redline | c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
12-08-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
Size

905KB
MD5

2a30eb2ce951c8d07108c6f06b493a75
SHA1

89b347a6edbdec60ea9fdbbad3a1fb16606874c3
SHA256

c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568
SHA512

34ab15e1f6aae7a6d738debfa39e970e118b69f05558a55cd390a2c08106bdda3d030d3454dd7ef5a51ae6112536d27b5d9b6a4cdc0ece0f7a87108550262c7e

Score

10^/10

redline 4 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
behavioral1/memory/5000-643-0x00000000003B0000-0x00000000003D0000-memory.dmp	family_redline
behavioral1/memory/4216-665-0x0000000000890000-0x00000000008B0000-memory.dmp	family_redline
behavioral1/memory/5100-663-0x00000000007F0000-0x0000000000834000-memory.dmp	family_redline
behavioral1/memory/4476-676-0x0000000000CF0000-0x0000000000D10000-memory.dmp	family_redline
behavioral1/memory/4700-695-0x0000000000800000-0x0000000000820000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeme.exe

pid	process
4904	F0geI.exe
4936	kukurzka9000.exe
5000	namdoitntn.exe
5048	real.exe
5100	safert44.exe
4216	tag.exe
4476	jshainx.exe
4700	ffnameedit.exe
4832	rawxdev.exe
5020	me.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Control Panel\International\Geo\Nation	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe

Loads dropped DLL 3 IoCs

Processes:

F0geI.exe

pid process

4904 F0geI.exe
4904 F0geI.exe
4904 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe

Drops file in Windows directory 10 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5820 5048 WerFault.exe real.exe

pid	pid_target	process	target process
5820	5048	WerFault.exe	real.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 70c52770ffadd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6bec626effadd801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 04142f70ffadd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6d2ecb54ffadd801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

real.exejshainx.exetag.exesafert44.exeffnameedit.exenamdoitntn.exe

pid	process
5048	real.exe
5048	real.exe
4476	jshainx.exe
4476	jshainx.exe
4216	tag.exe
4216	tag.exe
5100	safert44.exe
5100	safert44.exe
4700	ffnameedit.exe
4700	ffnameedit.exe
5000	namdoitntn.exe
5000	namdoitntn.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exejshainx.exetag.exesafert44.exeffnameedit.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	1648	MicrosoftEdge.exe
Token: SeDebugPrivilege	1648	MicrosoftEdge.exe
Token: SeDebugPrivilege	1648	MicrosoftEdge.exe
Token: SeDebugPrivilege	1648	MicrosoftEdge.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5860	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5860	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4476	jshainx.exe
Token: SeDebugPrivilege	4216	tag.exe
Token: SeDebugPrivilege	5100	safert44.exe
Token: SeDebugPrivilege	4700	ffnameedit.exe
Token: SeDebugPrivilege	5000	namdoitntn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1648 MicrosoftEdge.exe
2728 MicrosoftEdgeCP.exe
2728 MicrosoftEdgeCP.exe

