raccoon | 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
Size

2.6MB
MD5

e0118ad4299455683d5d0708772742ef
SHA1

c80a27155317c3d08308cf8a55e4790f429bb2dd
SHA256

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
SHA512

c6e9de83cbc63505359fb745f5417977df30445ab87d848081d526c8afe1ecb1ffa075bb80370862cd7d57b50c5dc23e68aac784f8e845a9d7195e6eb1ed99ec
SSDEEP

49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS

Score

10^/10

raccoon redline vidar 1571 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 f23fda14afd5f9052a211b216bdaaf79 molecule jk nam3 discovery infostealer persistence stealer

Malware Config

Extracted

Family

vidar

Version

53.8

Botnet

1571

https://t.me/spmhaus

https://c.im/@tiagoa33

Attributes

profile_id
1571

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

Molecule JK

insttaller.com:40915

Attributes

auth_value
abb046f9600c78fd9272c2e96c3cfe48

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

f23fda14afd5f9052a211b216bdaaf79

http://77.232.39.101

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/6208-227-0x00000000004C0000-0x00000000004E0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral2/memory/6100-219-0x0000000000580000-0x00000000005C4000-memory.dmp	family_redline
behavioral2/memory/5440-216-0x0000000000010000-0x0000000000030000-memory.dmp	family_redline
behavioral2/memory/6432-274-0x0000000000FA0000-0x0000000000FC0000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exeordo_sec666.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ordo_sec666.exe

Executes dropped EXE 13 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exejshainx.exebrokerius.execaptain09876.exeordo_sec666.exeffnameedit.exeWW1.exeSETUP_~1.EXEDllResource.exe

pid	process
5276	F0geI.exe
5592	kukurzka9000.exe
5440	namdoitntn.exe
4460	real.exe
6100	safert44.exe
6208	jshainx.exe
6244	brokerius.exe
6316	captain09876.exe
6388	ordo_sec666.exe
6432	ffnameedit.exe
6572	WW1.exe
6996	SETUP_~1.EXE
7096	DllResource.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

captain09876.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	captain09876.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 iplogger.org
17 iplogger.org

flow	ioc
11	iplogger.org
17	iplogger.org

Drops file in Program Files directory 11 IoCs

Processes:

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\brokerius.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\captain09876.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2960 5276 WerFault.exe F0geI.exe

pid	pid_target	process	target process
2960	5276	WerFault.exe	F0geI.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WW1.execmd.exejshainx.exebrokerius.exeffnameedit.exeDllResource.exePING.EXEkukurzka9000.exenamdoitntn.exeSETUP_~1.EXEschtasks.exechcp.comF0geI.exeordo_sec666.exesafert44.exe6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exereal.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WW1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jshainx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brokerius.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffnameedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllResource.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukurzka9000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namdoitntn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0geI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ordo_sec666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safert44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

6884 PING.EXE
2088 cmd.exe

pid	process
6884	PING.EXE
2088	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6884 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

6908 schtasks.exe

pid	process
6884	PING.EXE

pid	process
6908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeordo_sec666.exeidentity_helper.exeDllResource.exemsedge.exe

pid	process
984	msedge.exe
984	msedge.exe
2084	msedge.exe
2084	msedge.exe
3372	msedge.exe
3372	msedge.exe
912	msedge.exe
912	msedge.exe
5348	msedge.exe
5348	msedge.exe
5660	msedge.exe
5660	msedge.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6388	ordo_sec666.exe
6416	identity_helper.exe
6416	identity_helper.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
7096	DllResource.exe
6804	msedge.exe
6804	msedge.exe
6804	msedge.exe
6804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SETUP_~1.EXE

