redline | 30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2022 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
Size

905KB
MD5

9c885861af4f1ddd664e91eee0b27b68
SHA1

4ba421d39913e4cfea5ab6f9431cf344fbaff03b
SHA256

30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441
SHA512

e93a37333acb84e0e640f0300fb1905d3c9b3a5beb25a6db896e71996f0b4a77eb00bd8e4c80168b501deff218a6aff8157d9347fd7cbd91f79d4d6b046c71bd

Score

10^/10

redline 4 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral1/memory/3064-197-0x0000000000370000-0x0000000000390000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral1/memory/5592-217-0x0000000000B10000-0x0000000000B54000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/4128-233-0x00000000001B0000-0x00000000001D0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral1/memory/6368-240-0x0000000000A90000-0x0000000000AB0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral1/memory/6568-249-0x0000000000A60000-0x0000000000A80000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeEU1.exe

pid	process
1676	F0geI.exe
5072	kukurzka9000.exe
3064	namdoitntn.exe
5820	real.exe
5592	safert44.exe
4128	tag.exe
6368	jshainx.exe
6568	ffnameedit.exe
6656	rawxdev.exe
6700	EU1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe

Loads dropped DLL 3 IoCs

Processes:

F0geI.exe

pid process

1676 F0geI.exe
1676 F0geI.exe
1676 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 12 IoCs

Processes:

30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\98763f1b-aa23-469c-af80-f1363e056357.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812044139.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6956 1676 WerFault.exe F0geI.exe

pid	pid_target	process	target process
6956	1676	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exetag.exejshainx.exeffnameedit.exenamdoitntn.exeidentity_helper.exemsedge.exe

pid	process
1860	msedge.exe
1860	msedge.exe
1116	msedge.exe
1116	msedge.exe
2328	msedge.exe
2328	msedge.exe
4644	msedge.exe
4644	msedge.exe
5388	msedge.exe
5388	msedge.exe
5448	msedge.exe
5448	msedge.exe
6120	msedge.exe
6120	msedge.exe
5820	real.exe
5820	real.exe
4128	tag.exe
4128	tag.exe
6368	jshainx.exe
6368	jshainx.exe
6568	ffnameedit.exe
6568	ffnameedit.exe
3064	namdoitntn.exe
3064	namdoitntn.exe
6888	identity_helper.exe
6888	identity_helper.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tag.exejshainx.exeffnameedit.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	4128	tag.exe
Token: SeDebugPrivilege	6368	jshainx.exe
Token: SeDebugPrivilege	6568	ffnameedit.exe
Token: SeDebugPrivilege	3064	namdoitntn.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4644 msedge.exe
4644 msedge.exe
4644 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3396 wrote to memory of 4448	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4448	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4644	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4644	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4332	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4332	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4412	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4412	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 4644 wrote to memory of 4420	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 4420	4644	msedge.exe	msedge.exe
PID 4332 wrote to memory of 4388	4332	msedge.exe	msedge.exe
PID 4332 wrote to memory of 4388	4332	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1340	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1340	4448	msedge.exe	msedge.exe
PID 4412 wrote to memory of 4892	4412	msedge.exe	msedge.exe
PID 4412 wrote to memory of 4892	4412	msedge.exe	msedge.exe
PID 3396 wrote to memory of 4016	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 4016	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 4016 wrote to memory of 5012	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 5012	4016	msedge.exe	msedge.exe
PID 3396 wrote to memory of 2224	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 2224	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 2224 wrote to memory of 1500	2224	msedge.exe	msedge.exe
PID 2224 wrote to memory of 1500	2224	msedge.exe	msedge.exe
PID 3396 wrote to memory of 1396	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 1396	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 2252	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 3396 wrote to memory of 2252	3396	30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe	msedge.exe
PID 1396 wrote to memory of 4076	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4076	1396	msedge.exe	msedge.exe
PID 2252 wrote to memory of 4344	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 4344	2252	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe
PID 4644 wrote to memory of 3520	4644	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe
"C:\Users\Admin\AppData\Local\Temp\30bd7de6bb1a1ba574999d7a6f4e3c8f20b9e4e6f477d4dfb3bc47269bf6b441.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11093415717536871879,5700089387117665568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11093415717536871879,5700089387117665568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
3⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
3⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
3⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
3⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
3⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
3⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
3⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
3⤵
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
3⤵
PID:6484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6048 /prefetch:8
3⤵
PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
3⤵
PID:6948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
3⤵
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
3⤵
PID:7120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff662405460,0x7ff662405470,0x7ff662405480
4⤵
PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7488 /prefetch:8
3⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7232 /prefetch:8
3⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5144 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,6604390875642451878,5459236477613710252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6904 /prefetch:8
3⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,5313427324922663022,7107893629615048971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,9352023343236350636,9005454525823186744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,9352023343236350636,9005454525823186744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
3⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8857194370989975582,6771421488477084844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xa4,0xdc,0x100,0x9c,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3869943954023469657,8728033554691770552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3869943954023469657,8728033554691770552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ALSZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
3⤵
PID:4344

