Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 18:03

General

  • Target

    6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe

  • Size

    2.6MB

  • MD5

    e0118ad4299455683d5d0708772742ef

  • SHA1

    c80a27155317c3d08308cf8a55e4790f429bb2dd

  • SHA256

    6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115

  • SHA512

    c6e9de83cbc63505359fb745f5417977df30445ab87d848081d526c8afe1ecb1ffa075bb80370862cd7d57b50c5dc23e68aac784f8e845a9d7195e6eb1ed99ec

  • SSDEEP

    49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS

Malware Config

Extracted

Family

vidar

Version

53.8

Botnet

1571

C2

https://t.me/spmhaus

https://c.im/@tiagoa33

Attributes
  • profile_id

    1571

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes
  • auth_value

    d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes
  • auth_value

    0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

Molecule JK

C2

insttaller.com:40915

Attributes
  • auth_value

    abb046f9600c78fd9272c2e96c3cfe48

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://193.56.146.177

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

C2

http://45.95.11.158/

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

f23fda14afd5f9052a211b216bdaaf79

C2

http://77.232.39.101

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 8 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
    "C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AEmX4
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
        3⤵
          PID:4760
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
          3⤵
            PID:2452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:984
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
            3⤵
              PID:4824
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
              3⤵
                PID:4072
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                3⤵
                  PID:3496
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
                  3⤵
                    PID:4068
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
                    3⤵
                      PID:5244
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
                      3⤵
                        PID:5388
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
                        3⤵
                          PID:5692
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
                          3⤵
                            PID:5876
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                            3⤵
                              PID:5980
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                              3⤵
                                PID:6076
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                                3⤵
                                  PID:4604
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
                                  3⤵
                                    PID:6756
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
                                    3⤵
                                      PID:6764
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
                                      3⤵
                                        PID:7108
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
                                        3⤵
                                          PID:7116
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
                                          3⤵
                                            PID:5332
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
                                            3⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:6416
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:2
                                            3⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:6804
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ARmX4
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2268
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                            3⤵
                                              PID:2136
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
                                              3⤵
                                                PID:5028
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
                                                3⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2084
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AAmX4
                                              2⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:1128
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                3⤵
                                                  PID:1112
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12857327135548108962,10946386260547312420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
                                                  3⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:912
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AFmX4
                                                2⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:4792
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                  3⤵
                                                    PID:1972
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13804647263910924688,265436008021893973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
                                                    3⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:5348
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AGmX4
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3440
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                    3⤵
                                                      PID:4988
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7889946825374594600,12289223455966820718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:3
                                                      3⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5660
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AJmX4
                                                    2⤵
                                                      PID:4388
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                        3⤵
                                                          PID:4796
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AKmX4
                                                        2⤵
                                                          PID:2036
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                            3⤵
                                                              PID:2016
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AZmX4
                                                            2⤵
                                                              PID:5744
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                                3⤵
                                                                  PID:5860
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AVmX4
                                                                2⤵
                                                                  PID:6068
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
                                                                    3⤵
                                                                      PID:6120
                                                                  • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5276
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1032
                                                                      3⤵
                                                                      • Program crash
                                                                      PID:2960
                                                                  • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5592
                                                                  • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5440
                                                                  • C:\Program Files (x86)\Company\NewProduct\real.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\real.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4460
                                                                  • C:\Program Files (x86)\Company\NewProduct\safert44.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:6100
                                                                  • C:\Program Files (x86)\Company\NewProduct\jshainx.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:6208
                                                                  • C:\Program Files (x86)\Company\NewProduct\brokerius.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\brokerius.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:6244
                                                                  • C:\Program Files (x86)\Company\NewProduct\captain09876.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    PID:6316
                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
                                                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:6996
                                                                  • C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
                                                                    2⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:6388
                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                      "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:6908
                                                                    • C:\Users\Admin\TypeRes\DllResource.exe
                                                                      "C:\Users\Admin\TypeRes\DllResource.exe"
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:7096
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      PID:2088
                                                                      • C:\Windows\SysWOW64\chcp.com
                                                                        chcp 65001
                                                                        4⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5568
                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                        ping 127.0.0.1
                                                                        4⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        • Runs ping.exe
                                                                        PID:6884
                                                                  • C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:6432
                                                                  • C:\Program Files (x86)\Company\NewProduct\WW1.exe
                                                                    "C:\Program Files (x86)\Company\NewProduct\WW1.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:6572
                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                  1⤵
                                                                    PID:4520
                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                    1⤵
                                                                      PID:5300
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5276 -ip 5276
                                                                      1⤵
                                                                        PID:4880

