raccoon | 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
Size

916KB
MD5

c980f514625b05414eb98e9430c5989b
SHA1

ab83c9ff1a8216bf3f4bbec203740b43a9be5658
SHA256

36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
SHA512

b39863ac1fd9c0da7bcac00952ca006bdcc4c17b05118698a57910f7f39438812d5264a3e74e2cd8570540531dd220d63c9a5ca9aeb394e052809891dd6c9da5
SSDEEP

24576:pAT8QE+kLVNpJc7Ycw4Th7k16ThM5dJ5OS6tT7oA5i69t:pAI+UNpJc7Yc7dXUxOSAXo07

Score

10^/10

raccoon redline vidar 1521 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer stealer

Malware Config

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

vidar

Version

53.8

Botnet

1521

http://62.204.41.126:80

Attributes

profile_id
1521

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cd0-61.dat	family_redline
behavioral2/files/0x0007000000023cd2-80.dat	family_redline
behavioral2/files/0x0007000000023cd3-120.dat	family_redline
behavioral2/memory/2040-127-0x0000000000780000-0x00000000007A0000-memory.dmp	family_redline
behavioral2/memory/2444-126-0x0000000000E70000-0x0000000000EB4000-memory.dmp	family_redline
behavioral2/memory/2416-109-0x0000000000C40000-0x0000000000C60000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe

Executes dropped EXE 7 IoCs

pid	Process
5028	F0geI.exe
3748	kukurzka9000.exe
2416	namdoitntn.exe
4076	real.exe
2444	safert44.exe
2040	jshainx.exe
1608	WW1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	iplogger.org
14	iplogger.org

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4456	5028	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WW1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jshainx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0geI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukurzka9000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namdoitntn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safert44.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
4504	msedge.exe
4504	msedge.exe
3020	msedge.exe
3020	msedge.exe
4116	msedge.exe
4116	msedge.exe
5456	msedge.exe
5456	msedge.exe
4336	identity_helper.exe
4336	identity_helper.exe
5548	msedge.exe
5548	msedge.exe
5548	msedge.exe
5548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4504	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	87
PID 4072 wrote to memory of 4504	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	87
PID 4504 wrote to memory of 976	4504	msedge.exe	88
PID 4504 wrote to memory of 976	4504	msedge.exe	88
PID 4072 wrote to memory of 1676	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	89
PID 4072 wrote to memory of 1676	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	89
PID 1676 wrote to memory of 116	1676	msedge.exe	90
PID 1676 wrote to memory of 116	1676	msedge.exe	90
PID 4072 wrote to memory of 1788	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	91
PID 4072 wrote to memory of 1788	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	91
PID 1788 wrote to memory of 1144	1788	msedge.exe	92
PID 1788 wrote to memory of 1144	1788	msedge.exe	92
PID 4072 wrote to memory of 3404	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	93
PID 4072 wrote to memory of 3404	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	93
PID 3404 wrote to memory of 368	3404	msedge.exe	94
PID 3404 wrote to memory of 368	3404	msedge.exe	94
PID 4072 wrote to memory of 2812	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	95
PID 4072 wrote to memory of 2812	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	95
PID 2812 wrote to memory of 1856	2812	msedge.exe	96
PID 2812 wrote to memory of 1856	2812	msedge.exe	96
PID 4072 wrote to memory of 5028	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	97
PID 4072 wrote to memory of 5028	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	97
PID 4072 wrote to memory of 5028	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	97
PID 4072 wrote to memory of 3748	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	98
PID 4072 wrote to memory of 3748	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	98
PID 4072 wrote to memory of 3748	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	98
PID 4072 wrote to memory of 2416	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	99
PID 4072 wrote to memory of 2416	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	99
PID 4072 wrote to memory of 2416	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	99
PID 4072 wrote to memory of 4076	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	100
PID 4072 wrote to memory of 4076	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	100
PID 4072 wrote to memory of 4076	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	100
PID 4072 wrote to memory of 2444	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	101
PID 4072 wrote to memory of 2444	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	101
PID 4072 wrote to memory of 2444	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	101
PID 4072 wrote to memory of 2040	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	102
PID 4072 wrote to memory of 2040	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	102
PID 4072 wrote to memory of 2040	4072	36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe	102
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103
PID 4504 wrote to memory of 4996	4504	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
"C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
    3⤵
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
    3⤵
    PID:5512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    3⤵
    PID:6016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
    3⤵
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9468344723019365520,15275979912446879624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
    3⤵
    PID:368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16572939092700625471,12447531107561639958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nN6Z4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
    3⤵
    PID:1856
- C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1052
    3⤵
    - Program crash
    PID:4456
- C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3748
- C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Program Files (x86)\Company\NewProduct\real.exe
  "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Program Files (x86)\Company\NewProduct\safert44.exe
  "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Program Files (x86)\Company\NewProduct\jshainx.exe
  "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Program Files (x86)\Company\NewProduct\WW1.exe
  "C:\Program Files (x86)\Company\NewProduct\WW1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5028 -ip 5028
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe

Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe

Filesize
274KB

MD5
a62d25b9a70fe5e4be932036814e6832

SHA1
e1571597ff7648d6c7e8eb013d04d00b129343c7

SHA256
904b8d3d5fe952b833e0815e1b90ac21f86ff16749be122e7632824348d29f62

SHA512
0a6a97b2cd9a60393eef4006d78b676cf199244ef4369321b6d0de145b3e067393dde68ec5550215cd77f5ae0553ffaacf24f862fddefbc87f78ca86c82235e6

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe

Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

Filesize
669KB

MD5
b5942a0be0b72e121dadb762044f38cc

SHA1
885909607a9747c11eac6cc47b775ad947980c5e

SHA256
c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1

SHA512
d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe

Filesize
274KB

MD5
6f6b64ee71021439e50f32cfea2c19a9

SHA1
a7d0b57904e9572ff9994f656c50daf55068cd75

SHA256
3bd07a00c9e492bdd65b36dbe6fd91c30bfa2c8ced7e627f35011e5356c7e1d2

SHA512
0ab19e6bcedd6eef3347133208fcb275ffbf534176fe09f6c5d9e715ef3db4704abb0491d974be8858eda129e3706982999626a649780666a1a24972c6084ae0

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe

Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebc2ad9b363246f657597a910db90ea1

SHA1
3141685f1b8a71ccb6f31bb03bddf02dc96e934a

SHA256
bd84e714dda99a6dd15843a6fc9058c5c9e46224699172e6c825633a8106e085

SHA512
d30cae8c636f88af3bcffb6bfa6d488a301a108177cea5a917e0c01dc530aaac05d6b601832fb861af8caca550edeb951d262a13cda5b440a74fae23bb57d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6723b587e9aa1e8cf436de063cf1313

SHA1
c16969503ceddf7936a31804acfaef9ae43660df

SHA256
b5f445201271ab289306011c6e691088b743053bf3e9eb8edc1fced86aba20d9

SHA512
c49a5ae019564d22f1d1f0b735657be610dc0ee1ee0369700e0df87126aae85a1835bffca92c5c301e9db075672f3e7c18f0239206f5f70327bd13a1572772d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bbec8b8e7f07e0f154eaaca6ec06d185

SHA1
32bb658fa3a1bfdd2b93414757ed3658e9114ef2

SHA256
30fd4591aa5600a66a2703102f6524b5a795dd0383367081067b730d28104ec9

SHA512
118151a5fd6cbb9622eaed43b7d62320624d5368b18cf24d48eb6eade0a8bb67a74574300feaa160e6a7b5cdd0f3d2ae52b67f8b97053a6ea2e2bb9f2feb0a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8a30d2eaa3946ecd30816899e9dfe76d

SHA1
88b5600301430c00643705d484db805e0d69106f

SHA256
1470a1b431e15ebdeba1c8553526c69c4feb02f314d03236eb3a3d860f9afdba

SHA512
d5eff5ca49e909d6545115de1a989ac851fb3f806984d1f24b631fea07d176365b10fdfadf1ef249a998b58fe3cb9c245887cfd0781ef8c9061d0dacf99761e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
19fa2c7b730740819bce3e8bed55d30e

SHA1
9364a6a0fb470c7debbfb4af3fa9fffe5d4093fc

SHA256
4acaa77ac43f333c28bcaba3201763a262cf5d51a260b7a781823bf532f340f8

SHA512
57ad96d5ecb1daf828b6dd3006182be2c4133e88ed2cc2320a9010212512e0fb17e1ea053397dd584e259ecb878cf045ade8d301142d2ab736f4634e05091515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81a4355e6e8b6958f17b5d08b227f20d

SHA1
4c25e310760c1011cc05f868068613fdc76abcf8

SHA256
a67958ad3af018e130e79ff00c9f2bb7d9fd6ca606207e4dd519b2b874aa44a1

SHA512
40b675c503bb2826a2bb5ac9475573b44959115700d3a5dca6253cb1b39258e59deedcada61aef1a67bf4c479bfaa159ec6977c43e19f97e4f7a7a927c2e29ad

Download Submit
memory/2040-127-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/2040-138-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/2040-134-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/2040-135-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download
memory/2040-137-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/2040-133-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/2416-109-0x0000000000C40000-0x0000000000C60000-memory.dmp

Filesize
128KB

Download
memory/2444-136-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/2444-126-0x0000000000E70000-0x0000000000EB4000-memory.dmp

Filesize
272KB

Download
memory/3748-199-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4072-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-240-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download