redline | 3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2022 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ccbac1663570c8901fcb75111b07497.exe
Size

1.1MB
MD5

8ccbac1663570c8901fcb75111b07497
SHA1

a4772fd7f75d1d755e7494184aa35313182769d2
SHA256

3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983
SHA512

d9cb06f7bfbbaace59a5834f8ba1cd1e9de1d03370dc550d0b17527a52a09f3f6bb35ccd86ff3ef8b95673300d036779f2158faeefb9a5a7e139f1f8e9a7a96a

Score

10^/10

redline 5 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/3920-178-0x0000000000740000-0x0000000000760000-memory.dmp	family_redline
behavioral2/memory/4080-190-0x0000000000150000-0x0000000000194000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.execaptain09876.exeme.exeSETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exeSETUP_~1.EXESETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exeEC8E.exe

pid	process
1436	F0geI.exe
3536	kukurzka9000.exe
3920	namdoitntn.exe
400	real.exe
4080	safert44.exe
3460	captain09876.exe
5296	me.exe
6016	SETUP_~1.EXE
4636	Alwgckdftdslvwbqpdbjc13t.exe
3100	SETUP_~1.EXE
3284	SETUP_~1.EXE
5656	Alwgckdftdslvwbqpdbjc13t.exe
1376	EC8E.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EC8E.exe8ccbac1663570c8901fcb75111b07497.exeSETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	EC8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	8ccbac1663570c8901fcb75111b07497.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Alwgckdftdslvwbqpdbjc13t.exe

Loads dropped DLL 6 IoCs

Processes:

F0geI.exeSETUP_~1.EXE

pid process

1436 F0geI.exe
1436 F0geI.exe
1436 F0geI.exe
3284 SETUP_~1.EXE
3284 SETUP_~1.EXE
3284 SETUP_~1.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

captain09876.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	captain09876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	captain09876.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

SETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exe

description	pid	process	target process
PID 6016 set thread context of 3284	6016	SETUP_~1.EXE	SETUP_~1.EXE
PID 4636 set thread context of 5656	4636	Alwgckdftdslvwbqpdbjc13t.exe	Alwgckdftdslvwbqpdbjc13t.exe

Drops file in Program Files directory 9 IoCs

Processes:

8ccbac1663570c8901fcb75111b07497.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\captain09876.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220819052646.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	8ccbac1663570c8901fcb75111b07497.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	8ccbac1663570c8901fcb75111b07497.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\87ed8c7c-9d54-440e-a000-ad10963b8ae4.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2980 1436 WerFault.exe F0geI.exe
1476 3772 WerFault.exe explorer.exe

pid	pid_target	process	target process
2980	1436	WerFault.exe	F0geI.exe
1476	3772	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Alwgckdftdslvwbqpdbjc13t.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exepowershell.exesafert44.exenamdoitntn.exeidentity_helper.exeSETUP_~1.EXEpowershell.exeAlwgckdftdslvwbqpdbjc13t.exeAlwgckdftdslvwbqpdbjc13t.exemsedge.exe

pid	process
1160	msedge.exe
1160	msedge.exe
1168	msedge.exe
1168	msedge.exe
4540	msedge.exe
4540	msedge.exe
3400	msedge.exe
3400	msedge.exe
5280	msedge.exe
5280	msedge.exe
3124	msedge.exe
3124	msedge.exe
400	real.exe
400	real.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
4080	safert44.exe
4080	safert44.exe
3920	namdoitntn.exe
3920	namdoitntn.exe
5740	identity_helper.exe
5740	identity_helper.exe
6016	SETUP_~1.EXE
6016	SETUP_~1.EXE
6016	SETUP_~1.EXE
6016	SETUP_~1.EXE
6016	SETUP_~1.EXE
6016	SETUP_~1.EXE
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
4636	Alwgckdftdslvwbqpdbjc13t.exe
4636	Alwgckdftdslvwbqpdbjc13t.exe
5656	Alwgckdftdslvwbqpdbjc13t.exe
5656	Alwgckdftdslvwbqpdbjc13t.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080
2080