pid	process
1648	MicrosoftEdge.exe
2728	MicrosoftEdgeCP.exe
2728	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3704 wrote to memory of 4904	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	F0geI.exe
PID 3704 wrote to memory of 4904	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	F0geI.exe
PID 3704 wrote to memory of 4904	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	F0geI.exe
PID 2728 wrote to memory of 616	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 616	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 616	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 616	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3176	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3176	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3176	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3176	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3704 wrote to memory of 4936	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	kukurzka9000.exe
PID 3704 wrote to memory of 4936	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	kukurzka9000.exe
PID 3704 wrote to memory of 4936	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	kukurzka9000.exe
PID 3704 wrote to memory of 5000	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	namdoitntn.exe
PID 3704 wrote to memory of 5000	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	namdoitntn.exe
PID 3704 wrote to memory of 5000	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	namdoitntn.exe
PID 3704 wrote to memory of 5048	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	real.exe
PID 3704 wrote to memory of 5048	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	real.exe
PID 3704 wrote to memory of 5048	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	real.exe
PID 3704 wrote to memory of 5100	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	safert44.exe
PID 3704 wrote to memory of 5100	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	safert44.exe
PID 3704 wrote to memory of 5100	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	safert44.exe
PID 3704 wrote to memory of 4216	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	tag.exe
PID 3704 wrote to memory of 4216	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	tag.exe
PID 3704 wrote to memory of 4216	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	tag.exe
PID 3704 wrote to memory of 4476	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	jshainx.exe
PID 3704 wrote to memory of 4476	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	jshainx.exe
PID 3704 wrote to memory of 4476	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	jshainx.exe
PID 3704 wrote to memory of 4700	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	ffnameedit.exe
PID 3704 wrote to memory of 4700	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	ffnameedit.exe
PID 3704 wrote to memory of 4700	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	ffnameedit.exe
PID 3704 wrote to memory of 4832	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	rawxdev.exe
PID 3704 wrote to memory of 4832	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	rawxdev.exe
PID 3704 wrote to memory of 4832	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	rawxdev.exe
PID 2728 wrote to memory of 2768	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 2768	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 2768	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 2768	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3704 wrote to memory of 5020	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	me.exe
PID 3704 wrote to memory of 5020	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	me.exe
PID 3704 wrote to memory of 5020	3704	c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe	me.exe
PID 2728 wrote to memory of 3524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 3524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4736	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4736	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4736	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4736	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4280	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4280	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4280	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4280	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4524	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4704	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4704	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4704	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2728 wrote to memory of 4704	2728	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe
"C:\Users\Admin\AppData\Local\Temp\c33aec2527c88a003a6073ee31c1fec0cc3fea40b40f5b1170f67ea5c0838568.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4904

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:4832

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:5020

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1256
3⤵
- Program crash
PID:5820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
287KB

MD5
c1595ffe08cf9360cda3a95c2104d2d9

SHA1
7d2727bf305fd7ffcf4119f7d545b189135b06f6

SHA256
dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3

SHA512
8847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
287KB

MD5
c1595ffe08cf9360cda3a95c2104d2d9

SHA1
7d2727bf305fd7ffcf4119f7d545b189135b06f6

SHA256
dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3

SHA512
8847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\C8G5TKYW.cookie
Filesize
340B

MD5
462ff647add0aebbce29a153f5971012

SHA1
dbe5c0e9a7921d370017e4bef4eec40bab890497

SHA256
d6f0e3bb13fbe30061d5d131b9cb28c55c3267eec8219c2611225f74b7734af6

SHA512
64b616a041b6c4a5fb7a338b97a832b15462ef259e1f159b500ffdb0d5bb38b723733e722ebfb10c7d5643ae970beffd9704daea38d9bd111214eba9b468261a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\I4L3Y4A9.cookie
Filesize
508B

MD5
84958f8b91f1f13addf2be7aba6d24af

SHA1
36da7dfcc72e3bee7d0bf7136200d97c5a948c40

SHA256
fe42cb6906bbf8fbc3718042f9cb1eda45f23607e0202ce2af707caad4aec413

SHA512
843e5a72aada6279ea4d4b59404e40025f1df2968be599baa51a8f5d591cfeb9f95d39e8469fb0ffc4bf3f6d338bc25ba4075c3882902961491fd12e159479d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\K23GFP3G.cookie
Filesize
424B

MD5
fa87be04607bd6e3c8ed6b3fd036bef4

SHA1
ef81fe29312939ae047c0a7de0d2696837d9b29b

SHA256
e2681bdd0307a3a78b169fb8c6022776f4154883367a4f89a32918aeeb8140c0

SHA512
4d545de9150768682e534746ff27cc81e6c72ad75408ea41593195517db31b0b8178b96a994b51457a5267260c5434374c2d91e804cd2f4677d07796d04031c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\O5G43R8C.cookie
Filesize
592B

