Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2022 06:27
Static task
static1
Behavioral task
behavioral1
Sample
80d6b02dd96ee97a652f31f586673fa8.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
80d6b02dd96ee97a652f31f586673fa8.exe
Resource
win10v2004-20220812-en
General
-
Target
80d6b02dd96ee97a652f31f586673fa8.exe
-
Size
929KB
-
MD5
80d6b02dd96ee97a652f31f586673fa8
-
SHA1
5ad394ed630321cba7c8640c8cefd5f6b1c1db7e
-
SHA256
7f9507e2305941a7263daeba121ce8a83c91bdbe5ad7df94a9dfc0ab4158271f
-
SHA512
03fbc3bdea3aafa7951844f6f081659ad7dc8f92addbe8aad6a1bbe5fcce0f1090b23628ed799dc9b311bf11b4775e9be5d2b54be60b0bdc0127848bae64ec75
Malware Config
Extracted
redline
nam3
103.89.90.61:34589
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
redline
@tag12312341
62.204.41.144:14096
-
auth_value
71466795417275fac01979e57016e277
Extracted
redline
4
31.41.244.134:11643
-
auth_value
a516b2d034ecd34338f12b50347fbd92
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
redline
RuXaRR_GG
insttaller.com:40915
-
auth_value
4a733ff307847db3ee220c11d113a305
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 15 IoCs
Processes:
resource yara_rule C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe family_redline C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe family_redline behavioral2/memory/2044-180-0x0000000000B30000-0x0000000000B50000-memory.dmp family_redline C:\Program Files (x86)\Company\NewProduct\tag.exe family_redline C:\Program Files (x86)\Company\NewProduct\safert44.exe family_redline C:\Program Files (x86)\Company\NewProduct\safert44.exe family_redline behavioral2/memory/1984-191-0x00000000002C0000-0x00000000002E0000-memory.dmp family_redline C:\Program Files (x86)\Company\NewProduct\tag.exe family_redline C:\Program Files (x86)\Company\NewProduct\jshainx.exe family_redline C:\Program Files (x86)\Company\NewProduct\jshainx.exe family_redline C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe family_redline C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe family_redline behavioral2/memory/3960-194-0x0000000000C70000-0x0000000000C90000-memory.dmp family_redline behavioral2/memory/2864-188-0x0000000000100000-0x0000000000144000-memory.dmp family_redline behavioral2/memory/996-198-0x00000000001E0000-0x0000000000200000-memory.dmp family_redline -
Executes dropped EXE 11 IoCs
Processes:
F0geI.exekukurzka9000.exenamdoitntn.exenuplat.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeme.exepid process 3744 F0geI.exe 3592 kukurzka9000.exe 2044 namdoitntn.exe 940 nuplat.exe 4884 real.exe 2864 safert44.exe 1984 tag.exe 3960 jshainx.exe 996 ffnameedit.exe 3436 rawxdev.exe 3100 me.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
80d6b02dd96ee97a652f31f586673fa8.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 80d6b02dd96ee97a652f31f586673fa8.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 13 IoCs
Processes:
80d6b02dd96ee97a652f31f586673fa8.exesetup.exedescription ioc process File opened for modification C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\safert44.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\rawxdev.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220813082744.pma setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\F0geI.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\nuplat.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\real.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\tag.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jshainx.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe 80d6b02dd96ee97a652f31f586673fa8.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\me.exe 80d6b02dd96ee97a652f31f586673fa8.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\037fa8ac-37d7-41be-89a8-cfb3e63f59d3.tmp setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 8 3744 WerFault.exe F0geI.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
