Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 18:11

General

  • Target

    36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe

  • Size

    916KB

  • MD5

    c980f514625b05414eb98e9430c5989b

  • SHA1

    ab83c9ff1a8216bf3f4bbec203740b43a9be5658

  • SHA256

    36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a

  • SHA512

    b39863ac1fd9c0da7bcac00952ca006bdcc4c17b05118698a57910f7f39438812d5264a3e74e2cd8570540531dd220d63c9a5ca9aeb394e052809891dd6c9da5

  • SSDEEP

    24576:pAT8QE+kLVNpJc7Ycw4Th7k16ThM5dJ5OS6tT7oA5i69t:pAI+UNpJc7Yc7dXUxOSAXo07

Malware Config

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes
  • auth_value

    0dfaff60271d374d0c206d19883e06f3

Extracted

Family

vidar

Version

53.8

Botnet

1521

C2

http://62.204.41.126:80

Attributes
  • profile_id

    1521

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes
  • auth_value

    d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://193.56.146.177

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

C2

http://45.95.11.158/

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
    "C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
        3⤵
          PID:976
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
          3⤵
            PID:4996
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1600
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
            3⤵
              PID:1884
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
              3⤵
                PID:4084
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
                3⤵
                  PID:2848
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
                  3⤵
                    PID:2692
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
                    3⤵
                      PID:5240
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
                      3⤵
                        PID:5512
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
                        3⤵
                          PID:5740
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
                          3⤵
                            PID:5508
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4336
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
                            3⤵
                              PID:6016
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
                              3⤵
                                PID:5480
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
                                3⤵
                                  PID:4960
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                                  3⤵
                                    PID:1588
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
                                    3⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5548
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
                                  2⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1676
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
                                    3⤵
                                      PID:116
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9468344723019365520,15275979912446879624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
                                      3⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3020
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1788
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
                                      3⤵
                                        PID:1144
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
                                        3⤵
                                          PID:4244
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
                                          3⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4116
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
                                        2⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3404
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
                                          3⤵
                                            PID:368
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16572939092700625471,12447531107561639958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
                                            3⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5456
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nN6Z4
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2812
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c4718
                                            3⤵
                                              PID:1856
                                          • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
                                            "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5028
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1052
                                              3⤵
                                              • Program crash
                                              PID:4456
                                          • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
                                            "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:3748
                                          • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
                                            "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:2416
                                          • C:\Program Files (x86)\Company\NewProduct\real.exe
                                            "C:\Program Files (x86)\Company\NewProduct\real.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:4076
                                          • C:\Program Files (x86)\Company\NewProduct\safert44.exe
                                            "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:2444
                                          • C:\Program Files (x86)\Company\NewProduct\jshainx.exe
                                            "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:2040
                                          • C:\Program Files (x86)\Company\NewProduct\WW1.exe
                                            "C:\Program Files (x86)\Company\NewProduct\WW1.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:1608
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1836
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:2616
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:5448
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:5812
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5028 -ip 5028
                                                  1⤵
                                                    PID:5196

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Company\NewProduct\F0geI.exe

                                                    Filesize

                                                    339KB

                                                    MD5

                                                    501e0f6fa90340e3d7ff26f276cd582e

                                                    SHA1

                                                    1bce4a6153f71719e786f8f612fbfcd23d3e130a

                                                    SHA256

                                                    f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

                                                    SHA512

                                                    dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

                                                  • C:\Program Files (x86)\Company\NewProduct\WW1.exe

                                                    Filesize

                                                    274KB

                                                    MD5

                                                    a62d25b9a70fe5e4be932036814e6832

                                                    SHA1

                                                    e1571597ff7648d6c7e8eb013d04d00b129343c7

                                                    SHA256

                                                    904b8d3d5fe952b833e0815e1b90ac21f86ff16749be122e7632824348d29f62

                                                    SHA512

                                                    0a6a97b2cd9a60393eef4006d78b676cf199244ef4369321b6d0de145b3e067393dde68ec5550215cd77f5ae0553ffaacf24f862fddefbc87f78ca86c82235e6