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • C:\Program Files (x86)\Company\NewProduct\F0geI.exe

                                                                        Filesize

                                                                        339KB

                                                                        MD5

                                                                        501e0f6fa90340e3d7ff26f276cd582e

                                                                        SHA1

                                                                        1bce4a6153f71719e786f8f612fbfcd23d3e130a

                                                                        SHA256

                                                                        f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

                                                                        SHA512

                                                                        dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

                                                                      • C:\Program Files (x86)\Company\NewProduct\WW1.exe

                                                                        Filesize

                                                                        283KB

                                                                        MD5

                                                                        86c2f03bbb61bdcaf1ae4bfb22cc2d31

                                                                        SHA1

                                                                        bd4d43346fda88073a2832aa68a832da7fba92d2

                                                                        SHA256

                                                                        68e686f07eab2a6d3da3e045e5a27614b6225aecd5e373d3e788281207f7ee3c

                                                                        SHA512

                                                                        4d9f01819d8d8536a0b0e17da8742cc2d01240a899e00f5338db8fc0a37536a16c4f1a112475c5f6a017db534144819ce8d6a22f1c346d38363854208c6a01d1

                                                                      • C:\Program Files (x86)\Company\NewProduct\brokerius.exe

                                                                        Filesize

                                                                        283KB

                                                                        MD5

                                                                        f5d13e361f8b9aca7103cb46b441034b

                                                                        SHA1

                                                                        090dcc68f4ce59d1c5b8b7424508c4033ee418dd

                                                                        SHA256

                                                                        a5ad514ed54f1f8f0a8e054b0dc3a39d13d70e388711ddb9d44095a5a89317bf

                                                                        SHA512

                                                                        db8f615405c3dcbb2e525903a572e13565f184bc8c1a2674138a84774dd06041a9899006b8599a25f06ce4fba92c12d102772e74be62ac6d02b5bc0ac4ee124a

                                                                      • C:\Program Files (x86)\Company\NewProduct\captain09876.exe

                                                                        Filesize

                                                                        704KB

                                                                        MD5

                                                                        ce94ce7de8279ecf9519b12f124543c3

                                                                        SHA1

                                                                        be2563e381439ed33869a052391eec1ddd40faa0

                                                                        SHA256

                                                                        f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20

                                                                        SHA512

                                                                        9697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7

                                                                      • C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe

                                                                        Filesize

                                                                        107KB

                                                                        MD5

                                                                        3243054d3acd513abcc72ee1d1b65c97

                                                                        SHA1

                                                                        d23afd7ef0f4cc3cf5a492b7d46b557c7bc11cb3

                                                                        SHA256

                                                                        5bc24a5dea878774ce9c928a13f007e6ac604474349f33ce4f946aa4b7189ccc

                                                                        SHA512

                                                                        931c3735474a70ebdfc3b849448532b782062c1228079ca9a9367cd6e4d5cf181ae794427becc85d7921703d0288d6639682a858f3a43338b679258d7d29e6e3

                                                                      • C:\Program Files (x86)\Company\NewProduct\jshainx.exe

                                                                        Filesize

                                                                        107KB

                                                                        MD5

                                                                        2647a5be31a41a39bf2497125018dbce

                                                                        SHA1

                                                                        a1ac856b9d6556f5bb3370f0342914eb7cbb8840

                                                                        SHA256

                                                                        84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

                                                                        SHA512

                                                                        68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

                                                                      • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

                                                                        Filesize

                                                                        757KB

                                                                        MD5

                                                                        3ec059bd19d6655ba83ae1e644b80510

                                                                        SHA1

                                                                        61fa49d4473e91509b32a3b675a236b1eab74d08

                                                                        SHA256

                                                                        7dc81dc72cb4f89ad022bb15419e1b6170cf77942b8ec29839924b7b4fe7896c

                                                                        SHA512

                                                                        5324c3a902b96d5782e01dd0bfb177055a6908112c60c85af49c7e863b62f0947d6e18d5ac370652008c5983b0c8bd762ab4444822d0ad547a88883970adabe9

