redline | de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2022 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
Size

1.7MB
MD5

1b4fc049d71cc0d02f977f371d551a38
SHA1

0d931401e0a05dc958331a7c7684fdb18ffa5d61
SHA256

de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167
SHA512

40adce95029949271c8afc412fe3b623e30d83ab3670b24437f6dbeb2e85358b17fc564fec61af00832120e8fd0d090a27bfe60c11ec9f537673e201e3e0ee1e

Score

10^/10

redline 5 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral1/memory/5344-204-0x0000000000B70000-0x0000000000B90000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/5692-216-0x00000000006F0000-0x0000000000734000-memory.dmp	family_redline
behavioral1/memory/5856-227-0x0000000000540000-0x0000000000560000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/6100-239-0x0000000000C10000-0x0000000000C30000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral1/memory/3188-249-0x00000000007E0000-0x0000000000800000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeWW1.exe

pid	process
2184	F0geI.exe
3900	kukurzka9000.exe
5344	namdoitntn.exe
5588	real.exe
5692	safert44.exe
5856	tag.exe
6100	jshainx.exe
3188	ffnameedit.exe
5408	rawxdev.exe
5748	WW1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe

Loads dropped DLL 3 IoCs

Processes:

F0geI.exe

pid process

2184 F0geI.exe
2184 F0geI.exe
2184 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 12 IoCs

Processes:

de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3940747a-f95e-47c1-a81b-494376432505.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220813061256.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4192 2184 WerFault.exe F0geI.exe

pid	pid_target	process	target process
4192	2184	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exenamdoitntn.exejshainx.exesafert44.exeffnameedit.exeidentity_helper.exemsedge.exe

pid	process
2276	msedge.exe
2276	msedge.exe
1500	msedge.exe
1500	msedge.exe
2428	msedge.exe
2428	msedge.exe
1324	msedge.exe
1324	msedge.exe
2692	msedge.exe
2692	msedge.exe
5140	msedge.exe
5140	msedge.exe
5588	real.exe
5588	real.exe
5344	namdoitntn.exe
5344	namdoitntn.exe
6100	jshainx.exe
6100	jshainx.exe
5692	safert44.exe
5692	safert44.exe
3188	ffnameedit.exe
3188	ffnameedit.exe
2320	identity_helper.exe
2320	identity_helper.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

namdoitntn.exejshainx.exesafert44.exeffnameedit.exe

description	pid	process
Token: SeDebugPrivilege	5344	namdoitntn.exe
Token: SeDebugPrivilege	6100	jshainx.exe
Token: SeDebugPrivilege	5692	safert44.exe
Token: SeDebugPrivilege	3188	ffnameedit.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2692 msedge.exe
2692 msedge.exe
2692 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 5020 wrote to memory of 2692	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 2692	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 3524	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 3524	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 4648	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 4648	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 3524 wrote to memory of 4912	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 4912	3524	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4272	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4272	2692	msedge.exe	msedge.exe
PID 5020 wrote to memory of 4596	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 4596	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 4648 wrote to memory of 800	4648	msedge.exe	msedge.exe
PID 4648 wrote to memory of 800	4648	msedge.exe	msedge.exe
PID 4596 wrote to memory of 2964	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 2964	4596	msedge.exe	msedge.exe
PID 5020 wrote to memory of 3656	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 3656	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 3656 wrote to memory of 996	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 996	3656	msedge.exe	msedge.exe
PID 5020 wrote to memory of 3520	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 5020 wrote to memory of 3520	5020	de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 3520 wrote to memory of 4656	3520	msedge.exe	msedge.exe
PID 3520 wrote to memory of 4656	3520	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe
PID 2692 wrote to memory of 4440	2692	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe
"C:\Users\Admin\AppData\Local\Temp\de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
3⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
3⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
3⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
3⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
3⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
3⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
3⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
3⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
3⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6612 /prefetch:8
3⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
3⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
3⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8544 /prefetch:8
3⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6cf7f5460,0x7ff6cf7f5470,0x7ff6cf7f5480
4⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8544 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8984 /prefetch:8
3⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
3⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
3⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9148 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6676 /prefetch:8
3⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1444,9148769963701081688,9961110435269621042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
3⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x78,0xdc,0x100,0x74,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14338725394346674595,5490118491260556987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
3⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14338725394346674595,5490118491260556987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4873935872330685077,7473023005252296692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,4873935872330685077,7473023005252296692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,214441298584924105,401945499097951402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
3⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,214441298584924105,401945499097951402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12856370886589350543,8469115956676503732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
2⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ4
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ALSZ4
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
3⤵
PID:3212