MD5
83c4b21a91a6672b049155399cb04ed0

SHA1
6e0f93720693e3d55799e9d7ddd32aabc7ab403c

SHA256
3e867d84018b245805938201c95b35a2b554bd39de8514191f25bf5b312e49a2

SHA512
1357ef302b9fd19411697659e57a6b772d2835a3363c2f0f30897705dee13d1954570984f015ceaf54a9a6d169e8b549e49283cb696a00477058749ffd0824b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\TQTXOJUQ.cookie
Filesize
256B

MD5
2b5a7645e85f32c185ef2bb993bf2084

SHA1
5dcd6ce602dd9b23e7bdc80007f92bd1f02372ab

SHA256
f0c21360a77665e45d3c832836f527b87400b70972e843ff9167c44f7ff64cf9

SHA512
928881f4dab803f78f4f5adc07d77881a69498eb5831bf316330a3983faf9e55ccd6e7663a914fea6833a7dbf697cb8cabc5b2b42a1f0cdb593f97f2f85ea850

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\YTCKKLI6.cookie
Filesize
172B

MD5
3c245ffa58ff7fbfd43e3330aee8e6b5

SHA1
ac0607a3baf8ad65e88ad50d22674371574e1247

SHA256
374bf47dcb927af9a6a342dda886367aa514e9abbcbecea5166900dad3fd197c

SHA512
63c0038223f3f854090c14101539275e8f4d886f2035fd8e36068ba0537e6866d17ed7cc73cdaa4456e324a72c1c2602df06d163a1133841a2a352b721bf9c83

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
6b9e0f6ee28a900a2397914d087da050

SHA1
149d24d9863a2cef5944bc78a94f08c745dc4e1f

SHA256
565e005d3d03c19e77cd786fe2ccdc254e73ac73b0e563ea3bd479053ab4efba

SHA512
45aa6ffda820626bf5b8b76cd05cef50e6f114fc95f5ba90baa8395b4fd914bff52da357cac00ce0b07f17c36baf1fb9344bf845bfda49fb53d74dde1dcda9e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
6b9e0f6ee28a900a2397914d087da050

SHA1
149d24d9863a2cef5944bc78a94f08c745dc4e1f

SHA256
565e005d3d03c19e77cd786fe2ccdc254e73ac73b0e563ea3bd479053ab4efba

SHA512
45aa6ffda820626bf5b8b76cd05cef50e6f114fc95f5ba90baa8395b4fd914bff52da357cac00ce0b07f17c36baf1fb9344bf845bfda49fb53d74dde1dcda9e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
03e9b826164c2428e230605083b6b683

SHA1
3e56d7a090e128eeb0e3571ab585d18d9d434c8c

SHA256
cd6a791130c5f8ad65425aae434e22e958972df5e4efb9cd393bffa51a91ff2f

SHA512
771b2d1307a6e49fbab084c2d939f55babdc4eca7370b806ed4422b07cf307898c7bf17da6993b118186acdd9ae3ca3f16ed1ed5e189acaa4d98f2592b7a20a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
30dafdbb3c94e06d004cf4de0ffa9b96

SHA1
a05ce20f6f884e916256c5340c45ce4e29718042

SHA256
09c29defece26f3c05e75e6a863d75329ab88e6df5a7432b3f2b73580f32474d

SHA512
859fcad7c182d7edcf864da345b85785095e161e5cfe6cc7107363a4cd6223a2fc31dfad68b122640484d3b18ff9010e14cf137da36284384a80f98d8baa7705

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
1c354142b0f9d6911b80d54b96ca55d3

SHA1
24d27f49aea74ef20e28564543231e9b2f796243

SHA256
efda432d32c93b830c764a2fd2ba17170427d7175389c16b1b73aa56e897b507

SHA512
6acce239d236ce04f2415fd1b0aa4a9282ab70c8f3ad5fa362f76f4d5aec7f39a43312035e7c4b7c4c3bff50f726248280062a380140a1abba5ce3de141646b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
1c354142b0f9d6911b80d54b96ca55d3