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:5072

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 768
3⤵
- Program crash
PID:6956

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
PID:5592

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6368

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6568

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:6656

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:6700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffbfa7146f8,0x7ffbfa714708,0x7ffbfa714718
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1676 -ip 1676
1⤵
PID:6880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
287KB

MD5
c1595ffe08cf9360cda3a95c2104d2d9

SHA1
7d2727bf305fd7ffcf4119f7d545b189135b06f6

SHA256
dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3

SHA512
8847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
287KB

MD5
c1595ffe08cf9360cda3a95c2104d2d9

SHA1
7d2727bf305fd7ffcf4119f7d545b189135b06f6

SHA256
dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3

SHA512
8847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1caec4ab626ee09852ebdc50fcec4f63

SHA1
eebf46ed927b9224a7f78ec2b3622d3ed7f49b67

SHA256
b4b85b5033c1bf551950a03328c29ba02424d73187b96ec06e7f94ae8d53a386

SHA512
69719414df1bb876951564782369d58963eca8b935dfeb7b8013555ad8d1b95eacb8330b1a73828193e0311ade6aa01aa733b89db73441529cc86de9ef978ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c4f8f3860b94d9d4ba66e868429edbdd

SHA1
8d78056168b11c2c67970c34de20c3497e48cc3c

SHA256
3c093cd9e575e6a4d03ffef595cc063a8339c84eeb1cfbaac38aaa2fce29a75a

SHA512
40bd96d19de36e892ad12a48b8af9dfbe06f8e1e522f6100bd8cfd1893de6c51050b8b43a280811435fbde79cc33f4b1b10e4ff87de3f92ff0f15c9eeddc74fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
1ea4c924ee95aa2ce0053d04c17eb35f

SHA1
91659f0f64d04ed984f32d13d1ef89126c923154

SHA256
f1a92cb929f88b9ed55999aaf0caa1b953d0abbc1b115ac47359ab99c622798d

SHA512
359857366b8857cfb56d528d04063a0257946d005954d77c74a4909fe94d535b74da513137f360186e4b1ad6a8a2e37a6ed692276df7da20f4e96f95a80c1216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
511fa17dc49777335fadfc72791f3246

SHA1
04e4686320077a226a641ad2db5c5e4d3633cdba

SHA256
617bc3566fc06bfb264b65ac2672dae5ef5aaa165012ee6e1369871d46f830cf

SHA512
5dc522d4f3f58d66a18a3e65b8bea2bfd6da489cb01a488396c7946ec53396293a59c4479f076310fb20117bb6097fc11a7b0a6fc2195ea39162f28451bfdedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f2904639b0d743d3f0d26288c55202ca

SHA1
4678d3f0344b57e5364050b367d6fbcafe7ee2db

SHA256
2e99d672441bf7b8d45028ed49544b42154271ae954cfc3f0f3e5f6f74104664

SHA512
c80c7cdece896767a93ddb1470e8c9228774929c1d5d75573e8f795c9d93b3d7af5624d8bff6dccd4ce00fe9a18436b2073881daf85e31ae93762394194280de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
241370305e7524a71fff0349cc12d33b