nuplat.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nuplat.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nuplat.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exenuplat.exeidentity_helper.exeffnameedit.exejshainx.exenamdoitntn.exemsedge.exepid process 5320 msedge.exe 5320 msedge.exe 5476 msedge.exe 5476 msedge.exe 5504 msedge.exe 5504 msedge.exe 5880 msedge.exe 5880 msedge.exe 6032 msedge.exe 6032 msedge.exe 1056 msedge.exe 1056 msedge.exe 2008 msedge.exe 2008 msedge.exe 940 nuplat.exe 940 nuplat.exe 5528 identity_helper.exe 5528 identity_helper.exe 996 ffnameedit.exe 996 ffnameedit.exe 3960 jshainx.exe 3960 jshainx.exe 2044 namdoitntn.exe 2044 namdoitntn.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes:
msedge.exepid process 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
ffnameedit.exejshainx.exenamdoitntn.exedescription pid process Token: SeDebugPrivilege 996 ffnameedit.exe Token: SeDebugPrivilege 3960 jshainx.exe Token: SeDebugPrivilege 2044 namdoitntn.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msedge.exepid process 2008 msedge.exe 2008 msedge.exe 2008 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
80d6b02dd96ee97a652f31f586673fa8.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exedescription pid process target process PID 4724 wrote to memory of 4420 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 4420 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 4720 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 4720 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4420 wrote to memory of 3584 4420 msedge.exe msedge.exe PID 4420 wrote to memory of 3584 4420 msedge.exe msedge.exe PID 4720 wrote to memory of 1724 4720 msedge.exe msedge.exe PID 4720 wrote to memory of 1724 4720 msedge.exe msedge.exe PID 4724 wrote to memory of 5060 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 5060 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 5060 wrote to memory of 4924 5060 msedge.exe msedge.exe PID 5060 wrote to memory of 4924 5060 msedge.exe msedge.exe PID 4724 wrote to memory of 4892 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 4892 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4892 wrote to memory of 4904 4892 msedge.exe msedge.exe PID 4892 wrote to memory of 4904 4892 msedge.exe msedge.exe PID 4724 wrote to memory of 4448 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 4448 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4448 wrote to memory of 480 4448 msedge.exe msedge.exe PID 4448 wrote to memory of 480 4448 msedge.exe msedge.exe PID 4724 wrote to memory of 2008 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 2008 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 2008 wrote to memory of 5012 2008 msedge.exe msedge.exe PID 2008 wrote to memory of 5012 2008 msedge.exe msedge.exe PID 4724 wrote to memory of 1496 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 1496 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 1496 wrote to memory of 1344 1496 msedge.exe msedge.exe PID 1496 wrote to memory of 1344 1496 msedge.exe msedge.exe PID 4724 wrote to memory of 2716 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 2716 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 1960 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 4724 wrote to memory of 1960 4724 80d6b02dd96ee97a652f31f586673fa8.exe msedge.exe PID 2716 wrote to memory of 4452 2716 msedge.exe msedge.exe PID 2716 wrote to memory of 4452 2716 msedge.exe msedge.exe PID 1960 wrote to memory of 1376 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 1376 1960 msedge.exe msedge.exe PID 4724 wrote to memory of 3744 4724 80d6b02dd96ee97a652f31f586673fa8.exe F0geI.exe PID 4724 wrote to memory of 3744 4724 80d6b02dd96ee97a652f31f586673fa8.exe F0geI.exe PID 4724 wrote to memory of 3744 4724 