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Alwgckdftdslvwbqpdbjc13t.exe

pid process

5656 Alwgckdftdslvwbqpdbjc13t.exe
2080
2080
2080
2080
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe

pid	process
5656	Alwgckdftdslvwbqpdbjc13t.exe
2080
2080
2080
2080

pid	process
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

SETUP_~1.EXEpowershell.exesafert44.exenamdoitntn.exeAlwgckdftdslvwbqpdbjc13t.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	6016	SETUP_~1.EXE
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4080	safert44.exe
Token: SeDebugPrivilege	3920	namdoitntn.exe
Token: SeDebugPrivilege	4636	Alwgckdftdslvwbqpdbjc13t.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeShutdownPrivilege	2080
Token: SeCreatePagefilePrivilege	2080

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3124 msedge.exe
3124 msedge.exe
3124 msedge.exe

pid	process
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ccbac1663570c8901fcb75111b07497.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4828 wrote to memory of 980	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 980	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 1068	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 1068	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 3124	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 3124	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 364	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 364	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 364 wrote to memory of 1960	364	msedge.exe	msedge.exe
PID 364 wrote to memory of 1960	364	msedge.exe	msedge.exe
PID 3124 wrote to memory of 2432	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 2432	3124	msedge.exe	msedge.exe
PID 1068 wrote to memory of 1480	1068	msedge.exe	msedge.exe
PID 1068 wrote to memory of 1480	1068	msedge.exe	msedge.exe
PID 980 wrote to memory of 1656	980	msedge.exe	msedge.exe
PID 980 wrote to memory of 1656	980	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1864	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 4828 wrote to memory of 1864	4828	8ccbac1663570c8901fcb75111b07497.exe	msedge.exe
PID 1864 wrote to memory of 3296	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 3296	1864	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1436	4828	8ccbac1663570c8901fcb75111b07497.exe	F0geI.exe
PID 4828 wrote to memory of 1436	4828	8ccbac1663570c8901fcb75111b07497.exe	F0geI.exe
PID 4828 wrote to memory of 1436	4828	8ccbac1663570c8901fcb75111b07497.exe	F0geI.exe
PID 4828 wrote to memory of 3536	4828	8ccbac1663570c8901fcb75111b07497.exe	kukurzka9000.exe
PID 4828 wrote to memory of 3536	4828	8ccbac1663570c8901fcb75111b07497.exe	kukurzka9000.exe
PID 4828 wrote to memory of 3536	4828	8ccbac1663570c8901fcb75111b07497.exe	kukurzka9000.exe
PID 4828 wrote to memory of 3920	4828	8ccbac1663570c8901fcb75111b07497.exe	namdoitntn.exe
PID 4828 wrote to memory of 3920	4828	8ccbac1663570c8901fcb75111b07497.exe	namdoitntn.exe
PID 4828 wrote to memory of 3920	4828	8ccbac1663570c8901fcb75111b07497.exe	namdoitntn.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 3108	3124	msedge.exe	msedge.exe
PID 980 wrote to memory of 3152	980	msedge.exe	msedge.exe
PID 980 wrote to memory of 3152	980	msedge.exe	msedge.exe
PID 980 wrote to memory of 3152	980	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\8ccbac1663570c8901fcb75111b07497.exe
"C:\Users\Admin\AppData\Local\Temp\8ccbac1663570c8901fcb75111b07497.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb00bb46f8,0x7ffb00bb4708,0x7ffb00bb4718
3⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14450129398782809885,1321184880914505027,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
3⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14450129398782809885,1321184880914505027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb00bb46f8,0x7ffb00bb4708,0x7ffb00bb4718
3⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3178030930101005833,15133057564159521609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
3⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,3178030930101005833,15133057564159521609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb00bb46f8,0x7ffb00bb4708,0x7ffb00bb4718
3⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
3⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
3⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
3⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
3⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
3⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
3⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
3⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:8
3⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
3⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
3⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 /prefetch:8
3⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6bb465460,0x7ff6bb465470,0x7ff6bb465480
4⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7208 /prefetch:8
3⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6008 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,574515558851403969,4343328331114572471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7300 /prefetch:8
3⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb00bb46f8,0x7ffb00bb4708,0x7ffb00bb4718
3⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,10475302993986266406,2178552919540786109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nXvZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb00bb46f8,0x7ffb00bb4708,0x7ffb00bb4718
3⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16704841558969356984,18377152670019542761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16704841558969356984,18377152670019542761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5280