                                                  • C:\Program Files (x86)\Company\NewProduct\jshainx.exe

                                                    Filesize

                                                    107KB

                                                    MD5

                                                    2647a5be31a41a39bf2497125018dbce

                                                    SHA1

                                                    a1ac856b9d6556f5bb3370f0342914eb7cbb8840

                                                    SHA256

                                                    84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

                                                    SHA512

                                                    68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

                                                  • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

                                                    Filesize

                                                    669KB

                                                    MD5

                                                    b5942a0be0b72e121dadb762044f38cc

                                                    SHA1

                                                    885909607a9747c11eac6cc47b775ad947980c5e

                                                    SHA256

                                                    c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1

                                                    SHA512

                                                    d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

                                                  • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

                                                    Filesize

                                                    107KB

                                                    MD5

                                                    bbd8ea73b7626e0ca5b91d355df39b7f

                                                    SHA1

                                                    66e298653beb7f652eb44922010910ced6242879

                                                    SHA256

                                                    1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

                                                    SHA512

                                                    625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

                                                  • C:\Program Files (x86)\Company\NewProduct\real.exe

                                                    Filesize

                                                    274KB

                                                    MD5

                                                    6f6b64ee71021439e50f32cfea2c19a9

                                                    SHA1

                                                    a7d0b57904e9572ff9994f656c50daf55068cd75

                                                    SHA256

                                                    3bd07a00c9e492bdd65b36dbe6fd91c30bfa2c8ced7e627f35011e5356c7e1d2

                                                    SHA512

                                                    0ab19e6bcedd6eef3347133208fcb275ffbf534176fe09f6c5d9e715ef3db4704abb0491d974be8858eda129e3706982999626a649780666a1a24972c6084ae0

                                                  • C:\Program Files (x86)\Company\NewProduct\safert44.exe

                                                    Filesize

                                                    246KB

                                                    MD5

                                                    414ffd7094c0f50662ffa508ca43b7d0

                                                    SHA1

                                                    6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

                                                    SHA256

                                                    d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

                                                    SHA512

                                                    c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                    Filesize

                                                    152B

                                                    MD5

                                                    b8880802fc2bb880a7a869faa01315b0

                                                    SHA1

                                                    51d1a3fa2c272f094515675d82150bfce08ee8d3

                                                    SHA256

                                                    467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                                    SHA512

                                                    e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                    Filesize

                                                    152B

                                                    MD5

                                                    ba6ef346187b40694d493da98d5da979

                                                    SHA1

                                                    643c15bec043f8673943885199bb06cd1652ee37

                                                    SHA256

                                                    d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                                    SHA512

                                                    2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                    Filesize

                                                    180B

                                                    MD5

                                                    4bc8a3540a546cfe044e0ed1a0a22a95

                                                    SHA1

                                                    5387f78f1816dee5393bfca1fffe49cede5f59c1

                                                    SHA256

                                                    f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

                                                    SHA512

                                                    e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                    Filesize

                                                    6KB

                                                    MD5

                                                    ebc2ad9b363246f657597a910db90ea1

                                                    SHA1

                                                    3141685f1b8a71ccb6f31bb03bddf02dc96e934a

                                                    SHA256

                                                    bd84e714dda99a6dd15843a6fc9058c5c9e46224699172e6c825633a8106e085

                                                    SHA512

                                                    d30cae8c636f88af3bcffb6bfa6d488a301a108177cea5a917e0c01dc530aaac05d6b601832fb861af8caca550edeb951d262a13cda5b440a74fae23bb57d7ed

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                    Filesize