SHA1
ac6d0f2a0ac2eedbc20da8c0e0a4466e097ee40a

SHA256
32e8baee68aecbd9931450692310e1cefb9c2c3e0c443dd7b375e93b2921f104

SHA512
4983bfa44ee4b0ad246931840c76eaf8dfc1ca464f2086851559aba41615a7c5294075455bd79d8752e4030b4ab9c8e9b20a369e83c7f92a01ddb918e7c85ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
1d1740bdb2faa55bd505fb4a68b8e314

SHA1
c60261e0fd26ebb841982a37d3dcb3a26b3256d7

SHA256
eb10322800ca6b0f29e5948ef5e69d0f512fe76596bac4f9a8ca78c2f1474609

SHA512
d57882530634b7dc15d47c3ba71a13034440bd8734e752d79479bc96918019d4b3fdfbee4eb75d2e1b981a26797c1409b9f3159f7360e275971d3424217a55b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f2904639b0d743d3f0d26288c55202ca

SHA1
4678d3f0344b57e5364050b367d6fbcafe7ee2db

SHA256
2e99d672441bf7b8d45028ed49544b42154271ae954cfc3f0f3e5f6f74104664

SHA512
c80c7cdece896767a93ddb1470e8c9228774929c1d5d75573e8f795c9d93b3d7af5624d8bff6dccd4ce00fe9a18436b2073881daf85e31ae93762394194280de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
241370305e7524a71fff0349cc12d33b

SHA1
ac6d0f2a0ac2eedbc20da8c0e0a4466e097ee40a

SHA256
32e8baee68aecbd9931450692310e1cefb9c2c3e0c443dd7b375e93b2921f104

SHA512
4983bfa44ee4b0ad246931840c76eaf8dfc1ca464f2086851559aba41615a7c5294075455bd79d8752e4030b4ab9c8e9b20a369e83c7f92a01ddb918e7c85ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
1ea4c924ee95aa2ce0053d04c17eb35f

SHA1
91659f0f64d04ed984f32d13d1ef89126c923154

SHA256
f1a92cb929f88b9ed55999aaf0caa1b953d0abbc1b115ac47359ab99c622798d

SHA512
359857366b8857cfb56d528d04063a0257946d005954d77c74a4909fe94d535b74da513137f360186e4b1ad6a8a2e37a6ed692276df7da20f4e96f95a80c1216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
511fa17dc49777335fadfc72791f3246

SHA1
04e4686320077a226a641ad2db5c5e4d3633cdba

SHA256
617bc3566fc06bfb264b65ac2672dae5ef5aaa165012ee6e1369871d46f830cf

SHA512
5dc522d4f3f58d66a18a3e65b8bea2bfd6da489cb01a488396c7946ec53396293a59c4479f076310fb20117bb6097fc11a7b0a6fc2195ea39162f28451bfdedc

Download Submit
\??\pipe\LOCAL\crashpad_2224_ZQGXQXQVCLSWHAXH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4412_IDJTFBIRZZGBTPRJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4448_YMFCIFEEEIYCJOWH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4644_HTNOFYAUSFCLHKOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-296-0x0000000000000000-mapping.dmp

Download
memory/1116-166-0x0000000000000000-mapping.dmp

Download
memory/1340-136-0x0000000000000000-mapping.dmp

Download
memory/1396-151-0x0000000000000000-mapping.dmp

Download
memory/1500-149-0x0000000000000000-mapping.dmp

Download
memory/1560-170-0x0000000000000000-mapping.dmp

Download
memory/1676-225-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1676-286-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1676-291-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1676-230-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1676-162-0x0000000000000000-mapping.dmp

Download
memory/1676-224-0x000000000069C000-0x00000000006AD000-memory.dmp

Filesize
68KB

Download
memory/1676-285-0x000000000069C000-0x00000000006AD000-memory.dmp

Filesize
68KB

Download
memory/1860-163-0x0000000000000000-mapping.dmp

Download
memory/2132-185-0x0000000000000000-mapping.dmp

Download
memory/2224-148-0x0000000000000000-mapping.dmp

Download
memory/2252-152-0x0000000000000000-mapping.dmp

Download
memory/2328-174-0x0000000000000000-mapping.dmp

Download
memory/3064-282-0x00000000076E0000-0x0000000007C84000-memory.dmp

Filesize
5.6MB

Download
memory/3064-283-0x00000000071E0000-0x0000000007272000-memory.dmp

Filesize
584KB

Download
memory/3064-227-0x00000000055B0000-0x00000000055EC000-memory.dmp

Filesize
240KB

Download
memory/3064-218-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/3064-197-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/3064-220-0x00000000056C0000-0x00000000056D2000-memory.dmp