                                                                      • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

                                                                        Filesize

                                                                        107KB

                                                                        MD5

                                                                        bbd8ea73b7626e0ca5b91d355df39b7f

                                                                        SHA1

                                                                        66e298653beb7f652eb44922010910ced6242879

                                                                        SHA256

                                                                        1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

                                                                        SHA512

                                                                        625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

                                                                      • C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe

                                                                        Filesize

                                                                        1.7MB

                                                                        MD5

                                                                        63fd052610279f9eb9f1fee8e262f2a4

                                                                        SHA1

                                                                        aac344ed6f54c367be51effbf6e84128ee8c6992

                                                                        SHA256

                                                                        955c265a378008efee8f0d19c2880d1026f32f7cd6325e0ab1a24c833905bbba

                                                                        SHA512

                                                                        234bc89538336452938fbe1e6774f5f7ca47c735f871ac3ba54a3ea6b68c48970fc53239ea72d5ca176f3acc00932e479020c38cad66a0f70a3acda5b5aff9b9

                                                                      • C:\Program Files (x86)\Company\NewProduct\real.exe

                                                                        Filesize

                                                                        275KB

                                                                        MD5

                                                                        a2414bb5522d3844b6c9a84537d7ce43

                                                                        SHA1

                                                                        56c91fc4fe09ce07320c03f186f3d5d293a6089d

                                                                        SHA256

                                                                        31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

                                                                        SHA512

                                                                        408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

                                                                      • C:\Program Files (x86)\Company\NewProduct\safert44.exe

                                                                        Filesize

                                                                        246KB

                                                                        MD5

                                                                        414ffd7094c0f50662ffa508ca43b7d0

                                                                        SHA1

                                                                        6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

                                                                        SHA256

                                                                        d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

                                                                        SHA512

                                                                        c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        c2d9eeb3fdd75834f0ac3f9767de8d6f

                                                                        SHA1

                                                                        4d16a7e82190f8490a00008bd53d85fb92e379b0

                                                                        SHA256

                                                                        1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

                                                                        SHA512

                                                                        d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        e55832d7cd7e868a2c087c4c73678018

                                                                        SHA1

                                                                        ed7a2f6d6437e907218ffba9128802eaf414a0eb

                                                                        SHA256

                                                                        a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

                                                                        SHA512

                                                                        897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                        Filesize

                                                                        180B

                                                                        MD5

                                                                        4bc8a3540a546cfe044e0ed1a0a22a95

                                                                        SHA1

                                                                        5387f78f1816dee5393bfca1fffe49cede5f59c1

                                                                        SHA256

                                                                        f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

                                                                        SHA512

                                                                        e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        c0659c608cee2326ee1d194143e4d044

                                                                        SHA1

                                                                        2de1b80864a619493a0c2f99276ec2a6d957a532

                                                                        SHA256

                                                                        777d3f040d5e4fe65f602cad6ef36ac58dccedba95c27503fe95869340a7d66f

                                                                        SHA512

                                                                        afa751f8940fb6f4209bea2abe789efd464e1e350ebc05621aaa1aa064e88bb6ee7cab982e6f23452fe21e00cb577e9a5fd4bceb69a42b619e17c4f1c2f7b56c

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        09f0084938d83944ec6ca15cff5cf79f

                                                                        SHA1

                                                                        664d2f9501456d94265d46ede9c22dbabbbe287a

                                                                        SHA256

                                                                        fced5c084f6f6e5c659a647995afb98a7a418929c8a84af2c63fcfa8c00b6966

                                                                        SHA512

                                                                        71d5c5f60b564f650c243d4fff4bbd6f92b6768c6af7af3b96506d702d59d568d6e36f787ce348233c8ff151d1c64e2b1955fa13097eac3a994532e123811ac8

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                        SHA1

                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                        SHA256

                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                        SHA512

                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        627a928d2ec7c1b26a88741a39a5045f

                                                                        SHA1

                                                                        bb3660be562b28aab6105701d11fb6b1d9fc2696

                                                                        SHA256

                                                                        a8a4e3352f0fb63baa084bdd99744a134980a5b997d0be5ad8840d41a42b9f46

                                                                        SHA512

                                                                        be1eb74e7ef1f456c676eb0ccdf02c7a6ef5f45a3f20a44a32540f104f557808ad0d0655e57024f1948537022ace8e84b92d9460fce6d0f00383a43e68e2b725

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        c820e243b869357f4e6b9181b02d5b44