description pid process

Token: SeDebugPrivilege 6996 SETUP_~1.EXE

description	pid	process
Token: SeDebugPrivilege	6996	SETUP_~1.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1928 wrote to memory of 3372	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 3372	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 3372 wrote to memory of 4760	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 4760	3372	msedge.exe	msedge.exe
PID 1928 wrote to memory of 2268	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 2268	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 2268 wrote to memory of 2136	2268	msedge.exe	msedge.exe
PID 2268 wrote to memory of 2136	2268	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1128 wrote to memory of 1112	1128	msedge.exe	msedge.exe
PID 1128 wrote to memory of 1112	1128	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4792	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 4792	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 4792 wrote to memory of 1972	4792	msedge.exe	msedge.exe
PID 4792 wrote to memory of 1972	4792	msedge.exe	msedge.exe
PID 1928 wrote to memory of 3440	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 3440	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 3440 wrote to memory of 4988	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 4988	3440	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4388	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 1928 wrote to memory of 4388	1928	6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 2452	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 984	3372	msedge.exe	msedge.exe
PID 3372 wrote to memory of 984	3372	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
"C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AEmX4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
    3⤵
    PID:5692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:6076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
    3⤵
    PID:6756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
    3⤵
    PID:6764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
    3⤵
    PID:7108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
    3⤵
    PID:7116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ARmX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:5028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AAmX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:1112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12857327135548108962,10946386260547312420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AFmX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13804647263910924688,265436008021893973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AGmX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7889946825374594600,12289223455966820718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AJmX4
  2⤵
  PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AKmX4
  2⤵
  PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AZmX4
  2⤵
  PID:5744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AVmX4
  2⤵
  PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff14718
    3⤵
    PID:6120
- C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1032
    3⤵
    - Program crash
    PID:2960
- C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5592
- C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5440
- C:\Program Files (x86)\Company\NewProduct\real.exe
  "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Program Files (x86)\Company\NewProduct\safert44.exe
  "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6100
- C:\Program Files (x86)\Company\NewProduct\jshainx.exe
  "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6208
- C:\Program Files (x86)\Company\NewProduct\brokerius.exe
  "C:\Program Files (x86)\Company\NewProduct\brokerius.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6244
- C:\Program Files (x86)\Company\NewProduct\captain09876.exe
  "C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6316
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6996
- C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe
  "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6388
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6908
- - C:\Users\Admin\TypeRes\DllResource.exe
    "C:\Users\Admin\TypeRes\DllResource.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:7096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2088
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5568
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6884
- C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
  "C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6432
- C:\Program Files (x86)\Company\NewProduct\WW1.exe
  "C:\Program Files (x86)\Company\NewProduct\WW1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5276 -ip 5276
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe

Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe

Filesize
283KB

MD5
86c2f03bbb61bdcaf1ae4bfb22cc2d31

SHA1
bd4d43346fda88073a2832aa68a832da7fba92d2

SHA256
68e686f07eab2a6d3da3e045e5a27614b6225aecd5e373d3e788281207f7ee3c

SHA512
4d9f01819d8d8536a0b0e17da8742cc2d01240a899e00f5338db8fc0a37536a16c4f1a112475c5f6a017db534144819ce8d6a22f1c346d38363854208c6a01d1

Download Submit
C:\Program Files (x86)\Company\NewProduct\brokerius.exe

Filesize
283KB

MD5
f5d13e361f8b9aca7103cb46b441034b

SHA1
090dcc68f4ce59d1c5b8b7424508c4033ee418dd

SHA256
a5ad514ed54f1f8f0a8e054b0dc3a39d13d70e388711ddb9d44095a5a89317bf

SHA512
db8f615405c3dcbb2e525903a572e13565f184bc8c1a2674138a84774dd06041a9899006b8599a25f06ce4fba92c12d102772e74be62ac6d02b5bc0ac4ee124a

Download Submit
C:\Program Files (x86)\Company\NewProduct\captain09876.exe

Filesize
704KB

MD5
ce94ce7de8279ecf9519b12f124543c3

SHA1
be2563e381439ed33869a052391eec1ddd40faa0

SHA256
f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20

SHA512
9697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe

Filesize
107KB

MD5
3243054d3acd513abcc72ee1d1b65c97

SHA1
d23afd7ef0f4cc3cf5a492b7d46b557c7bc11cb3

SHA256
5bc24a5dea878774ce9c928a13f007e6ac604474349f33ce4f946aa4b7189ccc

SHA512
931c3735474a70ebdfc3b849448532b782062c1228079ca9a9367cd6e4d5cf181ae794427becc85d7921703d0288d6639682a858f3a43338b679258d7d29e6e3

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe

Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

Filesize
757KB

MD5
3ec059bd19d6655ba83ae1e644b80510

SHA1
61fa49d4473e91509b32a3b675a236b1eab74d08

SHA256
7dc81dc72cb4f89ad022bb15419e1b6170cf77942b8ec29839924b7b4fe7896c

SHA512
5324c3a902b96d5782e01dd0bfb177055a6908112c60c85af49c7e863b62f0947d6e18d5ac370652008c5983b0c8bd762ab4444822d0ad547a88883970adabe9

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe

Filesize
1.7MB

MD5
63fd052610279f9eb9f1fee8e262f2a4

SHA1
aac344ed6f54c367be51effbf6e84128ee8c6992

SHA256
955c265a378008efee8f0d19c2880d1026f32f7cd6325e0ab1a24c833905bbba

SHA512
234bc89538336452938fbe1e6774f5f7ca47c735f871ac3ba54a3ea6b68c48970fc53239ea72d5ca176f3acc00932e479020c38cad66a0f70a3acda5b5aff9b9