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 760
3⤵
- Program crash
PID:2980

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:3536

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Program Files (x86)\Company\NewProduct\captain09876.exe
"C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
"C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3284

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:5296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1436 -ip 1436
1⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\EC8E.exe
C:\Users\Admin\AppData\Local\Temp\EC8E.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 872
2⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3772 -ip 3772
1⤵
PID:4224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\captain09876.exe
Filesize
704KB

MD5
ce94ce7de8279ecf9519b12f124543c3

SHA1
be2563e381439ed33869a052391eec1ddd40faa0

SHA256
f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20

SHA512
9697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
764KB

MD5
8044b9ea12d49d849f8b516ac3d8173b

SHA1
68a078e750dad5befd1212a62c903379c1e3525c

SHA256
22850fcde13fdc68136d790dee2f85d48069a029a618ceddfd4c6f90b9845d81

SHA512
44df6449741275a07f7a3eeb718a1cff7ab6004a5b7501f28fe4269f8601b6ad2a3e6a7beeff0b41e3f2bdf24b6906d49e04b150ae75a33f9537665e4f39eb28

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
764KB

MD5
8044b9ea12d49d849f8b516ac3d8173b

SHA1
68a078e750dad5befd1212a62c903379c1e3525c

SHA256
22850fcde13fdc68136d790dee2f85d48069a029a618ceddfd4c6f90b9845d81

SHA512
44df6449741275a07f7a3eeb718a1cff7ab6004a5b7501f28fe4269f8601b6ad2a3e6a7beeff0b41e3f2bdf24b6906d49e04b150ae75a33f9537665e4f39eb28

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
274KB

MD5
2eee4c301ce357df8f235957fcb774b3

SHA1
f9fd1eac58b5f40475269a1e8eb1675227e2389c

SHA256
66cc79df9054fda09648b64a230427d4a574f8349de871e922fbd20432b431f1

SHA512
590589c3f8ee16f12539b943ba04402771372fe7748fb689c03b5681466ec8d3f3778007224e0a7fac1413f188aaee59a754cad2d0194af1130a8ad3191466fc

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
274KB

MD5
2eee4c301ce357df8f235957fcb774b3

SHA1
f9fd1eac58b5f40475269a1e8eb1675227e2389c

SHA256
66cc79df9054fda09648b64a230427d4a574f8349de871e922fbd20432b431f1

SHA512
590589c3f8ee16f12539b943ba04402771372fe7748fb689c03b5681466ec8d3f3778007224e0a7fac1413f188aaee59a754cad2d0194af1130a8ad3191466fc

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
1ba053a6fe8fb69a0d172752a8403ef6

SHA1
7ddc87014708a8c90fdea555e32b86df4e671282

SHA256
104388581d3971502d5207206cc0f65cd345605381620b4fbdeaab7297c126aa

SHA512
3879d520cfff0defb371061c5667d2604ef058987522f731902bc4c7210924a6f6e3940b3ca79c513589360628359aca0c880041c562a30060cb5c071bdf13ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
cc0dc2a112c8090c79aec0d18e5456c6

SHA1
eba09ab8b64c2c848a2a27f1b9ce22f7a0cc4543

SHA256
cac90c44484586eecf6458049531c5550755496fd75eeceda0f27b4e9c221e0e

SHA512
a0e72c07adfaf94d5598f2c266cf28c220524a2f546458285f792bced52b9827be35b9bf3575661ca843abcb732a1ffdef87848b99f3b4457182de1f54469d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e0652753ffba69e75a830c7b31362548