80d6b02dd96ee97a652f31f586673fa8.exe F0geI.exe PID 4724 wrote to memory of 3592 4724 80d6b02dd96ee97a652f31f586673fa8.exe kukurzka9000.exe PID 4724 wrote to memory of 3592 4724 80d6b02dd96ee97a652f31f586673fa8.exe kukurzka9000.exe PID 4724 wrote to memory of 3592 4724 80d6b02dd96ee97a652f31f586673fa8.exe kukurzka9000.exe PID 4724 wrote to memory of 2044 4724 80d6b02dd96ee97a652f31f586673fa8.exe namdoitntn.exe PID 4724 wrote to memory of 2044 4724 80d6b02dd96ee97a652f31f586673fa8.exe namdoitntn.exe PID 4724 wrote to memory of 2044 4724 80d6b02dd96ee97a652f31f586673fa8.exe namdoitntn.exe PID 4724 wrote to memory of 940 4724 80d6b02dd96ee97a652f31f586673fa8.exe nuplat.exe PID 4724 wrote to memory of 940 4724 80d6b02dd96ee97a652f31f586673fa8.exe nuplat.exe PID 4724 wrote to memory of 940 4724 80d6b02dd96ee97a652f31f586673fa8.exe nuplat.exe PID 4724 wrote to memory of 4884 4724 80d6b02dd96ee97a652f31f586673fa8.exe real.exe PID 4724 wrote to memory of 4884 4724 80d6b02dd96ee97a652f31f586673fa8.exe real.exe PID 4724 wrote to memory of 4884 4724 80d6b02dd96ee97a652f31f586673fa8.exe real.exe PID 4724 wrote to memory of 2864 4724 80d6b02dd96ee97a652f31f586673fa8.exe safert44.exe PID 4724 wrote to memory of 2864 4724 80d6b02dd96ee97a652f31f586673fa8.exe safert44.exe PID 4724 wrote to memory of 2864 4724 80d6b02dd96ee97a652f31f586673fa8.exe safert44.exe PID 4724 wrote to memory of 1984 4724 80d6b02dd96ee97a652f31f586673fa8.exe tag.exe PID 4724 wrote to memory of 1984 4724 80d6b02dd96ee97a652f31f586673fa8.exe tag.exe PID 4724 wrote to memory of 1984 4724 80d6b02dd96ee97a652f31f586673fa8.exe tag.exe PID 4724 wrote to memory of 3960 4724 80d6b02dd96ee97a652f31f586673fa8.exe jshainx.exe PID 4724 wrote to memory of 3960 4724 80d6b02dd96ee97a652f31f586673fa8.exe jshainx.exe PID 4724 wrote to memory of 3960 4724 80d6b02dd96ee97a652f31f586673fa8.exe jshainx.exe PID 4724 wrote to memory of 996 4724 80d6b02dd96ee97a652f31f586673fa8.exe ffnameedit.exe PID 4724 wrote to memory of 996 4724 80d6b02dd96ee97a652f31f586673fa8.exe ffnameedit.exe PID 4724 wrote to memory of 996 4724 80d6b02dd96ee97a652f31f586673fa8.exe ffnameedit.exe PID 4724 wrote to memory of 3436 4724 80d6b02dd96ee97a652f31f586673fa8.exe rawxdev.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80d6b02dd96ee97a652f31f586673fa8.exe"C:\Users\Admin\AppData\Local\Temp\80d6b02dd96ee97a652f31f586673fa8.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xb0,0xdc,0x100,0x40,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,938560305366288581,12549102739770429568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,938560305366288581,12549102739770429568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16277724104425642116,15093860693980684533,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16277724104425642116,15093860693980684533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7908008005233786375,2177616713016853184,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7908008005233786375,2177616713016853184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2289810977031457739,17466349752216348333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7355858409094476335,12035334883882507938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7355858409094476335,12035334883882507938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7076 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7076 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7628 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x114,0x12c,0xbc,0xec,0x7ff6a70e5460,0x7ff6a70e5470,0x7ff6a70e54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7628 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8572 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8580 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7744 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8184 