raccoon | 6228a057bf70d95e0f6cd3a5639d02e4155c84f7da9fd29bf879e3473d37d86d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
Size

902KB
MD5

e6ae2071837c90e79a7f4c6e8e778f0f
SHA1

b340afd00d6feb4da15b9b10446417e51d3f7082
SHA256

ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396
SHA512

6e1662cc172d0001fb2de054eaff5dc8c9ba041cbec00a42d8311c92958e1b4690454262106ac26d0eed85863e2142dc5d4161a98c7cbabbcb6b083e7d02b59c
SSDEEP

24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E7zS:pAI+/NpJc7Y60EGhjSmE3sW02E7zS

Score

10^/10

raccoon redline 4 5076357887 76426c3f362f5a47a469f0e9d8bc3eef @tag12312341 afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Raccoon family
raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9b-120.dat	family_redline
behavioral2/memory/5280-156-0x0000000000580000-0x00000000005A0000-memory.dmp	family_redline
behavioral2/files/0x0007000000023c9f-168.dat	family_redline
behavioral2/memory/6060-198-0x0000000000660000-0x0000000000680000-memory.dmp	family_redline
behavioral2/files/0x0007000000023ca0-196.dat	family_redline
behavioral2/memory/5876-186-0x0000000000890000-0x00000000008D4000-memory.dmp	family_redline
behavioral2/files/0x0007000000023c9e-180.dat	family_redline
behavioral2/memory/5968-195-0x0000000000D30000-0x0000000000D50000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

Executes dropped EXE 9 IoCs

pid	Process
5096	F0geI.exe
5280	namdoitntn.exe
5212	kukurzka9000.exe
5668	nuplat.exe
5828	real.exe
5876	safert44.exe
5968	tag.exe
6060	jshainx.exe
5272	me.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	iplogger.org
11	iplogger.org

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1904	5096	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namdoitntn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jshainx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0geI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukurzka9000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuplat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safert44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	me.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
3936	msedge.exe
3936	msedge.exe
4852	msedge.exe
4852	msedge.exe
1820	msedge.exe
1820	msedge.exe
5536	msedge.exe
5536	msedge.exe
5136	identity_helper.exe
5136	identity_helper.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3936	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	86
PID 4024 wrote to memory of 3936	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	86
PID 3936 wrote to memory of 2848	3936	msedge.exe	87
PID 3936 wrote to memory of 2848	3936	msedge.exe	87
PID 4024 wrote to memory of 1668	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	88
PID 4024 wrote to memory of 1668	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	88
PID 1668 wrote to memory of 3608	1668	msedge.exe	89
PID 1668 wrote to memory of 3608	1668	msedge.exe	89
PID 4024 wrote to memory of 4028	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	90
PID 4024 wrote to memory of 4028	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	90
PID 4028 wrote to memory of 2412	4028	msedge.exe	91
PID 4028 wrote to memory of 2412	4028	msedge.exe	91
PID 4024 wrote to memory of 3984	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	92
PID 4024 wrote to memory of 3984	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	92
PID 3984 wrote to memory of 2600	3984	msedge.exe	93
PID 3984 wrote to memory of 2600	3984	msedge.exe	93
PID 4024 wrote to memory of 4808	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	94
PID 4024 wrote to memory of 4808	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	94
PID 4808 wrote to memory of 3468	4808	msedge.exe	95
PID 4808 wrote to memory of 3468	4808	msedge.exe	95
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 612	3936	msedge.exe	96
PID 3936 wrote to memory of 2344	3936	msedge.exe	97
PID 3936 wrote to memory of 2344	3936	msedge.exe	97
PID 4024 wrote to memory of 3788	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	98
PID 4024 wrote to memory of 3788	4024	ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe	98

C:\Users\Admin\AppData\Local\Temp\ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe
"C:\Users\Admin\AppData\Local\Temp\ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
    3⤵
    PID:5512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
    3⤵
    PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
    3⤵
    PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6884 /prefetch:8
    3⤵
    PID:6000
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6884 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6631059206430228148,7148280295711111650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2370692396338586412,13170667527171644865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,3857693137976683896,10167456254413775958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,8984833121150119288,14102098406293427139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
  2⤵
  PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
  2⤵
  PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18fe46f8,0x7ffc18fe4708,0x7ffc18fe4718
    3⤵
    PID:3196
- C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 704
    3⤵
    - Program crash
    PID:1904
- C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5212
- C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5280
- C:\Program Files (x86)\Company\NewProduct\nuplat.exe
  "C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5668
- C:\Program Files (x86)\Company\NewProduct\real.exe
  "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5828
- C:\Program Files (x86)\Company\NewProduct\safert44.exe
  "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5876
- C:\Program Files (x86)\Company\NewProduct\tag.exe
  "C:\Program Files (x86)\Company\NewProduct\tag.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5968
- C:\Program Files (x86)\Company\NewProduct\jshainx.exe
  "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6060
- C:\Program Files (x86)\Company\NewProduct\me.exe
  "C:\Program Files (x86)\Company\NewProduct\me.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5096 -ip 5096
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe

Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe

Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe

Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe

Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe

Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe

Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe

Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\86b77f51-bfd8-46f9-a10f-07c6b4941a96.tmp

Filesize
11KB

MD5
0e67080ea3f94e505ba47ead7d854fc6

SHA1
6b59895e645222c0a76a5a32d5208de179be3964

SHA256
88c0bfc44f56178a52826e1341b0760242f591cbf4a2f7c9e4bcd493d70ae669

SHA512
6b358f88424f58f316c43d9b581a810529abc9d42d5d6559784d4f621287d3440e321320b6f134e9265cc9d93f94f5000dc9bf5febda57b2ff0c794a245a094c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c107fddedff310f945de803cd605a88e

SHA1
1326a5ca980f0aa4025ad8fcaed3bd8a2748bbe9

SHA256
7a45cd99909cdee9daf6ca84dab1f5561f18de6525b149726d7f2459833de74f

SHA512
3d37dc4bd7dbe9b972505fce025c2e67178ccc50d9f3b7c24db1d502a7d1baf4f0483a6e58423f4f22fee92b31be90b982fe5b85bdc6685e4a02f733883ce923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af8ee6126e101aaef38fdf23262bccc8

SHA1
a101e75e8d1bf39198171a5ecb7edd10202c9fdd

SHA256
d5f0ba3300630744dc195bbc37154b4cedea6d0de44603ba713e39d7382b02a1

SHA512
21bc599f7275be1355a4e781fcac1bee63dda4beb636013b8feb3c48512be1edf209b73f537ab7be37c61e205081c1be65cdaa82434365a54099976a70676062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
de78cb604c090fc3475804913983a48a

SHA1
bdb08101dbb34081e90da32b4420a6db1fe43528

SHA256
48d1842b7bab65a3b9bf35c2e44c463e8de200b0bbf47a59887e2809b9c1da42

SHA512
ff1824d6402d29bd813cd4ddc34235d320c35d56aa1fda596f21d6b322a9216b8ca74267bd789f194042fea6d4f0018046a06307ece04f45ff184cc13a010911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
35b66a0eedb0134038694f9756b748ad

SHA1
f93a35a0b145f0190235f7374043563322c6272d

SHA256
0d99a242ebeed22b828b1154f5cc074c7e40acf914d8a476a700bfedd199bfc0

SHA512
bfd445cdbd53db944918b62742d4bfd47993014a753eb2c94e11e7972cbcf2593deb59a4df43536fd6b171264e66f74c6849698520f9426dd32461ccd943be84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\df26a8df-d367-4064-ab48-938119531793.tmp

Filesize
8KB

MD5
ec709f62a9e1c54e2767831adf5d2f28

SHA1
173efb3a8c91494501d78ace651533ff310336f2

SHA256
35295b1cf5adb90d7c1d0fb587d0329318b47596c7b5493aeeec115447d549f5

SHA512
432275e65bf229283c760d91f4e296fbdc4f564cf3ce0543a6702764b0f8205b46ae4db164b4eb000c57f8d01493620a13aedad47d423b2364d2ea1a489ede6c

Download Submit
memory/4024-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-267-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5212-229-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5280-156-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/5280-207-0x0000000007360000-0x000000000739C000-memory.dmp

Filesize
240KB

Download
memory/5280-209-0x0000000007540000-0x000000000758C000-memory.dmp

Filesize
304KB

Download
memory/5280-199-0x0000000005990000-0x0000000005FA8000-memory.dmp

Filesize
6.1MB

Download
memory/5876-201-0x0000000001180000-0x0000000001186000-memory.dmp

Filesize
24KB

Download
memory/5876-186-0x0000000000890000-0x00000000008D4000-memory.dmp

Filesize
272KB

Download
memory/5968-202-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/5968-195-0x0000000000D30000-0x0000000000D50000-memory.dmp

Filesize
128KB

Download
memory/5968-200-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/6060-198-0x0000000000660000-0x0000000000680000-memory.dmp

Filesize
128KB

Download