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 760
3⤵
- Program crash
PID:4192

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:3900

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5588

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
PID:5856

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:5408

C:\Program Files (x86)\Company\NewProduct\WW1.exe
"C:\Program Files (x86)\Company\NewProduct\WW1.exe"
2⤵
- Executes dropped EXE
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d2946f8,0x7fff1d294708,0x7fff1d294718
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2184 -ip 2184
1⤵
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe
Filesize
281KB

MD5
1885946b127569cff6c03bea7175c3a0

SHA1
9bde463fc59f36f7fca6ab4d5f31b52cf979fc22

SHA256
6e445a4ed5beff50cf4935e54d2c48e25bade941378fe8fe3f0914413e90e09b

SHA512
e954c609b998b01b85614d3bda84a410d48db0559d68a69d7b07cfbed9cf4311f7c0b60fcc060c874dd757e774112283ec7f22c32a6ecf268a775becfea72a0b

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe
Filesize
281KB

MD5
1885946b127569cff6c03bea7175c3a0

SHA1
9bde463fc59f36f7fca6ab4d5f31b52cf979fc22

SHA256
6e445a4ed5beff50cf4935e54d2c48e25bade941378fe8fe3f0914413e90e09b

SHA512
e954c609b998b01b85614d3bda84a410d48db0559d68a69d7b07cfbed9cf4311f7c0b60fcc060c874dd757e774112283ec7f22c32a6ecf268a775becfea72a0b

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e0652753ffba69e75a830c7b31362548

SHA1
2daede2707cf9cdea1926a862ca398384a5c55aa

SHA256
60b78bd274e3250335941adfd6db0a94d39a2fe0891467f7d8af4a5ca38d1ae0

SHA512
38816ecffe0dc699e7ace9c3dc7e4a787741458f2dd2381c8541049f7a6331ea96d047be93a5e0a7fd5a0c5fc30eabf73d44ac5e77441d03d4d070f19f3ea5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
5edc92eefd32e90071fcb22c867839ac

SHA1
f06b3603015d2b4ffdb11e2c2b4241acdb7af521

SHA256
b0667bbf8cd4804bf6c675c4363ed3d538aa830318252a28b58bec421d619cc8

SHA512
7b9d3b6e7726b750d1cccd22335a12d7addb93c5270db956f563aa715043bb45d88181cb42f817f050bf7eda7dba49c0f49c7ffd8abc5f5f311c54f36ede28c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
03be1578e14ba6054b7831f73487462f

SHA1
0342ddbfe4849ebdaeed2cd22b58ca48101778a7

SHA256
c5898773692d19aef6a1c7fadac93668b0a1b58edf99122a25318d25994966d6

SHA512
9ced6fc5c4fca5eea200ef6a03af607096914b8b4a2db218a1de52160592c6e887fd4c6f952d0d1b3b3e7e414fe090234b8717156706e379c7d5d47c5be1ce76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
51a69d6078e4016f159dd7082080a7ee

SHA1
891f2dba8a7f8741029436da6a7327fe25016e23

SHA256
8c4be89e59469d58fe876b079a294dfe10df46d0d0fb42063f2911f722765068

SHA512
b421fcc1afe3f32efb85b275621644cf667c10b96bcefd9722f52d7ac2d6adb3ce0c47348b0b23dcbd96acfb9b1023a3ecc3ada0792f0086d53b976529a0e90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
51a69d6078e4016f159dd7082080a7ee

SHA1
891f2dba8a7f8741029436da6a7327fe25016e23

SHA256
8c4be89e59469d58fe876b079a294dfe10df46d0d0fb42063f2911f722765068

SHA512
b421fcc1afe3f32efb85b275621644cf667c10b96bcefd9722f52d7ac2d6adb3ce0c47348b0b23dcbd96acfb9b1023a3ecc3ada0792f0086d53b976529a0e90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d4314c1648ef8d64e6e060c0c3202d3b

