redline | 2f2d4587b0faf105a6d992856d7a92c03f599b68b84bd41b8c2cb32419b90a47

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
Size

907KB
MD5

36f9f1d6c34e3277fd8e4de52ffa1f5f
SHA1

579c4e71f6f22f224195da1fd7bed927bcb0f990
SHA256

2f2d4587b0faf105a6d992856d7a92c03f599b68b84bd41b8c2cb32419b90a47
SHA512

45b90fc788c797f5526e5db190ec32a77a2c1ed5c135914c0a7d829dfafb553bef84d3084a1c27f4c65c388f438681ae17bb3e9cb006e6108698f93737dc409f

Score

10^/10

redline 5 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/932-167-0x0000000000050000-0x0000000000070000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/6836-270-0x0000000000250000-0x0000000000294000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/6812-286-0x0000000000FF0000-0x0000000001010000-memory.dmp	family_redline
behavioral2/memory/5876-294-0x0000000000BD0000-0x0000000000BF0000-memory.dmp	family_redline
behavioral2/memory/7140-296-0x0000000000680000-0x00000000006A0000-memory.dmp	family_redline

Executes dropped EXE 10 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeme.exe

pid	process
4484	F0geI.exe
1832	kukurzka9000.exe
932	namdoitntn.exe
864	real.exe
6836	safert44.exe
6812	tag.exe
5876	jshainx.exe
7140	ffnameedit.exe
6520	rawxdev.exe
5708	me.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36f9f1d6c34e3277fd8e4de52ffa1f5f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 12 IoCs

Processes:

36f9f1d6c34e3277fd8e4de52ffa1f5f.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\50d0018a-f7a9-49df-99a7-16601bf1fb04.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812084202.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5820 4484 WerFault.exe F0geI.exe

pid	pid_target	process	target process
5820	4484	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exetag.exejshainx.exeffnameedit.exesafert44.exenamdoitntn.exeidentity_helper.exemsedge.exe

pid	process
5344	msedge.exe
5344	msedge.exe
5276	msedge.exe
5276	msedge.exe
5312	msedge.exe
5312	msedge.exe
5320	msedge.exe
5320	msedge.exe
5260	msedge.exe
5260	msedge.exe
5292	msedge.exe
5292	msedge.exe
5284	msedge.exe
5284	msedge.exe
5304	msedge.exe
5304	msedge.exe
4892	msedge.exe
4892	msedge.exe
864	real.exe
864	real.exe
6812	tag.exe
6812	tag.exe
5876	jshainx.exe
5876	jshainx.exe
7140	ffnameedit.exe
7140	ffnameedit.exe
6836	safert44.exe
6836	safert44.exe
932	namdoitntn.exe
932	namdoitntn.exe
6040	identity_helper.exe
6040	identity_helper.exe
6628	msedge.exe
6628	msedge.exe
6628	msedge.exe
6628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tag.exejshainx.exeffnameedit.exesafert44.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	6812	tag.exe
Token: SeDebugPrivilege	5876	jshainx.exe
Token: SeDebugPrivilege	7140	ffnameedit.exe
Token: SeDebugPrivilege	6836	safert44.exe
Token: SeDebugPrivilege	932	namdoitntn.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4892 msedge.exe
4892 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36f9f1d6c34e3277fd8e4de52ffa1f5f.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2356 wrote to memory of 4008	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4008	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4744	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4744	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 1612	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 1612	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 1612 wrote to memory of 3280	1612	msedge.exe	msedge.exe
PID 1612 wrote to memory of 3280	1612	msedge.exe	msedge.exe
PID 4744 wrote to memory of 3472	4744	msedge.exe	msedge.exe
PID 4744 wrote to memory of 3472	4744	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3468	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3468	4008	msedge.exe	msedge.exe
PID 2356 wrote to memory of 3644	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 3644	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 3644 wrote to memory of 956	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 956	3644	msedge.exe	msedge.exe
PID 2356 wrote to memory of 4452	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4452	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 4452 wrote to memory of 1132	4452	msedge.exe	msedge.exe
PID 4452 wrote to memory of 1132	4452	msedge.exe	msedge.exe
PID 2356 wrote to memory of 4928	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4928	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 4928 wrote to memory of 3108	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3108	4928	msedge.exe	msedge.exe
PID 2356 wrote to memory of 4892	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4892	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 4892 wrote to memory of 4196	4892	msedge.exe	msedge.exe
PID 4892 wrote to memory of 4196	4892	msedge.exe	msedge.exe
PID 2356 wrote to memory of 4268	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 2356 wrote to memory of 4268	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	msedge.exe
PID 4268 wrote to memory of 3848	4268	msedge.exe	msedge.exe
PID 4268 wrote to memory of 3848	4268	msedge.exe	msedge.exe
PID 2356 wrote to memory of 4484	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	F0geI.exe
PID 2356 wrote to memory of 4484	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	F0geI.exe
PID 2356 wrote to memory of 4484	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	F0geI.exe
PID 2356 wrote to memory of 1832	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	kukurzka9000.exe
PID 2356 wrote to memory of 1832	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	kukurzka9000.exe
PID 2356 wrote to memory of 1832	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	kukurzka9000.exe
PID 2356 wrote to memory of 932	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	namdoitntn.exe
PID 2356 wrote to memory of 932	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	namdoitntn.exe
PID 2356 wrote to memory of 932	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	namdoitntn.exe
PID 2356 wrote to memory of 864	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	real.exe
PID 2356 wrote to memory of 864	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	real.exe
PID 2356 wrote to memory of 864	2356	36f9f1d6c34e3277fd8e4de52ffa1f5f.exe	real.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 1612 wrote to memory of 1760	1612	msedge.exe	msedge.exe
PID 1612 wrote to memory of 1760	1612	msedge.exe	msedge.exe
PID 1612 wrote to memory of 1760	1612	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe
PID 3644 wrote to memory of 1492	3644	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\36f9f1d6c34e3277fd8e4de52ffa1f5f.exe
"C:\Users\Admin\AppData\Local\Temp\36f9f1d6c34e3277fd8e4de52ffa1f5f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13436384688927694114,14061911679250627000,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
3⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13436384688927694114,14061911679250627000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2411992890713250515,9847006163243672031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2411992890713250515,9847006163243672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x80,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1013679206665263222,11397618291713281350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1013679206665263222,11397618291713281350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3691025382774333302,14449874061380762949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
3⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3691025382774333302,14449874061380762949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3281775397751641524,1240171982053710418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
3⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3281775397751641524,1240171982053710418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,512070363944039671,16433325213545117701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,512070363944039671,16433325213545117701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
3⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
3⤵
PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
3⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
3⤵
PID:6652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
3⤵
PID:6788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
3⤵
PID:6932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
3⤵
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
3⤵
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
3⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
3⤵
PID:6600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 /prefetch:8
3⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
3⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
3⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
3⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7df2c5460,0x7ff7df2c5470,0x7ff7df2c5480
4⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7200 /prefetch:8
3⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
3⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,2731234251772322844,10273906307029684307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
3⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ALSZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ff546f8,0x7fff1ff54708,0x7fff1ff54718
3⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14794199128851261809,7596806358766663715,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14794199128851261809,7596806358766663715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5312

