redline | f0f8fb599991890cfa572fa802710ca60a61f8d2f64edc7a0e7b24b7811c20d1

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2022 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6afbcf08be70895d0dc65e5d72bc0c.exe
Size

1.1MB
MD5

ce6afbcf08be70895d0dc65e5d72bc0c
SHA1

0891df1c147c5af34a2213fcda1a24c4cae9c634
SHA256

f0f8fb599991890cfa572fa802710ca60a61f8d2f64edc7a0e7b24b7811c20d1
SHA512

e1efe945788a30ec4567e06fc305201075866783ab8c20ec6ef995512d23b62f802b657c545ee020b2f8d9c11111898e6619be6f8f41d76d941573cb67feeff3

Score

10^/10

redline 5 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/4876-164-0x0000000000320000-0x0000000000364000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/4568-163-0x0000000000410000-0x0000000000430000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exeEU1.exe

pid process

1196 F0geI.exe
2348 kukurzka9000.exe
4568 namdoitntn.exe
2896 real.exe
4876 safert44.exe
4332 EU1.exe

pid	process
1196	F0geI.exe
2348	kukurzka9000.exe
4568	namdoitntn.exe
2896	real.exe
4876	safert44.exe
4332	EU1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ce6afbcf08be70895d0dc65e5d72bc0c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	ce6afbcf08be70895d0dc65e5d72bc0c.exe

Loads dropped DLL 3 IoCs

Processes:

F0geI.exe

pid process

1196 F0geI.exe
1196 F0geI.exe
1196 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1196	F0geI.exe
1196	F0geI.exe
1196	F0geI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 8 IoCs

Processes:

setup.exece6afbcf08be70895d0dc65e5d72bc0c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8a70acdf-34b4-4a5c-8654-2b0999713054.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220815162542.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	ce6afbcf08be70895d0dc65e5d72bc0c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5868 1196 WerFault.exe F0geI.exe

pid	pid_target	process	target process
5868	1196	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exenamdoitntn.exesafert44.exeidentity_helper.exemsedge.exe

pid	process
3684	msedge.exe
3684	msedge.exe
4408	msedge.exe
4408	msedge.exe
1584	msedge.exe
1584	msedge.exe
4412	msedge.exe
4412	msedge.exe
3464	msedge.exe
3464	msedge.exe
2896	real.exe
2896	real.exe
4568	namdoitntn.exe
4568	namdoitntn.exe
4876	safert44.exe
4876	safert44.exe
1332	identity_helper.exe
1332	identity_helper.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3464 msedge.exe
3464 msedge.exe
3464 msedge.exe
3464 msedge.exe
3464 msedge.exe
3464 msedge.exe
3464 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

namdoitntn.exesafert44.exe

description pid process

Token: SeDebugPrivilege 4568 namdoitntn.exe
Token: SeDebugPrivilege 4876 safert44.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3464 msedge.exe
3464 msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4568	namdoitntn.exe
Token: SeDebugPrivilege	4876	safert44.exe

pid	process
3464	msedge.exe
3464	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce6afbcf08be70895d0dc65e5d72bc0c.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4016 wrote to memory of 4768	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 4768	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 3464	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 3464	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 4864	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 4864	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 836	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4016 wrote to memory of 836	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	msedge.exe
PID 4864 wrote to memory of 4276	4864	msedge.exe	msedge.exe
PID 4864 wrote to memory of 4276	4864	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4100	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4100	3464	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4552	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4552	4768	msedge.exe	msedge.exe
PID 836 wrote to memory of 4692	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 4692	836	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1196	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	F0geI.exe
PID 4016 wrote to memory of 1196	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	F0geI.exe
PID 4016 wrote to memory of 1196	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	F0geI.exe
PID 4016 wrote to memory of 2348	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	kukurzka9000.exe
PID 4016 wrote to memory of 2348	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	kukurzka9000.exe
PID 4016 wrote to memory of 2348	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	kukurzka9000.exe
PID 4016 wrote to memory of 4568	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	namdoitntn.exe
PID 4016 wrote to memory of 4568	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	namdoitntn.exe
PID 4016 wrote to memory of 4568	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	namdoitntn.exe
PID 4016 wrote to memory of 2896	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	real.exe
PID 4016 wrote to memory of 2896	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	real.exe
PID 4016 wrote to memory of 2896	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	real.exe
PID 4016 wrote to memory of 4876	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	safert44.exe
PID 4016 wrote to memory of 4876	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	safert44.exe
PID 4016 wrote to memory of 4876	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	safert44.exe
PID 4016 wrote to memory of 4332	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	EU1.exe
PID 4016 wrote to memory of 4332	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	EU1.exe
PID 4016 wrote to memory of 4332	4016	ce6afbcf08be70895d0dc65e5d72bc0c.exe	EU1.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3288	3464	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ce6afbcf08be70895d0dc65e5d72bc0c.exe
"C:\Users\Admin\AppData\Local\Temp\ce6afbcf08be70895d0dc65e5d72bc0c.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd21e246f8,0x7ffd21e24708,0x7ffd21e24718
3⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10481814192056908023,5561941748977375699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
3⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10481814192056908023,5561941748977375699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd21e246f8,0x7ffd21e24708,0x7ffd21e24718
3⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
3⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
3⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
3⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
3⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
3⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 /prefetch:8
3⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
3⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
3⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
3⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff733e85460,0x7ff733e85470,0x7ff733e85480
4⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
3⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5356 /prefetch:8
3⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
3⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6701952639781704204,7620556064168602768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7956 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd21e246f8,0x7ffd21e24708,0x7ffd21e24718
3⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5800024711455784635,6347298057350252343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
3⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5800024711455784635,6347298057350252343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd21e246f8,0x7ffd21e24708,0x7ffd21e24718
3⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,5586619752169078009,14739207015232248005,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
3⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,5586619752169078009,14739207015232248005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 760
3⤵
- Program crash
PID:5868