                                                                        SHA1

                                                                        0af769193689daff6f9aee5ac0fd6b819a292c8d

                                                                        SHA256

                                                                        0befb7fc03d32e795bd0a115ff812c54e3292d4df984cdf5dcf2fdc088cd417f

                                                                        SHA512

                                                                        50f6ae8dd7fd77877bee93497f965f92f6924281596234b5511829c5850a171c0759eb7285e113fd0198b5917510ea78a5285c31026997c4dab667a08704f0a6

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        5ff0072a56024957809da8010d556aeb

                                                                        SHA1

                                                                        01936f5769a0b929bc6056a5d95cd6740ba1ff26

                                                                        SHA256

                                                                        58aa5fe1cd74408306dc02843b6cf3de6e3026b570225f08af1c61ed799612cf

                                                                        SHA512

                                                                        80f6a27e34c958138375340ab1dafa63f7bb2c029343940bcc8922082f31dfd2c4066e6abb4cae22c6d5b7cc1b507d4ea95703837567da7e278f0fcb17fd4abe

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        780f3041cc7613d6f850c42185e7be2c

                                                                        SHA1

                                                                        4417749a9091bd7ae55180429ec5280ae9c31886

                                                                        SHA256

                                                                        55c830d0d7c4d6ba7738de048afa42e2a383a62d97ed6a7375d3a9f39ce47450

                                                                        SHA512

                                                                        4d10ed53641b9bef311c45e14931337ed1125d05e115e08b5f31eb6951835d04c29ad95d6227d058cef54d5c99fecb165b5ac6d95deac138d96ad15c653bbb05

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        aeaee4d2f631be0971ad03e524b80361

                                                                        SHA1

                                                                        b2a33174aa2ebf0774c9a2d25bd5982f687e35bf

                                                                        SHA256

                                                                        aa1f8c061a3767ec7a2a5205262da8d37a07b5fe327159f6b7656bd7b50f30f4

                                                                        SHA512

                                                                        c0a718a0ceb0519999ce488ac9e5ee77347c1721416db8ac6e4032b0fd9cc8703e77dc177495871fee85589203bbced024cf3662f1e2c1b4d967e0fe357427d3

                                                                      • memory/1928-276-0x0000000000400000-0x0000000000433000-memory.dmp

                                                                        Filesize

                                                                        204KB

                                                                      • memory/5276-340-0x0000000000400000-0x000000000046E000-memory.dmp

                                                                        Filesize

                                                                        440KB

                                                                      • memory/5440-280-0x00000000053D0000-0x000000000541C000-memory.dmp

                                                                        Filesize

                                                                        304KB

                                                                      • memory/5440-216-0x0000000000010000-0x0000000000030000-memory.dmp

                                                                        Filesize

                                                                        128KB

                                                                      • memory/5440-277-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

                                                                        Filesize

                                                                        240KB

                                                                      • memory/5592-286-0x0000000000400000-0x00000000004C5000-memory.dmp

                                                                        Filesize

                                                                        788KB

                                                                      • memory/6100-219-0x0000000000580000-0x00000000005C4000-memory.dmp

                                                                        Filesize

                                                                        272KB

                                                                      • memory/6100-249-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

                                                                        Filesize

                                                                        24KB

                                                                      • memory/6208-273-0x0000000004E80000-0x0000000004F8A000-memory.dmp

                                                                        Filesize

                                                                        1.0MB

                                                                      • memory/6208-266-0x00000000052C0000-0x00000000058D8000-memory.dmp

                                                                        Filesize

                                                                        6.1MB

                                                                      • memory/6208-267-0x0000000004D50000-0x0000000004D62000-memory.dmp

                                                                        Filesize

                                                                        72KB

                                                                      • memory/6208-227-0x00000000004C0000-0x00000000004E0000-memory.dmp

                                                                        Filesize

                                                                        128KB

                                                                      • memory/6432-274-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

                                                                        Filesize

                                                                        128KB

                                                                      • memory/6996-307-0x0000000000FE0000-0x0000000001030000-memory.dmp

                                                                        Filesize

                                                                        320KB

                                                                      • memory/7096-426-0x000000000EA00000-0x000000000EB0C000-memory.dmp

                                                                        Filesize

                                                                        1.0MB

                                                                      • memory/7096-427-0x000000000E9B0000-0x000000000E9C2000-memory.dmp

                                                                        Filesize

                                                                        72KB