SHA1
5d7a0d196dc001dde53567438d1cdfe8f56f4f2e

SHA256
f7e12036537b5a8ec9eb5613fd02eb226c3fdedae809f1bfe48856a676a50759

SHA512
076793ebb86b9bb24c3cbb160c461653ad6eee26e4169be45b8dbc2deb3426065d2be006621baf289f5b846a9e084e7d0f1633fff2800a73234c0aff9050c0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d4314c1648ef8d64e6e060c0c3202d3b

SHA1
5d7a0d196dc001dde53567438d1cdfe8f56f4f2e

SHA256
f7e12036537b5a8ec9eb5613fd02eb226c3fdedae809f1bfe48856a676a50759

SHA512
076793ebb86b9bb24c3cbb160c461653ad6eee26e4169be45b8dbc2deb3426065d2be006621baf289f5b846a9e084e7d0f1633fff2800a73234c0aff9050c0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
5edc92eefd32e90071fcb22c867839ac

SHA1
f06b3603015d2b4ffdb11e2c2b4241acdb7af521

SHA256
b0667bbf8cd4804bf6c675c4363ed3d538aa830318252a28b58bec421d619cc8

SHA512
7b9d3b6e7726b750d1cccd22335a12d7addb93c5270db956f563aa715043bb45d88181cb42f817f050bf7eda7dba49c0f49c7ffd8abc5f5f311c54f36ede28c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
03be1578e14ba6054b7831f73487462f

SHA1
0342ddbfe4849ebdaeed2cd22b58ca48101778a7

SHA256
c5898773692d19aef6a1c7fadac93668b0a1b58edf99122a25318d25994966d6

SHA512
9ced6fc5c4fca5eea200ef6a03af607096914b8b4a2db218a1de52160592c6e887fd4c6f952d0d1b3b3e7e414fe090234b8717156706e379c7d5d47c5be1ce76

Download Submit
\??\pipe\LOCAL\crashpad_2692_GDQQZCPXETTXNYWR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3524_JEFMDBTULHQLZKYJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4596_JFLYIHFNVODJZVRR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4648_DZPXEEWBGHBVMRJJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-309-0x0000000000000000-mapping.dmp

Download
memory/800-138-0x0000000000000000-mapping.dmp

Download
memory/996-147-0x0000000000000000-mapping.dmp

Download
memory/1120-173-0x0000000000000000-mapping.dmp

Download
memory/1324-182-0x0000000000000000-mapping.dmp

Download
memory/1344-302-0x0000000000000000-mapping.dmp

Download
memory/1356-297-0x0000000000000000-mapping.dmp

Download
memory/1448-300-0x0000000000000000-mapping.dmp

Download
memory/1500-163-0x0000000000000000-mapping.dmp

Download
memory/1512-162-0x0000000000000000-mapping.dmp

Download
memory/1924-156-0x0000000000000000-mapping.dmp

Download
memory/2184-228-0x000000000058C000-0x000000000059D000-memory.dmp

Filesize
68KB

Download
memory/2184-172-0x0000000000000000-mapping.dmp

Download
memory/2184-230-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2184-285-0x000000000058C000-0x000000000059D000-memory.dmp

Filesize
68KB

Download
memory/2184-286-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2184-290-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2184-231-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2276-159-0x0000000000000000-mapping.dmp

Download
memory/2320-298-0x0000000000000000-mapping.dmp

Download
memory/2428-178-0x0000000000000000-mapping.dmp

Download
memory/2440-171-0x0000000000000000-mapping.dmp

Download
memory/2516-195-0x0000000000000000-mapping.dmp

Download
memory/2692-132-0x0000000000000000-mapping.dmp

Download
memory/2964-139-0x0000000000000000-mapping.dmp

Download
memory/3188-243-0x0000000000000000-mapping.dmp

Download
memory/3188-249-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/3212-164-0x0000000000000000-mapping.dmp