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe

Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe

Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0659c608cee2326ee1d194143e4d044

SHA1
2de1b80864a619493a0c2f99276ec2a6d957a532

SHA256
777d3f040d5e4fe65f602cad6ef36ac58dccedba95c27503fe95869340a7d66f

SHA512
afa751f8940fb6f4209bea2abe789efd464e1e350ebc05621aaa1aa064e88bb6ee7cab982e6f23452fe21e00cb577e9a5fd4bceb69a42b619e17c4f1c2f7b56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09f0084938d83944ec6ca15cff5cf79f

SHA1
664d2f9501456d94265d46ede9c22dbabbbe287a

SHA256
fced5c084f6f6e5c659a647995afb98a7a418929c8a84af2c63fcfa8c00b6966

SHA512
71d5c5f60b564f650c243d4fff4bbd6f92b6768c6af7af3b96506d702d59d568d6e36f787ce348233c8ff151d1c64e2b1955fa13097eac3a994532e123811ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
627a928d2ec7c1b26a88741a39a5045f

SHA1
bb3660be562b28aab6105701d11fb6b1d9fc2696

SHA256
a8a4e3352f0fb63baa084bdd99744a134980a5b997d0be5ad8840d41a42b9f46

SHA512
be1eb74e7ef1f456c676eb0ccdf02c7a6ef5f45a3f20a44a32540f104f557808ad0d0655e57024f1948537022ace8e84b92d9460fce6d0f00383a43e68e2b725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c820e243b869357f4e6b9181b02d5b44

SHA1
0af769193689daff6f9aee5ac0fd6b819a292c8d

SHA256
0befb7fc03d32e795bd0a115ff812c54e3292d4df984cdf5dcf2fdc088cd417f

SHA512
50f6ae8dd7fd77877bee93497f965f92f6924281596234b5511829c5850a171c0759eb7285e113fd0198b5917510ea78a5285c31026997c4dab667a08704f0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5ff0072a56024957809da8010d556aeb

SHA1
01936f5769a0b929bc6056a5d95cd6740ba1ff26

SHA256
58aa5fe1cd74408306dc02843b6cf3de6e3026b570225f08af1c61ed799612cf

SHA512
80f6a27e34c958138375340ab1dafa63f7bb2c029343940bcc8922082f31dfd2c4066e6abb4cae22c6d5b7cc1b507d4ea95703837567da7e278f0fcb17fd4abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
780f3041cc7613d6f850c42185e7be2c

SHA1
4417749a9091bd7ae55180429ec5280ae9c31886

SHA256
55c830d0d7c4d6ba7738de048afa42e2a383a62d97ed6a7375d3a9f39ce47450

SHA512
4d10ed53641b9bef311c45e14931337ed1125d05e115e08b5f31eb6951835d04c29ad95d6227d058cef54d5c99fecb165b5ac6d95deac138d96ad15c653bbb05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aeaee4d2f631be0971ad03e524b80361

SHA1
b2a33174aa2ebf0774c9a2d25bd5982f687e35bf

SHA256
aa1f8c061a3767ec7a2a5205262da8d37a07b5fe327159f6b7656bd7b50f30f4

SHA512
c0a718a0ceb0519999ce488ac9e5ee77347c1721416db8ac6e4032b0fd9cc8703e77dc177495871fee85589203bbced024cf3662f1e2c1b4d967e0fe357427d3

Download Submit
\??\pipe\LOCAL\crashpad_3372_UVHQRCDRWVYZIXEI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1928-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-340-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5440-280-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download
memory/5440-216-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/5440-277-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/5592-286-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/6100-219-0x0000000000580000-0x00000000005C4000-memory.dmp

Filesize
272KB

Download
memory/6100-249-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

Filesize
24KB

Download
memory/6208-273-0x0000000004E80000-0x0000000004F8A000-memory.dmp

Filesize
1.0MB

Download
memory/6208-266-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/6208-267-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/6208-227-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/6432-274-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/6996-307-0x0000000000FE0000-0x0000000001030000-memory.dmp

Filesize
320KB

Download
memory/7096-426-0x000000000EA00000-0x000000000EB0C000-memory.dmp

Filesize
1.0MB

Download
memory/7096-427-0x000000000E9B0000-0x000000000E9C2000-memory.dmp

Filesize
72KB

Download