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,2144552914467303790,3171431547124167841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1805005278426192887,13492767295589364047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1805005278426192887,13492767295589364047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11452581600769205338,12651821380084219917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11452581600769205338,12651821380084219917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ALSZ42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc5b646f8,0x7ffcc5b64708,0x7ffcc5b647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,4527250860304538478,9819510054855673314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,4527250860304538478,9819510054855673314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 7603⤵
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\nuplat.exe"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\me.exe"C:\Program Files (x86)\Company\NewProduct\me.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 37441⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exeFilesize
107KB
MD54bf892a854af9af2802f526837819f6e
SHA109f2e9938466e74a67368ecd613efdc57f80c30b
SHA256713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf
SHA5127ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44
-
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exeFilesize
107KB
MD54bf892a854af9af2802f526837819f6e
SHA109f2e9938466e74a67368ecd613efdc57f80c30b
SHA256713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf
SHA5127ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
491KB
MD5681d98300c552b8c470466d9e8328c8a
SHA1d15f4a432a2abce96ba9ba74443e566c1ffb933f
SHA2568bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912
SHA512b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
491KB
MD5681d98300c552b8c470466d9e8328c8a
SHA1d15f4a432a2abce96ba9ba74443e566c1ffb933f
SHA2568bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912
SHA512b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887
-
C:\Program Files (x86)\Company\NewProduct\me.exeFilesize
286KB
MD529f986a025ca64b6e5fbc50fcefc8743
SHA14930311ffe1eac17a468c454d2ac37532b79c454
SHA256766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090
SHA5127af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a
-
C:\Program Files (x86)\Company\NewProduct\me.exeFilesize
286KB
MD529f986a025ca64b6e5fbc50fcefc8743
SHA14930311ffe1eac17a468c454d2ac37532b79c454
SHA256766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090
SHA5127af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
C:\Program Files (x86)\Company\NewProduct\nuplat.exeFilesize
287KB
MD517c42a0dad379448ee1e6b21c85e5ac9
SHA12fec7fbb4a47092f9c17cd5ebb509a6403cb6d69
SHA256e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b
SHA5125ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189
-
C:\Program Files (x86)\Company\NewProduct\nuplat.exeFilesize
287KB
MD517c42a0dad379448ee1e6b21c85e5ac9
SHA12fec7fbb4a47092f9c17cd5ebb509a6403cb6d69
SHA256e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b
SHA5125ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189
-
C:\Program Files (x86)\Company\NewProduct\rawxdev.exeFilesize
287KB
MD5c1595ffe08cf9360cda3a95c2104d2d9
SHA17d2727bf305fd7ffcf4119f7d545b189135b06f6
SHA256dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3
SHA5128847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619
-
C:\Program Files (x86)\Company\NewProduct\rawxdev.exeFilesize
287KB
MD5c1595ffe08cf9360cda3a95c2104d2d9
SHA17d2727bf305fd7ffcf4119f7d545b189135b06f6
SHA256dc55684473d7a957277eb4dc82deab4cadc83bd21f2c9a6c4b1b3f579cc1b7f3
SHA5128847577ecd6590fdc4dbd0447e8a990c8d8835e733106a3b910edf4ee4fbac4e1ca6b61468c8fdef83982e5bd347b21525dc605e6d596bb6f2ca940dab256619
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