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:2348

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1196 -ip 1196
1⤵
PID:5844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
281KB

MD5
ba3a49c828d27a3c6b1bc179e76af540

SHA1
373f8edd1a12b4e333bd54c03553f0874091f60e

SHA256
e7071de8c17a23fc79c11e89d59af2049796fcbf6a46523e1e9a1071772158f1

SHA512
e0c9e9eb2943ae9a6edfb6d7f9681f3e3050f6f5f6e17485be93f597fae7442aded2eca90712c452dd8ad6cb23162be2a51deb67fdb3ba8bf72239615696b0fb

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
281KB

MD5
ba3a49c828d27a3c6b1bc179e76af540

SHA1
373f8edd1a12b4e333bd54c03553f0874091f60e

SHA256
e7071de8c17a23fc79c11e89d59af2049796fcbf6a46523e1e9a1071772158f1

SHA512
e0c9e9eb2943ae9a6edfb6d7f9681f3e3050f6f5f6e17485be93f597fae7442aded2eca90712c452dd8ad6cb23162be2a51deb67fdb3ba8bf72239615696b0fb

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
ec59f38fa35c0cf3babd976f5f23c74e

SHA1
2f7600ac9df0869fae48d99afe9569d83efafc8b

SHA256
6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

SHA512
d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
ec59f38fa35c0cf3babd976f5f23c74e

SHA1
2f7600ac9df0869fae48d99afe9569d83efafc8b

SHA256
6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

SHA512
d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
30e375798049100677ea16b7c578a4ee

SHA1
bcab7401a5f34ac0e6f795ece8d3ed12944ae99f

SHA256
ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce

SHA512
f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2b967b064fa89a4462bdc84a9da36077

SHA1
3b7dc95abca48c93f67f01a10e75b504955e3082

SHA256
6446901f86135d1cffe4b4794400ba4e7f4a6efd13975fdd420588dbcf0dffa7

SHA512
27e3a41e699025b49022cb572738a4fdae8200da80f02bd1d1b57eaf02e05f2db22070e0943a4b5c0089bc0a1effffb6c95b14ed5cd3fdc4c0bb1eb08ddf6d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3674fc23e56233434546762e9a63cf5d

SHA1
5ffda76bcd981ad8dfb78ea7e9ee01b58fd5f088

SHA256
eb3ac0d9c8e9a021f0867f0e6993a31e81e518910863eb22cd1da1a138c9e756

SHA512
4bb5b2e0817bf7ecaee540d6f46414b6976557cbe962c5eb6192bab88f227257fcb1a768a26ffd7d11b5f665b922bf213a16aa52dcbecab2c303f3e0b168407f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d928c25b5fe86ce8c522ef3401b9ab13

SHA1
5da02594ccba062a62f6ab33cb45ef99220d2f74

SHA256
3a156ce9a1dffd010c5f5dd16bd93b1b39d1f1729e286fe588a757d0d3a5c7c8

SHA512
da5112dba1750122d196738928ce7cd80997ed07a6f2aefa7e8ec7862977f63b0f9b0bb6264365a712bfeec76bd615cdee799ba045429581dadbcc54536264ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3674fc23e56233434546762e9a63cf5d

SHA1
5ffda76bcd981ad8dfb78ea7e9ee01b58fd5f088

SHA256
eb3ac0d9c8e9a021f0867f0e6993a31e81e518910863eb22cd1da1a138c9e756

SHA512
4bb5b2e0817bf7ecaee540d6f46414b6976557cbe962c5eb6192bab88f227257fcb1a768a26ffd7d11b5f665b922bf213a16aa52dcbecab2c303f3e0b168407f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d928c25b5fe86ce8c522ef3401b9ab13

SHA1
5da02594ccba062a62f6ab33cb45ef99220d2f74

SHA256
3a156ce9a1dffd010c5f5dd16bd93b1b39d1f1729e286fe588a757d0d3a5c7c8

SHA512
da5112dba1750122d196738928ce7cd80997ed07a6f2aefa7e8ec7862977f63b0f9b0bb6264365a712bfeec76bd615cdee799ba045429581dadbcc54536264ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
1fc0e805a69766773f1464f9ca892800