Download
memory/3220-305-0x0000000000000000-mapping.dmp

Download
memory/3336-275-0x0000000000000000-mapping.dmp

Download
memory/3412-179-0x0000000000000000-mapping.dmp

Download
memory/3448-157-0x0000000000000000-mapping.dmp

Download
memory/3520-150-0x0000000000000000-mapping.dmp

Download
memory/3524-133-0x0000000000000000-mapping.dmp

Download
memory/3656-143-0x0000000000000000-mapping.dmp

Download
memory/3872-191-0x0000000000000000-mapping.dmp

Download
memory/3900-187-0x0000000000000000-mapping.dmp

Download
memory/3900-272-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/3900-273-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/4272-136-0x0000000000000000-mapping.dmp

Download
memory/4336-160-0x0000000000000000-mapping.dmp

Download
memory/4440-154-0x0000000000000000-mapping.dmp

Download
memory/4596-137-0x0000000000000000-mapping.dmp

Download
memory/4648-134-0x0000000000000000-mapping.dmp

Download
memory/4656-153-0x0000000000000000-mapping.dmp

Download
memory/4912-135-0x0000000000000000-mapping.dmp

Download
memory/5140-196-0x0000000000000000-mapping.dmp

Download
memory/5224-277-0x0000000000000000-mapping.dmp

Download
memory/5228-279-0x0000000000000000-mapping.dmp

Download
memory/5344-197-0x0000000000000000-mapping.dmp

Download
memory/5344-225-0x0000000007A80000-0x0000000007B8A000-memory.dmp

Filesize
1.0MB

Download
memory/5344-280-0x0000000008240000-0x00000000087E4000-memory.dmp

Filesize
5.6MB

Download
memory/5344-304-0x0000000000000000-mapping.dmp

Download
memory/5344-204-0x0000000000B70000-0x0000000000B90000-memory.dmp

Filesize
128KB

Download
memory/5344-220-0x0000000005EC0000-0x0000000005ED2000-memory.dmp

Filesize
72KB

Download
memory/5344-218-0x0000000005F50000-0x0000000006568000-memory.dmp

Filesize
6.1MB

Download
memory/5344-281-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/5344-289-0x0000000008EF0000-0x000000000941C000-memory.dmp

Filesize
5.2MB

Download
memory/5344-288-0x00000000087F0000-0x00000000089B2000-memory.dmp

Filesize
1.8MB

Download
memory/5344-284-0x0000000007EE0000-0x0000000007F46000-memory.dmp

Filesize
408KB

Download
memory/5344-283-0x0000000007A60000-0x0000000007A7E000-memory.dmp

Filesize
120KB

Download
memory/5344-229-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/5344-282-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/5376-199-0x0000000000000000-mapping.dmp

Download
memory/5408-291-0x00000000028F0000-0x000000000294E000-memory.dmp

Filesize
376KB

Download
memory/5408-254-0x0000000000000000-mapping.dmp

Download
memory/5416-203-0x0000000000000000-mapping.dmp

Download
memory/5492-206-0x0000000000000000-mapping.dmp

Download
memory/5588-241-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5588-207-0x0000000000000000-mapping.dmp

Download
memory/5680-212-0x0000000000000000-mapping.dmp

Download
memory/5692-216-0x00000000006F0000-0x0000000000734000-memory.dmp

Filesize
272KB

Download
memory/5692-287-0x0000000006CE0000-0x0000000006D30000-memory.dmp

Filesize
320KB

Download
memory/5692-211-0x0000000000000000-mapping.dmp

Download
memory/5748-260-0x0000000000000000-mapping.dmp

Download
memory/5752-217-0x0000000000000000-mapping.dmp

Download
memory/5856-227-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/5856-219-0x0000000000000000-mapping.dmp

Download
memory/5876-307-0x0000000000000000-mapping.dmp

Download
memory/5916-224-0x0000000000000000-mapping.dmp

Download
memory/5964-296-0x0000000000000000-mapping.dmp

Download
memory/6100-239-0x0000000000C10000-0x0000000000C30000-memory.dmp

Filesize
128KB

Download
memory/6100-232-0x0000000000000000-mapping.dmp

Download
memory/6112-238-0x0000000000000000-mapping.dmp

Download