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1292
3⤵
- Program crash
PID:5820

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1832

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6836

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6812

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:6520

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4484 -ip 4484
1⤵
PID:6300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
762eebe5cab6e49628aa82fdfce70327

SHA1
daedf62ed4b2b94007c5d311371e2df3c72fa479

SHA256
d9a4d7c16709c3ef604c4975f8ccbc7b164ae23bb35041529cfc2a91e8cdf9c1

SHA512
3bd553102f60e5f8a4adeb2aff8425f030f8e2a39d1a60e6ec70bff9bfd4cded6f5a102691821148adc0c014a24b5aa04dfb11e147a59fad7bd7cb84d9e15f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3e435b2050e78fd58007d43ff41800cc

SHA1
8974c587905f3bd67439179191fa8ce9ac71d2ee

SHA256
3b7aff3aecb1d5c829d8d22e0524498833ece111774210351d0502ab2901c835

SHA512
e979dc367d74d55a6a8f16795cfa9dbd59d89e6d41e184cc11fc62a68042ba5852ee4b9de045c94a6540a4b7e1a17b8fc7438a16b484544340e80d74ab938eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
68a0f555bb54eef75029f0f9c4c112fd

SHA1
c22e60a088ba36baf1e74da09588edb81a8643d0

SHA256
642fb9b0269a07ebc4d18b368af030079ab35e0b6e9efaeef840729ba126f5b0

SHA512
a27ff9e35e977284e75dfb8f48bf98fe8053677e4ead510468c8c0aff6a149222cf2a0f2526cd22ff9af33c2116cc39766bfe981bf0c12fe1746296d7787df2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
36f858d334f5b0dfcd5456feab529d06

SHA1
053ec575aec17adec1637d8bcd84f6d03778c1c3

SHA256
0c64ebea27dc5e816b8846b10a1d5217835557d27ce76800e720c1a2b2d28f3a

SHA512
805f54358a4973e001d8a9e7c720ecd25764008ee8a5416a49179ab66673fa22ebb2c37a5d52f440aae3e8b88e8d584e3652f2b38310e176e6ee02613e9cdc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4385a035b8cf3ce2b56bb16b54bd3f93