SHA1
22ea2b75df403e626219be6d718953bc2477a6f1

SHA256
d17252c73e18d5091464ee061583dac1e453ec372522afcc81fc211f424a1781

SHA512
9e07d1c8be96b5fcf1b32923e70d847e79e4b9153ef17e704df464063010059b8bc7614e529e43022addb7b2627157c8520f2fb7c27f9dab97e68d9f88298c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2b967b064fa89a4462bdc84a9da36077

SHA1
3b7dc95abca48c93f67f01a10e75b504955e3082

SHA256
6446901f86135d1cffe4b4794400ba4e7f4a6efd13975fdd420588dbcf0dffa7

SHA512
27e3a41e699025b49022cb572738a4fdae8200da80f02bd1d1b57eaf02e05f2db22070e0943a4b5c0089bc0a1effffb6c95b14ed5cd3fdc4c0bb1eb08ddf6d92

Download Submit
\??\pipe\LOCAL\crashpad_3464_FMHZSBHONXMFTFBU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4768_TNLCDSGDKTKIBTCB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4864_WLSYPGXGBBLSQEUO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_836_TSDVMPEBVCAMVSRE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/620-265-0x0000000000000000-mapping.dmp

Download
memory/836-135-0x0000000000000000-mapping.dmp

Download
memory/980-175-0x0000000000000000-mapping.dmp

Download
memory/1180-227-0x0000000000000000-mapping.dmp

Download
memory/1196-140-0x0000000000000000-mapping.dmp

Download
memory/1196-251-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1196-192-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1196-185-0x000000000071D000-0x000000000072D000-memory.dmp

Filesize
64KB

Download
memory/1196-196-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1196-256-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1332-257-0x0000000000000000-mapping.dmp

Download
memory/1584-179-0x0000000000000000-mapping.dmp

Download
memory/1700-176-0x0000000000000000-mapping.dmp

Download
memory/2096-194-0x0000000000000000-mapping.dmp

Download
memory/2348-226-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2348-146-0x0000000000000000-mapping.dmp

Download
memory/2348-224-0x0000000003A80000-0x0000000003A92000-memory.dmp

Filesize
72KB

Download
memory/2356-205-0x0000000000000000-mapping.dmp

Download
memory/2600-259-0x0000000000000000-mapping.dmp

Download
memory/2772-221-0x0000000000000000-mapping.dmp

Download
memory/2896-184-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2896-150-0x0000000000000000-mapping.dmp

Download
memory/3188-261-0x0000000000000000-mapping.dmp

Download
memory/3288-174-0x0000000000000000-mapping.dmp

Download
memory/3464-133-0x0000000000000000-mapping.dmp

Download
memory/3684-181-0x0000000000000000-mapping.dmp

Download
memory/3792-178-0x0000000000000000-mapping.dmp

Download
memory/4100-137-0x0000000000000000-mapping.dmp

Download
memory/4216-210-0x0000000000000000-mapping.dmp

Download
memory/4276-136-0x0000000000000000-mapping.dmp

Download
memory/4332-158-0x0000000000000000-mapping.dmp

Download
memory/4408-180-0x0000000000000000-mapping.dmp

Download
memory/4412-183-0x0000000000000000-mapping.dmp

Download
memory/4552-138-0x0000000000000000-mapping.dmp

Download
memory/4568-252-0x0000000008930000-0x0000000008AF2000-memory.dmp

Filesize
1.8MB

Download
memory/4568-246-0x0000000007230000-0x0000000007296000-memory.dmp

Filesize
408KB

Download
memory/4568-186-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4568-182-0x0000000005800000-0x0000000005E18000-memory.dmp

Filesize
6.1MB

Download
memory/4568-250-0x0000000007400000-0x000000000741E000-memory.dmp

Filesize
120KB

Download
memory/4568-248-0x0000000007440000-0x00000000074D2000-memory.dmp

Filesize
584KB

Download
memory/4568-149-0x0000000000000000-mapping.dmp

Download
memory/4568-163-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/4692-139-0x0000000000000000-mapping.dmp

Download
memory/4756-263-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000000000-mapping.dmp

Download
memory/4832-266-0x0000000000000000-mapping.dmp

Download
memory/4864-134-0x0000000000000000-mapping.dmp

Download
memory/4876-247-0x0000000005180000-0x00000000051F6000-memory.dmp

Filesize
472KB

Download
memory/4876-249-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/4876-206-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/4876-253-0x0000000009610000-0x0000000009B3C000-memory.dmp

Filesize
5.2MB

Download
memory/4876-164-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/4876-255-0x0000000006970000-0x00000000069C0000-memory.dmp

Filesize
320KB

Download
memory/4876-155-0x0000000000000000-mapping.dmp

Download
memory/4876-198-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/5136-232-0x0000000000000000-mapping.dmp

Download
memory/5416-236-0x0000000000000000-mapping.dmp

Download
memory/5504-241-0x0000000000000000-mapping.dmp

Download
memory/5520-243-0x0000000000000000-mapping.dmp

Download
memory/6116-258-0x0000000000000000-mapping.dmp

Download