Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 18:03
Static task
static1
Behavioral task
behavioral1
Sample
6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
Resource
win10v2004-20241007-en
General
-
Target
6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe
-
Size
2.6MB
-
MD5
e0118ad4299455683d5d0708772742ef
-
SHA1
c80a27155317c3d08308cf8a55e4790f429bb2dd
-
SHA256
6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
-
SHA512
c6e9de83cbc63505359fb745f5417977df30445ab87d848081d526c8afe1ecb1ffa075bb80370862cd7d57b50c5dc23e68aac784f8e845a9d7195e6eb1ed99ec
-
SSDEEP
49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS
Malware Config
Extracted
vidar
53.8
1571
https://t.me/spmhaus
https://c.im/@tiagoa33
-
profile_id
1571
Extracted
redline
5
176.113.115.146:9582
-
auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
redline
Molecule JK
insttaller.com:40915
-
auth_value
abb046f9600c78fd9272c2e96c3cfe48
Extracted
redline
nam3
103.89.90.61:34589
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
raccoon
afb5c633c4650f69312baef49db9dfa4
http://193.56.146.177
-
user_agent
mozzzzzzzzzzz
Extracted
raccoon
76426c3f362f5a47a469f0e9d8bc3eef
http://45.95.11.158/
-
user_agent
mozzzzzzzzzzz
Extracted
raccoon
f23fda14afd5f9052a211b216bdaaf79
http://77.232.39.101
-
user_agent
mozzzzzzzzzzz
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
resource yara_rule behavioral2/files/0x0007000000023cc3-173.dat family_redline behavioral2/files/0x0007000000023cc5-217.dat family_redline behavioral2/memory/6208-227-0x00000000004C0000-0x00000000004E0000-memory.dmp family_redline behavioral2/files/0x0007000000023cca-268.dat family_redline behavioral2/files/0x0007000000023cc6-226.dat family_redline behavioral2/memory/6100-219-0x0000000000580000-0x00000000005C4000-memory.dmp family_redline behavioral2/memory/5440-216-0x0000000000010000-0x0000000000030000-memory.dmp family_redline behavioral2/memory/6432-274-0x0000000000FA0000-0x0000000000FC0000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation ordo_sec666.exe -
Executes dropped EXE 13 IoCs
pid Process 5276 F0geI.exe 5592 kukurzka9000.exe 5440 namdoitntn.exe 4460 real.exe 6100 safert44.exe 6208 jshainx.exe 6244 brokerius.exe 6316 captain09876.exe 6388 ordo_sec666.exe 6432 ffnameedit.exe 6572 WW1.exe 6996 SETUP_~1.EXE 7096 DllResource.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" captain09876.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 11 iplogger.org 17 iplogger.org -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Company\NewProduct\F0geI.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\real.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jshainx.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\WW1.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\safert44.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\brokerius.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\captain09876.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2960 5276 WerFault.exe 122 -
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WW1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jshainx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brokerius.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffnameedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllResource.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kukurzka9000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language namdoitntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SETUP_~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F0geI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ordo_sec666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language safert44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language real.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6884 PING.EXE 2088 cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 6884 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6908 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 984 msedge.exe 984 msedge.exe 2084 msedge.exe 2084 msedge.exe 3372 msedge.exe 3372 msedge.exe 912 msedge.exe 912 msedge.exe 5348 msedge.exe 5348 msedge.exe 5660 msedge.exe 5660 msedge.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6388 ordo_sec666.exe 6416 identity_helper.exe 6416 identity_helper.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 7096 DllResource.exe 6804 msedge.exe 6804 msedge.exe 6804 msedge.exe 6804 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