SHA1
2daede2707cf9cdea1926a862ca398384a5c55aa

SHA256
60b78bd274e3250335941adfd6db0a94d39a2fe0891467f7d8af4a5ca38d1ae0

SHA512
38816ecffe0dc699e7ace9c3dc7e4a787741458f2dd2381c8541049f7a6331ea96d047be93a5e0a7fd5a0c5fc30eabf73d44ac5e77441d03d4d070f19f3ea5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
6b761a83b81c79d1fad5ee893824ea4b

SHA1
8a2e1cb68b29d5c2731b0f0807e6b64a005f40eb

SHA256
cad78cb101cfcb7075433a5d66fb0939d54da24a1379cac95db9e305005557c4

SHA512
4ef06df763fb082a677953253aed0ffb7388ce0c608f5cb47b849ce34d39db33b3f311be4252d5459a7a716f7b74d385e529c8cf42f80d11bd2303591e96d45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a9998924c943403ea663503f39e9e123

SHA1
2285428cc66e107e71ed466a9ac327504c60a2d8

SHA256
66ef48d453495f7be711784f490eb64baa5a6bec1041eca23bbf5035f3c13873

SHA512
de007072d5d2461032ef70aa5370e242319db9ef5023b5fbb096cc260b16f5e36bca3c619e16901a6ba22024fdc686049d28d8f7189c981ffe7dfc5355aa5fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
b54ad8c74113593df18159ff7eec9408

SHA1
054295258bdc15dab4ac74076538eb1872cf13bf

SHA256
048ceb8b8bcccf1cdb41ef66d2299109fd26bf6e67c9a6e65afbc4f67cb413bc

SHA512
b71e1af902d3708052ed52a655e2379e4d9ec145556e8435dcd0e0d580f0193ea7f901d0ce49c0575892af45eaccf3d26133f6405ae55a54605eb4c114859072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
6b761a83b81c79d1fad5ee893824ea4b

SHA1
8a2e1cb68b29d5c2731b0f0807e6b64a005f40eb

SHA256
cad78cb101cfcb7075433a5d66fb0939d54da24a1379cac95db9e305005557c4

SHA512
4ef06df763fb082a677953253aed0ffb7388ce0c608f5cb47b849ce34d39db33b3f311be4252d5459a7a716f7b74d385e529c8cf42f80d11bd2303591e96d45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a9998924c943403ea663503f39e9e123

SHA1
2285428cc66e107e71ed466a9ac327504c60a2d8

SHA256
66ef48d453495f7be711784f490eb64baa5a6bec1041eca23bbf5035f3c13873

SHA512
de007072d5d2461032ef70aa5370e242319db9ef5023b5fbb096cc260b16f5e36bca3c619e16901a6ba22024fdc686049d28d8f7189c981ffe7dfc5355aa5fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2ad0715edcaf7e8f6b803f5fe9ac1c82

SHA1
33511f916b36a021e530377368c8601481f54b72

SHA256
dc7a4d5aa049426de302112311e62fc9a44c4998f6bbb2911c8f3c05efdd6c58

SHA512
18c7b0fcbf05fe5ae9be53cc1e2f4590ddc4870faa8a11f9ac1988794d682ba6341fee7189a41fa7964418c1ea625bf43e76cfbc0d56ebae64e25e3f6586cc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
d4b8c110321c3fba41431c30e457b666

SHA1
7529909b87d1b90a2258d57d86012944f43732cf

SHA256
3a9fbb8902026cc7614524d1dfaa62c53ae9d29dc1ebdf76c3f65b76261fff10

SHA512
03de1d76f258eed7abd10e8bb00a801b30e6726249839a7457efd29f97cbc20a321b415c930a9b2b9ddd0d13cbdfe2043a6be95c3a8477a72e3d7a91d6eb4664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
10000a94b598e46b00d706cd4b7b009b

SHA1
817ab17678603b364f4d42c778c8945060ffd571

SHA256
9c0109c887fcb7463d285f198686a83ea5ffb6748979e3211bebb5166cd95ca0

SHA512
c07d6eb08a78a8ff7ffbf8ed9d237fe7e726c06bc35a4c99e69bd1102e817f26975a8b64019624ce467c3d8674c38057d82a737b39ff2e77c0bbe24836d12d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
ce25658ac9291c713590b834d96406bb