SHA1
3d63e942f223b2ff9982f49db692b74bc699b85c

SHA256
5d4a5ff8052edd9969e6a96f4e8cf4c12d9ef4e0a57ce49f19b7e8e9b65c1fcb

SHA512
8249282e568c526ee5e22063e9ac3e28a022e1c8daec9bbd375610e51ef02aa693eaa4d87939458aeed25e9029d09786327a7c48766d0579198e6ea34d4c854d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d2f1ba135a1ff6f032aedc932adad7c0

SHA1
d73c4820baf7a64b2e3a3af8dd174ba880622916

SHA256
c8ba7b80c92772a21dfca1b7d0b52b34dc6417db193232c9f8f188db9b3f9461

SHA512
f8663e41603ae040059563519dc257fc62d5bf0f1c685eec25284112c90526b7ae494bd7e6b996c4b3cb154189de99dba03b9a94b44bea0858a56d603d4e6ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
762eebe5cab6e49628aa82fdfce70327

SHA1
daedf62ed4b2b94007c5d311371e2df3c72fa479

SHA256
d9a4d7c16709c3ef604c4975f8ccbc7b164ae23bb35041529cfc2a91e8cdf9c1

SHA512
3bd553102f60e5f8a4adeb2aff8425f030f8e2a39d1a60e6ec70bff9bfd4cded6f5a102691821148adc0c014a24b5aa04dfb11e147a59fad7bd7cb84d9e15f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3e435b2050e78fd58007d43ff41800cc

SHA1
8974c587905f3bd67439179191fa8ce9ac71d2ee

SHA256
3b7aff3aecb1d5c829d8d22e0524498833ece111774210351d0502ab2901c835

SHA512
e979dc367d74d55a6a8f16795cfa9dbd59d89e6d41e184cc11fc62a68042ba5852ee4b9de045c94a6540a4b7e1a17b8fc7438a16b484544340e80d74ab938eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
af687b3b742d7e6ef5560057c4b96fd2

SHA1
84475deea0ce1c3a7a14e74436ac459d43b9601f

SHA256
5bf34adeb20aab959207296e95e19a235e3c4549ef33dea20824916cc6a8b588

SHA512
addd3f72b917e57f6412922772a0ae0640f162dbb825e1f95dd7c8cb9c56e9529630fb25820efa9933ca78bccea88a37615276175be0fadefbd395cfb7192467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
36f858d334f5b0dfcd5456feab529d06

SHA1
053ec575aec17adec1637d8bcd84f6d03778c1c3

SHA256
0c64ebea27dc5e816b8846b10a1d5217835557d27ce76800e720c1a2b2d28f3a

SHA512
805f54358a4973e001d8a9e7c720ecd25764008ee8a5416a49179ab66673fa22ebb2c37a5d52f440aae3e8b88e8d584e3652f2b38310e176e6ee02613e9cdc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
af687b3b742d7e6ef5560057c4b96fd2

SHA1
84475deea0ce1c3a7a14e74436ac459d43b9601f

SHA256
5bf34adeb20aab959207296e95e19a235e3c4549ef33dea20824916cc6a8b588

SHA512
addd3f72b917e57f6412922772a0ae0640f162dbb825e1f95dd7c8cb9c56e9529630fb25820efa9933ca78bccea88a37615276175be0fadefbd395cfb7192467

Download Submit
\??\pipe\LOCAL\crashpad_1612_UQNPLYSVVPRXGYAZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3644_ZUGWEFSQNMHJARVR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4008_RDHQWIGVAWQDHZRT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4268_BGHFZNQRNUEYDWFA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4452_WFPMOYNNDTMSJGEB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4744_DHTSFYCFMQZWEXYJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4892_ESSQWPENDSRBCLDH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4928_UTMFAVJQZCRPXGNK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/864-203-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/864-163-0x0000000000000000-mapping.dmp

Download
memory/932-161-0x0000000000000000-mapping.dmp

Download
memory/932-263-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/932-167-0x0000000000050000-0x0000000000070000-memory.dmp

Filesize
128KB

Download
memory/932-258-0x00000000070F0000-0x00000000071FA000-memory.dmp

Filesize
1.0MB

Download
memory/932-303-0x0000000007060000-0x000000000707E000-memory.dmp

Filesize
120KB

Download
memory/932-299-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/932-253-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/932-255-0x0000000006F30000-0x0000000006F42000-memory.dmp

Filesize
72KB

Download
memory/956-139-0x0000000000000000-mapping.dmp

Download
memory/1132-144-0x0000000000000000-mapping.dmp

Download
memory/1492-201-0x0000000000000000-mapping.dmp

Download
memory/1612-134-0x0000000000000000-mapping.dmp

Download
memory/1632-313-0x0000000000000000-mapping.dmp

Download
memory/1760-200-0x0000000000000000-mapping.dmp

Download
memory/1788-308-0x0000000000000000-mapping.dmp

Download
memory/1832-235-0x0000000002140000-0x0000000002152000-memory.dmp

Filesize
72KB

Download
memory/1832-158-0x0000000000000000-mapping.dmp

Download
memory/1832-241-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2240-316-0x0000000000000000-mapping.dmp