pid Process 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 6996 SETUP_~1.EXE -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 3372 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 85 PID 1928 wrote to memory of 3372 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 85 PID 3372 wrote to memory of 4760 3372 msedge.exe 86 PID 3372 wrote to memory of 4760 3372 msedge.exe 86 PID 1928 wrote to memory of 2268 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 87 PID 1928 wrote to memory of 2268 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 87 PID 2268 wrote to memory of 2136 2268 msedge.exe 88 PID 2268 wrote to memory of 2136 2268 msedge.exe 88 PID 1928 wrote to memory of 1128 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 89 PID 1928 wrote to memory of 1128 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 89 PID 1128 wrote to memory of 1112 1128 msedge.exe 90 PID 1128 wrote to memory of 1112 1128 msedge.exe 90 PID 1928 wrote to memory of 4792 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 91 PID 1928 wrote to memory of 4792 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 91 PID 4792 wrote to memory of 1972 4792 msedge.exe 92 PID 4792 wrote to memory of 1972 4792 msedge.exe 92 PID 1928 wrote to memory of 3440 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 93 PID 1928 wrote to memory of 3440 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 93 PID 3440 wrote to memory of 4988 3440 msedge.exe 94 PID 3440 wrote to memory of 4988 3440 msedge.exe 94 PID 1928 wrote to memory of 4388 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 95 PID 1928 wrote to memory of 4388 1928 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe 95 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 2452 3372 msedge.exe 96 PID 3372 wrote to memory of 984 3372 msedge.exe 97 PID 3372 wrote to memory of 984 3372 msedge.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe"C:\Users\Admin\AppData\Local\Temp\6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AEmX42⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:23⤵PID:2452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:83⤵PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:13⤵PID:4072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:13⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:13⤵PID:4068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:13⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:13⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:13⤵PID:5692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:13⤵PID:5876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:13⤵PID:5980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:13⤵PID:6076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:13⤵PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:13⤵PID:6756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:13⤵PID:6764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:13⤵PID:7108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:13⤵PID:7116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:83⤵PID:5332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:6416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17018526922464573386,3265520379597102669,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6804
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1ARmX42⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:2136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:23⤵PID:5028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,11997392329957829821,193241046500353937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AAmX42⤵
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:1112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12857327135548108962,10946386260547312420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:912
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AFmX42⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13804647263910924688,265436008021893973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5348
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AGmX42⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7889946825374594600,12289223455966820718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5660
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AJmX42⤵PID:4388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:4796
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AKmX42⤵PID:2036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:2016
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AZmX42⤵PID:5744
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:5860
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AVmX42⤵PID:6068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabff146f8,0x7ffabff14708,0x7ffabff147183⤵PID:6120
-
-
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 10323⤵
- Program crash
PID:2960
-
-
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5592
-
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5440
-
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460
-
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6100
-
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6208
-
-
C:\Program Files (x86)\Company\NewProduct\brokerius.exe"C:\Program Files (x86)\Company\NewProduct\brokerius.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6244
-
-
C:\Program Files (x86)\Company\NewProduct\captain09876.exe"C:\Program Files (x86)\Company\NewProduct\captain09876.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6316 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6996
-
-
-
C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6388 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:6908
-
-
C:\Users\Admin\TypeRes\DllResource.exe"C:\Users\Admin\TypeRes\DllResource.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7096
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Program Files (x86)\Company\NewProduct\ordo_sec666.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2088 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:5568
