redline | 8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
Size

907KB
MD5

2f4fb5ce456ea53ff85beb68e9169db0
SHA1

0784ae94ea2f6e3f145778f4931b08f8f689c3fd
SHA256

8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d
SHA512

42df59d0ccb7945adf515083dae9511fc4758e0a7b83bbbee30db65a98fadccaaffa61b260b317f299cacaa504735f7daca8a146ed6c2cd56ad274982b6461e5

Score

10^/10

redline 5 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral1/memory/5320-252-0x0000000000810000-0x0000000000830000-memory.dmp	family_redline
behavioral1/memory/5472-283-0x0000000000CD0000-0x0000000000CF0000-memory.dmp	family_redline
behavioral1/memory/7048-282-0x00000000004F0000-0x0000000000534000-memory.dmp	family_redline
behavioral1/memory/7296-287-0x0000000000210000-0x0000000000230000-memory.dmp	family_redline
behavioral1/memory/7240-286-0x0000000000BF0000-0x0000000000C10000-memory.dmp	family_redline

Executes dropped EXE 10 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeEU1.exe

pid	process
1612	F0geI.exe
6832	kukurzka9000.exe
5320	namdoitntn.exe
7016	real.exe
7048	safert44.exe
5472	tag.exe
7240	jshainx.exe
7296	ffnameedit.exe
7352	rawxdev.exe
7384	EU1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 12 IoCs

Processes:

8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812073050.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\24c9c735-f493-469a-80d9-5e2faa216e68.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5512 1612 WerFault.exe F0geI.exe

pid	pid_target	process	target process
5512	1612	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exejshainx.exesafert44.exetag.exeffnameedit.exenamdoitntn.exeidentity_helper.exemsedge.exe

pid	process
5252	msedge.exe
5252	msedge.exe
5292	msedge.exe
5292	msedge.exe
5324	msedge.exe
5324	msedge.exe
5372	msedge.exe
5372	msedge.exe
5364	msedge.exe
5364	msedge.exe
5240	msedge.exe
5240	msedge.exe
5300	msedge.exe
5300	msedge.exe
5316	msedge.exe
5316	msedge.exe
1468	msedge.exe
1468	msedge.exe
7016	real.exe
7016	real.exe
7240	jshainx.exe
7240	jshainx.exe
7048	safert44.exe
7048	safert44.exe
5472	tag.exe
5472	tag.exe
7296	ffnameedit.exe
7296	ffnameedit.exe
5320	namdoitntn.exe
5320	namdoitntn.exe
7712	identity_helper.exe
7712	identity_helper.exe
7320	msedge.exe
7320	msedge.exe
7320	msedge.exe
7320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

jshainx.exesafert44.exetag.exeffnameedit.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	7240	jshainx.exe
Token: SeDebugPrivilege	7048	safert44.exe
Token: SeDebugPrivilege	5472	tag.exe
Token: SeDebugPrivilege	7296	ffnameedit.exe
Token: SeDebugPrivilege	5320	namdoitntn.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1468 msedge.exe
1468 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 5016 wrote to memory of 608	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 608	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 4700	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 4700	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 1468	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 1468	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 608 wrote to memory of 1364	608	msedge.exe	msedge.exe
PID 608 wrote to memory of 1364	608	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2320	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2320	4700	msedge.exe	msedge.exe
PID 1468 wrote to memory of 4424	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 4424	1468	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4408	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 4408	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 4408 wrote to memory of 1144	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 1144	4408	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3856	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 3856	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 2100	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 2100	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 3856 wrote to memory of 3480	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3480	3856	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3680	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 3680	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 2100 wrote to memory of 4852	2100	msedge.exe	msedge.exe
PID 2100 wrote to memory of 4852	2100	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4064	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4064	3680	msedge.exe	msedge.exe
PID 5016 wrote to memory of 2268	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 5016 wrote to memory of 2268	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	msedge.exe
PID 2268 wrote to memory of 2296	2268	msedge.exe	msedge.exe
PID 2268 wrote to memory of 2296	2268	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1612	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	F0geI.exe
PID 5016 wrote to memory of 1612	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	F0geI.exe
PID 5016 wrote to memory of 1612	5016	8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe	F0geI.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe
PID 1468 wrote to memory of 2060	1468	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe
"C:\Users\Admin\AppData\Local\Temp\8e5ea2bc3b2e0b05700912fb4a0d2c7bfb74ca0f31d273948ffe4fc3f584461d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x78,0xdc,0x100,0x40,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10256303911572477530,3976633656749217132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10256303911572477530,3976633656749217132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1150776480686621326,15864830356145285933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1150776480686621326,15864830356145285933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
3⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
3⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
3⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
3⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
3⤵
PID:6516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
3⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
3⤵
PID:6804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
3⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
3⤵
PID:7008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
3⤵
PID:7112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
3⤵
PID:7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5664 /prefetch:8
3⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6768 /prefetch:8
3⤵
PID:6920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
3⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
3⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8628 /prefetch:8
3⤵
PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6d1af5460,0x7ff6d1af5470,0x7ff6d1af5480
4⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8628 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7632 /prefetch:8
3⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8768 /prefetch:8
3⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9196 /prefetch:8
3⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
3⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,15453246576219408417,14913925270674975476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
3⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1570739826241907582,5005877187853036018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1570739826241907582,5005877187853036018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4195540988803887843,14131847614827214776,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4195540988803887843,14131847614827214776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
2⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3415623108298840047,11160092787910126098,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3415623108298840047,11160092787910126098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4667599181005302075,7030237398818017342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4667599181005302075,7030237398818017342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ALSZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0bc946f8,0x7ffb0bc94708,0x7ffb0bc94718
3⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13769602269534151791,662907573446739663,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13769602269534151791,662907573446739663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5316