286KB
MD58a370815d8a47020150efa559ffdf736
SHA1ba9d8df8f484b8da51161a0e29fd29e5001cff5d
SHA256975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58
SHA512d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
286KB
MD58a370815d8a47020150efa559ffdf736
SHA1ba9d8df8f484b8da51161a0e29fd29e5001cff5d
SHA256975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58
SHA512d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5af05481b81fdeb6c34b41fa28542b8e1
SHA130982103d4ad165cda1b492f96da553b0d5a8663
SHA25661fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2
SHA5126671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52c6d9f2ec68954ff388a74f073308724
SHA11fa378196a93aef518547289ac556e939dfe03b5
SHA2565e748c09e53188f83e3a8da6f1b120313a923b6cbb445fb3350581ab6c1a1a42
SHA5129366b80ba818b4e3221bf9c200bb052b82754bea55e4fa0c3ae11ce8c30cf7f011d98cf947800150905a69640d25cd83d7200b00185450185bce93ae8e0d7ce1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5ea414c9b71ae63eb7074dee0f9caceb4
SHA192b0e5153f4ceda9a9a5254cf86872f5c5ec7bad
SHA25622c7102683db9aa5d752cbaa7c85c9dc2de5d72388930afced56f62577b908cb
SHA5127716b4eb7f98d7534cd628b0829aa644ec742c7b34905e224b7229aa93c0d874577627b00d7b53a360596b11ecc5c88eb23dd9576b9970bfd1956893e198c0bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5bb8b4f5d76c4d69158a61580e2938868
SHA1a4ed8fd2aa175c78d3db6ae9b48ddda37e5ad7d1
SHA2567722f19870caac6328789f48dc4ee9575d0c6d30f37e3e7bf43c558d0a1484be
SHA5123342014e8f805405c887f621f3f20f1622d0c46c2214a9f4ec166e6ac172d4e1aaf62de7f73861001207c655485ff0b71fcd54f5cb302b9e882de34fbc3dcfc6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52bbb8be1cc63e993cde5aa076a0b8dc6
SHA1b655c92dee7174c5161488657010ede96817d7eb
SHA256786b2e9ab4b859fdf76efaf72a3d5999d0f6f2cd553c68dba12daac33aa0469e
SHA5121524232adb4b11c31f8096be292a0d6eb9b65582c0309a92181400e52993490e090ba12521b5a2e0051e90655ba0128c97ada1ecacf6fcf19dd926050fd97e17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52c6d9f2ec68954ff388a74f073308724
SHA11fa378196a93aef518547289ac556e939dfe03b5
SHA2565e748c09e53188f83e3a8da6f1b120313a923b6cbb445fb3350581ab6c1a1a42
SHA5129366b80ba818b4e3221bf9c200bb052b82754bea55e4fa0c3ae11ce8c30cf7f011d98cf947800150905a69640d25cd83d7200b00185450185bce93ae8e0d7ce1
-
\??\pipe\LOCAL\crashpad_1496_EUUAQQNQGZZYKHEBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_1960_HOVCRDJXQBRWHRYDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_2008_YRHUFGIEGSTZUBFVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_2716_IATVYQQCLVFNVGQNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4420_OFENVKIVEOFZKUDWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4448_EXZVOSUYBRDBDQTGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5060_HLJCGLENAKNAGLFZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-221-0x0000000000000000-mapping.dmp
-
memory/480-144-0x0000000000000000-mapping.dmp
-
memory/940-290-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/940-174-0x0000000000000000-mapping.dmp
-
memory/996-195-0x0000000000000000-mapping.dmp
-
memory/996-198-0x00000000001E0000-0x0000000000200000-memory.dmpFilesize
128KB
-
memory/1056-260-0x0000000000000000-mapping.dmp
-
memory/1344-150-0x0000000000000000-mapping.dmp
-
memory/1360-316-0x0000000000000000-mapping.dmp
-
memory/1376-155-0x0000000000000000-mapping.dmp
-
memory/1496-148-0x0000000000000000-mapping.dmp
-
memory/1576-323-0x0000000000000000-mapping.dmp
-
memory/1724-135-0x0000000000000000-mapping.dmp
-
memory/1960-153-0x0000000000000000-mapping.dmp
-
memory/1980-256-0x0000000000000000-mapping.dmp
-
memory/1984-191-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1984-184-0x0000000000000000-mapping.dmp
-
memory/2008-146-0x0000000000000000-mapping.dmp
-
memory/2044-313-0x0000000008B20000-0x00000000090C4000-memory.dmpFilesize
5.6MB
-
memory/2044-314-0x0000000008670000-0x000000000868E000-memory.dmpFilesize