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6884
-
-
-
-
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6432
-
-
C:\Program Files (x86)\Company\NewProduct\WW1.exe"C:\Program Files (x86)\Company\NewProduct\WW1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6572
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4520
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5276 -ip 52761⤵PID:4880
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
Filesize
283KB
MD586c2f03bbb61bdcaf1ae4bfb22cc2d31
SHA1bd4d43346fda88073a2832aa68a832da7fba92d2
SHA25668e686f07eab2a6d3da3e045e5a27614b6225aecd5e373d3e788281207f7ee3c
SHA5124d9f01819d8d8536a0b0e17da8742cc2d01240a899e00f5338db8fc0a37536a16c4f1a112475c5f6a017db534144819ce8d6a22f1c346d38363854208c6a01d1
-
Filesize
283KB
MD5f5d13e361f8b9aca7103cb46b441034b
SHA1090dcc68f4ce59d1c5b8b7424508c4033ee418dd
SHA256a5ad514ed54f1f8f0a8e054b0dc3a39d13d70e388711ddb9d44095a5a89317bf
SHA512db8f615405c3dcbb2e525903a572e13565f184bc8c1a2674138a84774dd06041a9899006b8599a25f06ce4fba92c12d102772e74be62ac6d02b5bc0ac4ee124a
-
Filesize
704KB
MD5ce94ce7de8279ecf9519b12f124543c3
SHA1be2563e381439ed33869a052391eec1ddd40faa0
SHA256f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20
SHA5129697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7
-
Filesize
107KB
MD53243054d3acd513abcc72ee1d1b65c97
SHA1d23afd7ef0f4cc3cf5a492b7d46b557c7bc11cb3
SHA2565bc24a5dea878774ce9c928a13f007e6ac604474349f33ce4f946aa4b7189ccc
SHA512931c3735474a70ebdfc3b849448532b782062c1228079ca9a9367cd6e4d5cf181ae794427becc85d7921703d0288d6639682a858f3a43338b679258d7d29e6e3
-
Filesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
Filesize
757KB
MD53ec059bd19d6655ba83ae1e644b80510
SHA161fa49d4473e91509b32a3b675a236b1eab74d08
SHA2567dc81dc72cb4f89ad022bb15419e1b6170cf77942b8ec29839924b7b4fe7896c
SHA5125324c3a902b96d5782e01dd0bfb177055a6908112c60c85af49c7e863b62f0947d6e18d5ac370652008c5983b0c8bd762ab4444822d0ad547a88883970adabe9
-
Filesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
Filesize
1.7MB
MD563fd052610279f9eb9f1fee8e262f2a4
SHA1aac344ed6f54c367be51effbf6e84128ee8c6992
SHA256955c265a378008efee8f0d19c2880d1026f32f7cd6325e0ab1a24c833905bbba
SHA512234bc89538336452938fbe1e6774f5f7ca47c735f871ac3ba54a3ea6b68c48970fc53239ea72d5ca176f3acc00932e479020c38cad66a0f70a3acda5b5aff9b9
-
Filesize
275KB
MD5a2414bb5522d3844b6c9a84537d7ce43
SHA156c91fc4fe09ce07320c03f186f3d5d293a6089d
SHA25631f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173
SHA512408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60
-
Filesize
246KB
MD5414ffd7094c0f50662ffa508ca43b7d0
SHA16ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
SHA256d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
SHA512c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
152B
MD5e55832d7cd7e868a2c087c4c73678018
SHA1ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
-
Filesize
180B
MD54bc8a3540a546cfe044e0ed1a0a22a95
SHA15387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf
-
Filesize
6KB
MD5c0659c608cee2326ee1d194143e4d044
SHA12de1b80864a619493a0c2f99276ec2a6d957a532
SHA256777d3f040d5e4fe65f602cad6ef36ac58dccedba95c27503fe95869340a7d66f
SHA512afa751f8940fb6f4209bea2abe789efd464e1e350ebc05621aaa1aa064e88bb6ee7cab982e6f23452fe21e00cb577e9a5fd4bceb69a42b619e17c4f1c2f7b56c
-
Filesize
6KB
MD509f0084938d83944ec6ca15cff5cf79f
SHA1664d2f9501456d94265d46ede9c22dbabbbe287a
SHA256fced5c084f6f6e5c659a647995afb98a7a418929c8a84af2c63fcfa8c00b6966
SHA51271d5c5f60b564f650c243d4fff4bbd6f92b6768c6af7af3b96506d702d59d568d6e36f787ce348233c8ff151d1c64e2b1955fa13097eac3a994532e123811ac8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5627a928d2ec7c1b26a88741a39a5045f
SHA1bb3660be562b28aab6105701d11fb6b1d9fc2696
SHA256a8a4e3352f0fb63baa084bdd99744a134980a5b997d0be5ad8840d41a42b9f46
SHA512be1eb74e7ef1f456c676eb0ccdf02c7a6ef5f45a3f20a44a32540f104f557808ad0d0655e57024f1948537022ace8e84b92d9460fce6d0f00383a43e68e2b725
-
Filesize
8KB
MD5c820e243b869357f4e6b9181b02d5b44
SHA10af769193689daff6f9aee5ac0fd6b819a292c8d
SHA2560befb7fc03d32e795bd0a115ff812c54e3292d4df984cdf5dcf2fdc088cd417f
SHA51250f6ae8dd7fd77877bee93497f965f92f6924281596234b5511829c5850a171c0759eb7285e113fd0198b5917510ea78a5285c31026997c4dab667a08704f0a6
-
Filesize
8KB
MD55ff0072a56024957809da8010d556aeb
SHA101936f5769a0b929bc6056a5d95cd6740ba1ff26
SHA25658aa5fe1cd74408306dc02843b6cf3de6e3026b570225f08af1c61ed799612cf
SHA51280f6a27e34c958138375340ab1dafa63f7bb2c029343940bcc8922082f31dfd2c4066e6abb4cae22c6d5b7cc1b507d4ea95703837567da7e278f0fcb17fd4abe
-
Filesize
10KB
MD5780f3041cc7613d6f850c42185e7be2c
SHA14417749a9091bd7ae55180429ec5280ae9c31886
SHA25655c830d0d7c4d6ba7738de048afa42e2a383a62d97ed6a7375d3a9f39ce47450
SHA5124d10ed53641b9bef311c45e14931337ed1125d05e115e08b5f31eb6951835d04c29ad95d6227d058cef54d5c99fecb165b5ac6d95deac138d96ad15c653bbb05
-
Filesize
8KB
MD5aeaee4d2f631be0971ad03e524b80361
SHA1b2a33174aa2ebf0774c9a2d25bd5982f687e35bf
SHA256aa1f8c061a3767ec7a2a5205262da8d37a07b5fe327159f6b7656bd7b50f30f4
SHA512c0a718a0ceb0519999ce488ac9e5ee77347c1721416db8ac6e4032b0fd9cc8703e77dc177495871fee85589203bbced024cf3662f1e2c1b4d967e0fe357427d3