SHA1
5a45881222b0e35968427eaf3185c9534ad54943

SHA256
0dfa582e65cf4e9ea1fd9575518fff57b71b3f0f850df643319c611d39a8c2c2

SHA512
8f7bee11566fa8978a0e1716b51ba4e7735e98fc715a9eed0fb3b6e156abfa46f378035935b5ed8967f98bcb3ef83599208a00225bbf0cb2655306846e3d354c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
ce25658ac9291c713590b834d96406bb

SHA1
5a45881222b0e35968427eaf3185c9534ad54943

SHA256
0dfa582e65cf4e9ea1fd9575518fff57b71b3f0f850df643319c611d39a8c2c2

SHA512
8f7bee11566fa8978a0e1716b51ba4e7735e98fc715a9eed0fb3b6e156abfa46f378035935b5ed8967f98bcb3ef83599208a00225bbf0cb2655306846e3d354c

Download Submit
\??\pipe\LOCAL\crashpad_1068_UZZLQWQWHLRULXHJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1864_QOQZJBXZVKHONGWI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3124_JHYEXHKMEHRTVHFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_364_MOFBCHIFVHDKAUTL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_980_TQNQFPSLYSKGMTKA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/364-135-0x0000000000000000-mapping.dmp

Download
memory/400-171-0x0000000000000000-mapping.dmp

Download
memory/400-235-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/740-285-0x0000000000000000-mapping.dmp

Download
memory/848-315-0x00007FFAFD360000-0x00007FFAFDE21000-memory.dmp

Filesize
10.8MB

Download
memory/848-311-0x0000000000000000-mapping.dmp

Download
memory/868-259-0x0000000000000000-mapping.dmp

Download
memory/980-132-0x0000000000000000-mapping.dmp

Download
memory/1068-133-0x0000000000000000-mapping.dmp

Download
memory/1160-166-0x0000000000000000-mapping.dmp

Download
memory/1168-165-0x0000000000000000-mapping.dmp

Download
memory/1376-306-0x0000000000000000-mapping.dmp

Download
memory/1376-309-0x00007FFAFD360000-0x00007FFAFDE21000-memory.dmp

Filesize
10.8MB

Download
memory/1376-308-0x00000163321A0000-0x00000163321C2000-memory.dmp

Filesize
136KB

Download
memory/1376-307-0x0000016331B60000-0x0000016331C78000-memory.dmp

Filesize
1.1MB

Download
memory/1436-184-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/1436-283-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1436-181-0x000000000081C000-0x000000000082D000-memory.dmp

Filesize
68KB

Download
memory/1436-265-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1436-264-0x000000000081C000-0x000000000082D000-memory.dmp

Filesize
68KB

Download
memory/1436-185-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1436-150-0x0000000000000000-mapping.dmp

Download
memory/1480-138-0x0000000000000000-mapping.dmp

Download
memory/1656-139-0x0000000000000000-mapping.dmp

Download
memory/1864-140-0x0000000000000000-mapping.dmp

Download
memory/1948-314-0x0000000000000000-mapping.dmp

Download
memory/1948-316-0x00000000010E0000-0x00000000010EC000-memory.dmp

Filesize
48KB

Download
memory/1960-136-0x0000000000000000-mapping.dmp

Download
memory/2092-275-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/2092-273-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/2092-280-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/2092-272-0x0000000000000000-mapping.dmp

Download
memory/2092-279-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/2092-274-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/2092-281-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/2432-137-0x0000000000000000-mapping.dmp

Download
memory/3100-289-0x0000000000000000-mapping.dmp

Download
memory/3108-163-0x0000000000000000-mapping.dmp

Download
memory/3124-134-0x0000000000000000-mapping.dmp

Download
memory/3152-164-0x0000000000000000-mapping.dmp

Download
memory/3284-298-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3284-294-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3284-293-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3284-291-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3284-290-0x0000000000000000-mapping.dmp