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 764
3⤵
- Program crash
PID:5512

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:6832

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:7016

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7048

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7240

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7296

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:7352

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:7384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1612 -ip 1612
1⤵
PID:5800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
c4a47148567a832cd418610f961bb97c

SHA1
b4b734d0cae5c409ef6bd0ed9957886c0426be64

SHA256
60116dad840aba9c8d89753ad5cc8ac435e2dc7a0d8a57726fac83e7af29a896

SHA512
004bb6701593f9d019482f06ca2cc1dfc82381bed519d2721e0e4298e214031b154629d02a9adc9e4b306c1aa34399da3a6a001e8776a27bada494f4dd6384d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
b3a8e8a0f9131a85300a8316730cf8ae

SHA1
3a0549b17c10391584a5329f0faddf962506a0e6

SHA256
5f5cffa940e228c9b4c453c8803d507a8d723248c35f0bf15782ec5e9622da53

SHA512
21ef26d928283906d142e302018a1ab68a0e4f19e75a274a806c900eaa8f794ab1d1895d0981987682f69b1c3eeaaa88bdc2b9940e984714f607ef05168fbada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
954659a20e7ea3b8da457d848390aa1d

SHA1
4c629c277b38ae537dd7c5be19d86cc2dc889cfb

SHA256
1f31a86c553182eb8fd602c13d73abf7553fae731d9cea484828c09439bc18b5

SHA512
abf8e0942c0f2ea74c0d679d88d4c111d266fb6ef0c9b0d30776a00e6a4f1d4204f165b6e734770f6fdece16da64974224c05d23e256ca4dbda27d0ad0360e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e1a56fbfa1fd11bf5d94e93e7374a493

SHA1
15b87a308c71a4cca9c3bf43cd8bbfa8d2235386

SHA256
3e42d5c630be7525d477c0d198b6a2bd9898b48cc4dc5333d033631b2d4b5a89

SHA512
65f76f04b7665cb89ced867d8f24f7bbba90fa6dd80844f08e48b59e2c3c37298dd15f11178620a6a9bbf4c8e2bf86b4794f3127b613e94dfe69bbb4d8e8a7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ae6e24e1a51323af5e56eeb4565f05db

SHA1
cda51934caacf092a4590df8e8271c421ffaa883

SHA256
6683104f0514de455fd81dc42e934defaef32252d7be5e8769afbeb0dbf2d634

SHA512
ead92e8f8de99c357d48be6b0b0f0912adf9ba258815ca8bf9e5b23d21d1a8e52ac5519b3ff24b16ed48a1e68061f25e44ba5df2a5515dc9956face0bd6bdb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
965479cf15abd208aacc0abe340c7b73

SHA1
99aa4cd6fdf119d526da9518a1cb0ae6af46a9cc

SHA256
25bccd8ca585e42c91cc398928fc0de251d0c010a712846c3d5aaed71e86e33d

SHA512
b70cbb65ac250b37c7731fc23a1ab17887fa5e3d8492a2baf4fabad791de99750693b48f2512de238439cb027b24732786e4eaa66048b50baa16d222c2951203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2f7cfe43b5392e5623dbfc64c78215b2