120KB
-
memory/2044-164-0x0000000000000000-mapping.dmp
-
memory/2044-202-0x0000000005AE0000-0x0000000005AF2000-memory.dmpFilesize
72KB
-
memory/2044-180-0x0000000000B30000-0x0000000000B50000-memory.dmpFilesize
128KB
-
memory/2716-151-0x0000000000000000-mapping.dmp
-
memory/2864-181-0x0000000000000000-mapping.dmp
-
memory/2864-188-0x0000000000100000-0x0000000000144000-memory.dmpFilesize
272KB
-
memory/3100-201-0x0000000000000000-mapping.dmp
-
memory/3400-324-0x0000000000000000-mapping.dmp
-
memory/3436-199-0x0000000000000000-mapping.dmp
-
memory/3452-289-0x0000000000000000-mapping.dmp
-
memory/3584-134-0x0000000000000000-mapping.dmp
-
memory/3592-161-0x0000000000000000-mapping.dmp
-
memory/3592-250-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3592-242-0x0000000003980000-0x0000000003992000-memory.dmpFilesize
72KB
-
memory/3744-158-0x0000000000000000-mapping.dmp
-
memory/3744-230-0x00000000005A0000-0x00000000005B0000-memory.dmpFilesize
64KB
-
memory/3744-227-0x00000000004BD000-0x00000000004CD000-memory.dmpFilesize
64KB
-
memory/3744-231-0x0000000000400000-0x000000000046E000-memory.dmpFilesize
440KB
-
memory/3764-255-0x0000000000000000-mapping.dmp
-
memory/3960-321-0x0000000007080000-0x0000000007242000-memory.dmpFilesize
1.8MB
-
memory/3960-194-0x0000000000C70000-0x0000000000C90000-memory.dmpFilesize
128KB
-
memory/3960-187-0x0000000000000000-mapping.dmp
-
memory/3960-205-0x00000000055F0000-0x00000000056FA000-memory.dmpFilesize
1.0MB
-
memory/3960-312-0x0000000005980000-0x0000000005A12000-memory.dmpFilesize
584KB
-
memory/3960-311-0x0000000005860000-0x00000000058D6000-memory.dmpFilesize
472KB
-
memory/3960-215-0x0000000005520000-0x000000000555C000-memory.dmpFilesize
240KB
-
memory/3960-200-0x0000000005A30000-0x0000000006048000-memory.dmpFilesize
6.1MB
-
memory/3960-320-0x0000000006E60000-0x0000000006EB0000-memory.dmpFilesize
320KB
-
memory/3960-319-0x0000000006450000-0x00000000064B6000-memory.dmpFilesize
408KB
-
memory/3960-322-0x0000000007780000-0x0000000007CAC000-memory.dmpFilesize
5.2MB
-
memory/4116-222-0x0000000000000000-mapping.dmp
-
memory/4420-132-0x0000000000000000-mapping.dmp
-
memory/4448-142-0x0000000000000000-mapping.dmp
-
memory/4452-154-0x0000000000000000-mapping.dmp
-
memory/4520-318-0x0000000000000000-mapping.dmp
-
memory/4544-310-0x0000000000000000-mapping.dmp
-
memory/4720-133-0x0000000000000000-mapping.dmp
-
memory/4884-177-0x0000000000000000-mapping.dmp
-
memory/4892-140-0x0000000000000000-mapping.dmp
-
memory/4904-141-0x0000000000000000-mapping.dmp
-
memory/4924-137-0x0000000000000000-mapping.dmp
-
memory/5012-147-0x0000000000000000-mapping.dmp
-
memory/5060-136-0x0000000000000000-mapping.dmp
-
memory/5144-224-0x0000000000000000-mapping.dmp
-
memory/5164-225-0x0000000000000000-mapping.dmp
-
memory/5232-226-0x0000000000000000-mapping.dmp
-
memory/5264-229-0x0000000000000000-mapping.dmp
-
memory/5320-228-0x0000000000000000-mapping.dmp
-
memory/5476-234-0x0000000000000000-mapping.dmp
-
memory/5484-233-0x0000000000000000-mapping.dmp
-
memory/5492-240-0x0000000000000000-mapping.dmp
-
memory/5504-236-0x0000000000000000-mapping.dmp
-
memory/5512-235-0x0000000000000000-mapping.dmp
-
memory/5520-238-0x0000000000000000-mapping.dmp
-
memory/5528-325-0x0000000000000000-mapping.dmp
-
memory/5880-243-0x0000000000000000-mapping.dmp
-
memory/5944-251-0x0000000000000000-mapping.dmp
-
memory/6032-253-0x0000000000000000-mapping.dmp
-
memory/6044-263-0x0000000000000000-mapping.dmp
-
memory/6532-268-0x0000000000000000-mapping.dmp
-
memory/6564-270-0x0000000000000000-mapping.dmp
-
memory/6680-272-0x0000000000000000-mapping.dmp
-
memory/6756-274-0x0000000000000000-mapping.dmp
-
memory/6840-276-0x0000000000000000-mapping.dmp
-
memory/6936-278-0x0000000000000000-mapping.dmp
-
memory/7016-280-0x0000000000000000-mapping.dmp
-
memory/7088-282-0x0000000000000000-mapping.dmp