Download
memory/2516-290-0x0000000000000000-mapping.dmp

Download
memory/3108-147-0x0000000000000000-mapping.dmp

Download
memory/3280-135-0x0000000000000000-mapping.dmp

Download
memory/3432-202-0x0000000000000000-mapping.dmp

Download
memory/3468-137-0x0000000000000000-mapping.dmp

Download
memory/3472-136-0x0000000000000000-mapping.dmp

Download
memory/3644-138-0x0000000000000000-mapping.dmp

Download
memory/3848-153-0x0000000000000000-mapping.dmp

Download
memory/3976-204-0x0000000000000000-mapping.dmp

Download
memory/4008-132-0x0000000000000000-mapping.dmp

Download
memory/4196-149-0x0000000000000000-mapping.dmp

Download
memory/4268-151-0x0000000000000000-mapping.dmp

Download
memory/4452-140-0x0000000000000000-mapping.dmp

Download
memory/4484-155-0x0000000000000000-mapping.dmp

Download
memory/4484-176-0x000000000062D000-0x000000000063D000-memory.dmp

Filesize
64KB

Download
memory/4484-189-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4484-177-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/4744-133-0x0000000000000000-mapping.dmp

Download
memory/4892-148-0x0000000000000000-mapping.dmp

Download
memory/4928-146-0x0000000000000000-mapping.dmp

Download
memory/5052-311-0x0000000000000000-mapping.dmp

Download
memory/5128-205-0x0000000000000000-mapping.dmp

Download
memory/5136-199-0x0000000000000000-mapping.dmp

Download
memory/5144-206-0x0000000000000000-mapping.dmp

Download
memory/5156-197-0x0000000000000000-mapping.dmp

Download
memory/5164-245-0x0000000000000000-mapping.dmp

Download
memory/5260-208-0x0000000000000000-mapping.dmp

Download
memory/5276-212-0x0000000000000000-mapping.dmp

Download
memory/5284-213-0x0000000000000000-mapping.dmp

Download
memory/5292-214-0x0000000000000000-mapping.dmp

Download
memory/5304-215-0x0000000000000000-mapping.dmp

Download
memory/5312-216-0x0000000000000000-mapping.dmp

Download
memory/5320-217-0x0000000000000000-mapping.dmp

Download
memory/5324-292-0x0000000000000000-mapping.dmp

Download
memory/5344-210-0x0000000000000000-mapping.dmp

Download
memory/5344-307-0x0000000000000000-mapping.dmp

Download
memory/5468-230-0x0000000000000000-mapping.dmp

Download
memory/5708-298-0x0000000000000000-mapping.dmp

Download
memory/5876-293-0x0000000000000000-mapping.dmp

Download
memory/5876-294-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

Filesize
128KB

Download
memory/6040-309-0x0000000000000000-mapping.dmp

Download
memory/6200-282-0x0000000000000000-mapping.dmp

Download
memory/6288-249-0x0000000000000000-mapping.dmp

Download
memory/6520-297-0x0000000000000000-mapping.dmp

Download
memory/6600-284-0x0000000000000000-mapping.dmp

Download
memory/6628-314-0x0000000000000000-mapping.dmp

Download
memory/6652-260-0x0000000000000000-mapping.dmp

Download
memory/6788-262-0x0000000000000000-mapping.dmp

Download
memory/6812-286-0x0000000000FF0000-0x0000000001010000-memory.dmp

Filesize
128KB

Download
memory/6812-285-0x0000000000000000-mapping.dmp

Download
memory/6812-300-0x00000000069C0000-0x0000000006F64000-memory.dmp

Filesize
5.6MB

Download
memory/6812-301-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/6812-302-0x0000000006840000-0x00000000068B6000-memory.dmp

Filesize
472KB

Download
memory/6836-305-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/6836-304-0x0000000006260000-0x00000000062B0000-memory.dmp

Filesize
320KB

Download
memory/6836-306-0x00000000084A0000-0x00000000089CC000-memory.dmp

Filesize
5.2MB

Download
memory/6836-270-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/6836-267-0x0000000000000000-mapping.dmp

Download
memory/6844-288-0x0000000000000000-mapping.dmp

Download
memory/6932-274-0x0000000000000000-mapping.dmp

Download
memory/7048-278-0x0000000000000000-mapping.dmp

Download
memory/7128-280-0x0000000000000000-mapping.dmp

Download
memory/7140-296-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/7140-295-0x0000000000000000-mapping.dmp

Download