SHA1
371ff3718621c6053173775560f1b6fbdcd428c5

SHA256
07c803e5d49affb0109de7a22aa6dbea1367597108d2d99153101fac1d0b1a7f

SHA512
07d6d50582bdedec730975846b2a7e7f815f1ae0a79ed52ea78b4cff0a4ae3c7577ce54bcb84c0949acf8cb16d2a3aac586823ab6b8dd2081ea208019965aa7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
8e5b8cbea6b82a741eaa382dd06d962c

SHA1
5d84299d085c9198e00d9929e867de06a9b8941b

SHA256
25a172a1735f2ef9f9d46eadd4944f21c101a60ce4e3eea27b08e72e7c9cbd1c

SHA512
55121df59b7dd0445b2445f6be3f10e4630766739c310fafa7fd5af09e9941feb35b49c603462153e2059af28faffeb7c3a84a31d07f006fe2bbfbbeb4aa43db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2f7cfe43b5392e5623dbfc64c78215b2

SHA1
371ff3718621c6053173775560f1b6fbdcd428c5

SHA256
07c803e5d49affb0109de7a22aa6dbea1367597108d2d99153101fac1d0b1a7f

SHA512
07d6d50582bdedec730975846b2a7e7f815f1ae0a79ed52ea78b4cff0a4ae3c7577ce54bcb84c0949acf8cb16d2a3aac586823ab6b8dd2081ea208019965aa7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e1a56fbfa1fd11bf5d94e93e7374a493

SHA1
15b87a308c71a4cca9c3bf43cd8bbfa8d2235386

SHA256
3e42d5c630be7525d477c0d198b6a2bd9898b48cc4dc5333d033631b2d4b5a89

SHA512
65f76f04b7665cb89ced867d8f24f7bbba90fa6dd80844f08e48b59e2c3c37298dd15f11178620a6a9bbf4c8e2bf86b4794f3127b613e94dfe69bbb4d8e8a7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
954659a20e7ea3b8da457d848390aa1d

SHA1
4c629c277b38ae537dd7c5be19d86cc2dc889cfb

SHA256
1f31a86c553182eb8fd602c13d73abf7553fae731d9cea484828c09439bc18b5

SHA512
abf8e0942c0f2ea74c0d679d88d4c111d266fb6ef0c9b0d30776a00e6a4f1d4204f165b6e734770f6fdece16da64974224c05d23e256ca4dbda27d0ad0360e14

Download Submit
\??\pipe\LOCAL\crashpad_1468_AZDVWTKUKAAOJDSA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2100_XAOLUXKKIIRRERPI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2268_OMWCRPUQKIXXKXZP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3680_UBQGGITSKWKNTIUX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3856_VGUCULFPWWIGUHUT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4408_HKAJDFJQJYYHXSDO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4700_UUFPEGCJLODUPCKA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_608_SMNVLQGMIPALEOQF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/608-132-0x0000000000000000-mapping.dmp

Download
memory/684-184-0x0000000000000000-mapping.dmp

Download
memory/1144-139-0x0000000000000000-mapping.dmp

Download
memory/1364-135-0x0000000000000000-mapping.dmp

Download
memory/1428-273-0x0000000000000000-mapping.dmp

Download
memory/1444-183-0x0000000000000000-mapping.dmp

Download
memory/1468-134-0x0000000000000000-mapping.dmp

Download
memory/1612-219-0x00000000005CD000-0x00000000005DE000-memory.dmp

Filesize
68KB

Download
memory/1612-221-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1612-220-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/1612-294-0x00000000005CD000-0x00000000005DE000-memory.dmp