Download
memory/3296-144-0x0000000000000000-mapping.dmp

Download
memory/3400-191-0x0000000000000000-mapping.dmp

Download
memory/3460-187-0x0000000000000000-mapping.dmp

Download
memory/3536-225-0x0000000003D50000-0x0000000003D62000-memory.dmp

Filesize
72KB

Download
memory/3536-154-0x0000000000000000-mapping.dmp

Download
memory/3536-227-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3580-263-0x0000000000000000-mapping.dmp

Download
memory/3772-312-0x0000000000880000-0x00000000008F4000-memory.dmp

Filesize
464KB

Download
memory/3772-310-0x0000000000000000-mapping.dmp

Download
memory/3772-313-0x0000000000810000-0x000000000087B000-memory.dmp

Filesize
428KB

Download
memory/3920-178-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/3920-270-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

Filesize
120KB

Download
memory/3920-271-0x0000000007A90000-0x0000000007AF6000-memory.dmp

Filesize
408KB

Download
memory/3920-158-0x0000000000000000-mapping.dmp

Download
memory/3920-213-0x00000000075B0000-0x00000000075EC000-memory.dmp

Filesize
240KB

Download
memory/4000-297-0x0000000000000000-mapping.dmp

Download
memory/4080-277-0x00000000083E0000-0x000000000890C000-memory.dmp

Filesize
5.2MB

Download
memory/4080-268-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/4080-183-0x0000000000000000-mapping.dmp

Download
memory/4080-276-0x0000000006990000-0x0000000006B52000-memory.dmp

Filesize
1.8MB

Download
memory/4080-190-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/4080-269-0x0000000005180000-0x00000000051F6000-memory.dmp

Filesize
472KB

Download
memory/4080-282-0x0000000007960000-0x00000000079B0000-memory.dmp

Filesize
320KB

Download
memory/4080-212-0x0000000004D40000-0x0000000004E4A000-memory.dmp

Filesize
1.0MB

Download
memory/4080-211-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4080-209-0x0000000005250000-0x0000000005868000-memory.dmp

Filesize
6.1MB

Download
memory/4080-267-0x0000000006210000-0x00000000067B4000-memory.dmp

Filesize
5.6MB

Download
memory/4216-182-0x0000000000000000-mapping.dmp

Download
memory/4284-170-0x0000000000000000-mapping.dmp

Download
memory/4336-284-0x0000000000000000-mapping.dmp

Download
memory/4540-174-0x0000000000000000-mapping.dmp

Download
memory/4636-288-0x0000000000F40000-0x0000000000F90000-memory.dmp

Filesize
320KB

Download
memory/4636-287-0x0000000000000000-mapping.dmp

Download
memory/5140-196-0x0000000000000000-mapping.dmp

Download
memory/5176-295-0x0000000000000000-mapping.dmp

Download
memory/5208-200-0x0000000000000000-mapping.dmp

Download
memory/5240-261-0x0000000000000000-mapping.dmp

Download
memory/5280-197-0x0000000000000000-mapping.dmp

Download
memory/5296-198-0x0000000000000000-mapping.dmp

Download
memory/5384-205-0x0000000000000000-mapping.dmp

Download
memory/5656-303-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5656-301-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5656-299-0x0000000000000000-mapping.dmp

Download
memory/5656-300-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5740-286-0x0000000000000000-mapping.dmp

Download
memory/5784-210-0x0000000000000000-mapping.dmp

Download
memory/5824-302-0x0000000000000000-mapping.dmp

Download
memory/5896-216-0x0000000000000000-mapping.dmp

Download
memory/5916-305-0x0000000000000000-mapping.dmp

Download
memory/6016-254-0x0000000000000000-mapping.dmp

Download
memory/6016-266-0x0000000006330000-0x0000000006352000-memory.dmp

Filesize
136KB

Download
memory/6016-258-0x0000000000C30000-0x0000000000C80000-memory.dmp

Filesize
320KB

Download
memory/6040-221-0x0000000000000000-mapping.dmp

Download
memory/6108-223-0x0000000000000000-mapping.dmp

Download