SHA1
24d27f49aea74ef20e28564543231e9b2f796243

SHA256
efda432d32c93b830c764a2fd2ba17170427d7175389c16b1b73aa56e897b507

SHA512
6acce239d236ce04f2415fd1b0aa4a9282ab70c8f3ad5fa362f76f4d5aec7f39a43312035e7c4b7c4c3bff50f726248280062a380140a1abba5ce3de141646b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/3704-136-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-162-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-159-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-160-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-161-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-150-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-163-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-134-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-165-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-166-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-168-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-167-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-169-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-170-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-171-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-172-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-173-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-174-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-175-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-176-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-177-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-178-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-179-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-180-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-181-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-157-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-149-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-156-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-155-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-148-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-154-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-118-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-146-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-153-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-145-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-144-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-152-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-147-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-142-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-143-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-141-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-140-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-139-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-119-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-138-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-120-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-137-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-151-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-135-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-121-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-122-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-164-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-158-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-133-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-123-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-124-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-125-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-132-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-131-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-130-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-128-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-129-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-127-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-126-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4216-665-0x0000000000890000-0x00000000008B0000-memory.dmp

Filesize
128KB

Download
memory/4216-348-0x0000000000000000-mapping.dmp

Download
memory/4216-839-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/4216-975-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/4216-834-0x0000000005610000-0x0000000005C16000-memory.dmp

Filesize
6.0MB

Download
memory/4216-874-0x0000000005140000-0x000000000518B000-memory.dmp

Filesize
300KB

Download
memory/4476-676-0x0000000000CF0000-0x0000000000D10000-memory.dmp

Filesize
128KB

Download
memory/4476-856-0x0000000005560000-0x000000000559E000-memory.dmp

Filesize
248KB

Download
memory/4476-1026-0x0000000006F80000-0x0000000007142000-memory.dmp

Filesize
1.8MB

Download
memory/4476-979-0x0000000006570000-0x0000000006A6E000-memory.dmp

Filesize
5.0MB

Download
memory/4476-976-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/4476-990-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/4476-973-0x00000000058F0000-0x0000000005966000-memory.dmp

Filesize
472KB

Download
memory/4476-358-0x0000000000000000-mapping.dmp

Download
memory/4476-1027-0x0000000007680000-0x0000000007BAC000-memory.dmp

Filesize
5.2MB

Download
memory/4476-837-0x0000000005500000-0x0000000005512000-memory.dmp

Filesize
72KB

Download
memory/4476-1033-0x0000000006EF0000-0x0000000006F40000-memory.dmp

Filesize
320KB

Download
memory/4700-368-0x0000000000000000-mapping.dmp

Download
memory/4700-695-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/4832-379-0x0000000000000000-mapping.dmp

Download
memory/4904-672-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/4904-662-0x000000000071A000-0x000000000072B000-memory.dmp

Filesize
68KB

Download
memory/4904-1055-0x000000000071A000-0x000000000072B000-memory.dmp

Filesize
68KB

Download
memory/4904-1056-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4904-685-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4904-956-0x000000000071A000-0x000000000072B000-memory.dmp

Filesize
68KB

Download
memory/4904-957-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4904-322-0x0000000000000000-mapping.dmp

Download
memory/4936-920-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/4936-325-0x0000000000000000-mapping.dmp

Download
memory/4936-924-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4936-928-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5000-327-0x0000000000000000-mapping.dmp

Download
memory/5000-643-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/5020-390-0x0000000000000000-mapping.dmp

Download
memory/5048-333-0x0000000000000000-mapping.dmp

Download
memory/5100-747-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/5100-339-0x0000000000000000-mapping.dmp

Download
memory/5100-663-0x00000000007F0000-0x0000000000834000-memory.dmp

Filesize
272KB

Download