Filesize
68KB

Download
memory/1612-155-0x0000000000000000-mapping.dmp

Download
memory/2060-181-0x0000000000000000-mapping.dmp

Download
memory/2100-141-0x0000000000000000-mapping.dmp

Download
memory/2268-150-0x0000000000000000-mapping.dmp

Download
memory/2296-152-0x0000000000000000-mapping.dmp

Download
memory/2320-136-0x0000000000000000-mapping.dmp

Download
memory/3480-142-0x0000000000000000-mapping.dmp

Download
memory/3680-143-0x0000000000000000-mapping.dmp

Download
memory/3696-315-0x0000000000000000-mapping.dmp

Download
memory/3856-140-0x0000000000000000-mapping.dmp

Download
memory/4064-147-0x0000000000000000-mapping.dmp

Download
memory/4408-138-0x0000000000000000-mapping.dmp

Download
memory/4424-137-0x0000000000000000-mapping.dmp

Download
memory/4564-305-0x0000000000000000-mapping.dmp

Download
memory/4700-133-0x0000000000000000-mapping.dmp

Download
memory/4852-144-0x0000000000000000-mapping.dmp

Download
memory/5132-185-0x0000000000000000-mapping.dmp

Download
memory/5144-186-0x0000000000000000-mapping.dmp

Download
memory/5156-187-0x0000000000000000-mapping.dmp

Download
memory/5164-188-0x0000000000000000-mapping.dmp

Download
memory/5184-189-0x0000000000000000-mapping.dmp

Download
memory/5240-190-0x0000000000000000-mapping.dmp

Download
memory/5252-191-0x0000000000000000-mapping.dmp

Download
memory/5292-192-0x0000000000000000-mapping.dmp

Download
memory/5300-193-0x0000000000000000-mapping.dmp

Download
memory/5316-194-0x0000000000000000-mapping.dmp

Download
memory/5320-296-0x0000000008250000-0x00000000082C6000-memory.dmp

Filesize
472KB

Download
memory/5320-252-0x0000000000810000-0x0000000000830000-memory.dmp

Filesize
128KB

Download
memory/5320-297-0x00000000082D0000-0x0000000008362000-memory.dmp

Filesize
584KB

Download
memory/5320-298-0x0000000008920000-0x0000000008EC4000-memory.dmp

Filesize
5.6MB

Download
memory/5320-299-0x0000000008490000-0x00000000084AE000-memory.dmp

Filesize
120KB

Download
memory/5320-300-0x0000000008690000-0x00000000086F6000-memory.dmp

Filesize
408KB

Download
memory/5320-301-0x0000000008ED0000-0x0000000009092000-memory.dmp

Filesize
1.8MB

Download
memory/5320-246-0x0000000000000000-mapping.dmp

Download
memory/5320-302-0x00000000095D0000-0x0000000009AFC000-memory.dmp

Filesize
5.2MB

Download
memory/5324-195-0x0000000000000000-mapping.dmp

Download
memory/5364-196-0x0000000000000000-mapping.dmp

Download
memory/5372-197-0x0000000000000000-mapping.dmp

Download
memory/5388-202-0x0000000000000000-mapping.dmp

Download
memory/5472-281-0x0000000000000000-mapping.dmp

Download
memory/5472-291-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/5472-283-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download
memory/5472-292-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/5524-313-0x0000000000000000-mapping.dmp

Download
memory/5572-304-0x0000000000000000-mapping.dmp

Download
memory/5592-308-0x0000000000000000-mapping.dmp

Download
memory/5612-270-0x0000000000000000-mapping.dmp

Download
memory/5952-214-0x0000000000000000-mapping.dmp

Download
memory/6132-216-0x0000000000000000-mapping.dmp

Download
memory/6516-218-0x0000000000000000-mapping.dmp

Download
memory/6708-223-0x0000000000000000-mapping.dmp

Download
memory/6804-225-0x0000000000000000-mapping.dmp

Download
memory/6820-310-0x0000000000000000-mapping.dmp

Download
memory/6832-295-0x0000000002340000-0x0000000002352000-memory.dmp

Filesize
72KB

Download
memory/6832-226-0x0000000000000000-mapping.dmp

Download
memory/6832-256-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6832-255-0x0000000002340000-0x0000000002352000-memory.dmp

Filesize
72KB

Download
memory/6884-243-0x0000000000000000-mapping.dmp

Download
memory/6900-230-0x0000000000000000-mapping.dmp

Download
memory/6920-254-0x0000000000000000-mapping.dmp

Download
memory/7008-233-0x0000000000000000-mapping.dmp

Download
memory/7016-249-0x0000000000000000-mapping.dmp

Download
memory/7016-257-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/7048-282-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/7048-280-0x0000000000000000-mapping.dmp

Download
memory/7112-239-0x0000000000000000-mapping.dmp

Download
memory/7144-241-0x0000000000000000-mapping.dmp

Download
memory/7240-286-0x0000000000BF0000-0x0000000000C10000-memory.dmp

Filesize
128KB

Download
memory/7240-284-0x0000000000000000-mapping.dmp

Download
memory/7240-293-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/7240-290-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/7240-303-0x0000000006820000-0x0000000006870000-memory.dmp

Filesize
320KB

Download
memory/7296-287-0x0000000000210000-0x0000000000230000-memory.dmp

Filesize
128KB

Download
memory/7296-285-0x0000000000000000-mapping.dmp

Download
memory/7320-311-0x0000000000000000-mapping.dmp

Download
memory/7352-288-0x0000000000000000-mapping.dmp

Download
memory/7384-289-0x0000000000000000-mapping.dmp

Download
memory/7712-306-0x0000000000000000-mapping.dmp

Download