Filesize
72KB

Download
memory/3064-183-0x0000000000000000-mapping.dmp

Download
memory/3064-222-0x0000000005390000-0x000000000549A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-229-0x0000000000000000-mapping.dmp

Download
memory/3516-298-0x0000000000000000-mapping.dmp

Download
memory/3520-160-0x0000000000000000-mapping.dmp

Download
memory/3956-301-0x0000000000000000-mapping.dmp

Download
memory/4016-139-0x0000000000000000-mapping.dmp

Download
memory/4076-153-0x0000000000000000-mapping.dmp

Download
memory/4128-290-0x0000000006DB0000-0x00000000072DC000-memory.dmp

Filesize
5.2MB

Download
memory/4128-233-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/4128-289-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/4128-228-0x0000000000000000-mapping.dmp

Download
memory/4128-281-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/4176-164-0x0000000000000000-mapping.dmp

Download
memory/4332-132-0x0000000000000000-mapping.dmp

Download
memory/4344-154-0x0000000000000000-mapping.dmp

Download
memory/4388-135-0x0000000000000000-mapping.dmp

Download
memory/4412-133-0x0000000000000000-mapping.dmp

Download
memory/4420-134-0x0000000000000000-mapping.dmp

Download
memory/4448-130-0x0000000000000000-mapping.dmp

Download
memory/4644-131-0x0000000000000000-mapping.dmp

Download
memory/4892-137-0x0000000000000000-mapping.dmp

Download
memory/5008-214-0x0000000000000000-mapping.dmp

Download
memory/5012-141-0x0000000000000000-mapping.dmp

Download
memory/5072-169-0x0000000000000000-mapping.dmp

Download
memory/5072-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5072-251-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/5264-191-0x0000000000000000-mapping.dmp

Download
memory/5300-193-0x0000000000000000-mapping.dmp

Download
memory/5388-194-0x0000000000000000-mapping.dmp

Download
memory/5448-195-0x0000000000000000-mapping.dmp

Download
memory/5592-217-0x0000000000B10000-0x0000000000B54000-memory.dmp

Filesize
272KB

Download
memory/5592-213-0x0000000000000000-mapping.dmp

Download
memory/5744-299-0x0000000000000000-mapping.dmp

Download
memory/5780-199-0x0000000000000000-mapping.dmp

Download
memory/5820-245-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5820-200-0x0000000000000000-mapping.dmp

Download
memory/5832-223-0x0000000000000000-mapping.dmp

Download
memory/6068-205-0x0000000000000000-mapping.dmp

Download
memory/6104-209-0x0000000000000000-mapping.dmp

Download
memory/6120-208-0x0000000000000000-mapping.dmp

Download
memory/6260-293-0x0000000000000000-mapping.dmp

Download
memory/6284-235-0x0000000000000000-mapping.dmp

Download
memory/6368-240-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/6368-284-0x0000000005680000-0x00000000056F6000-memory.dmp

Filesize
472KB

Download
memory/6368-287-0x0000000005860000-0x000000000587E000-memory.dmp

Filesize
120KB

Download
memory/6368-236-0x0000000000000000-mapping.dmp

Download
memory/6484-242-0x0000000000000000-mapping.dmp

Download
memory/6568-288-0x0000000008810000-0x0000000008860000-memory.dmp

Filesize
320KB

Download
memory/6568-244-0x0000000000000000-mapping.dmp

Download
memory/6568-249-0x0000000000A60000-0x0000000000A80000-memory.dmp

Filesize
128KB

Download
memory/6656-253-0x0000000000000000-mapping.dmp

Download
memory/6700-259-0x0000000000000000-mapping.dmp

Download
memory/6872-276-0x0000000000000000-mapping.dmp

Download
memory/6888-294-0x0000000000000000-mapping.dmp

Download
memory/6948-278-0x0000000000000000-mapping.dmp

Download
memory/6964-280-0x0000000000000000-mapping.dmp

Download
memory/7128-292-0x0000000000000000-mapping.dmp

Download