                                                    6KB

                                                    MD5

                                                    a6723b587e9aa1e8cf436de063cf1313

                                                    SHA1

                                                    c16969503ceddf7936a31804acfaef9ae43660df

                                                    SHA256

                                                    b5f445201271ab289306011c6e691088b743053bf3e9eb8edc1fced86aba20d9

                                                    SHA512

                                                    c49a5ae019564d22f1d1f0b735657be610dc0ee1ee0369700e0df87126aae85a1835bffca92c5c301e9db075672f3e7c18f0239206f5f70327bd13a1572772d9

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                    Filesize

                                                    16B

                                                    MD5

                                                    6752a1d65b201c13b62ea44016eb221f

                                                    SHA1

                                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                    SHA256

                                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                    SHA512

                                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                    Filesize

                                                    8KB

                                                    MD5

                                                    bbec8b8e7f07e0f154eaaca6ec06d185

                                                    SHA1

                                                    32bb658fa3a1bfdd2b93414757ed3658e9114ef2

                                                    SHA256

                                                    30fd4591aa5600a66a2703102f6524b5a795dd0383367081067b730d28104ec9

                                                    SHA512

                                                    118151a5fd6cbb9622eaed43b7d62320624d5368b18cf24d48eb6eade0a8bb67a74574300feaa160e6a7b5cdd0f3d2ae52b67f8b97053a6ea2e2bb9f2feb0a62

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                    Filesize

                                                    8KB

                                                    MD5

                                                    8a30d2eaa3946ecd30816899e9dfe76d

                                                    SHA1

                                                    88b5600301430c00643705d484db805e0d69106f

                                                    SHA256

                                                    1470a1b431e15ebdeba1c8553526c69c4feb02f314d03236eb3a3d860f9afdba

                                                    SHA512

                                                    d5eff5ca49e909d6545115de1a989ac851fb3f806984d1f24b631fea07d176365b10fdfadf1ef249a998b58fe3cb9c245887cfd0781ef8c9061d0dacf99761e6

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                    Filesize

                                                    8KB

                                                    MD5

                                                    19fa2c7b730740819bce3e8bed55d30e

                                                    SHA1

                                                    9364a6a0fb470c7debbfb4af3fa9fffe5d4093fc

                                                    SHA256

                                                    4acaa77ac43f333c28bcaba3201763a262cf5d51a260b7a781823bf532f340f8

                                                    SHA512

                                                    57ad96d5ecb1daf828b6dd3006182be2c4133e88ed2cc2320a9010212512e0fb17e1ea053397dd584e259ecb878cf045ade8d301142d2ab736f4634e05091515

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                    Filesize

                                                    11KB

                                                    MD5

                                                    81a4355e6e8b6958f17b5d08b227f20d

                                                    SHA1

                                                    4c25e310760c1011cc05f868068613fdc76abcf8

                                                    SHA256

                                                    a67958ad3af018e130e79ff00c9f2bb7d9fd6ca606207e4dd519b2b874aa44a1

                                                    SHA512

                                                    40b675c503bb2826a2bb5ac9475573b44959115700d3a5dca6253cb1b39258e59deedcada61aef1a67bf4c479bfaa159ec6977c43e19f97e4f7a7a927c2e29ad

                                                  • memory/2040-127-0x0000000000780000-0x00000000007A0000-memory.dmp

                                                    Filesize

                                                    128KB

                                                  • memory/2040-138-0x00000000050B0000-0x00000000050FC000-memory.dmp

                                                    Filesize

                                                    304KB

                                                  • memory/2040-134-0x0000000005010000-0x0000000005022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2040-135-0x0000000005140000-0x000000000524A000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                  • memory/2040-137-0x0000000005070000-0x00000000050AC000-memory.dmp

                                                    Filesize

                                                    240KB

                                                  • memory/2040-133-0x0000000005580000-0x0000000005B98000-memory.dmp

                                                    Filesize

                                                    6.1MB

                                                  • memory/2416-109-0x0000000000C40000-0x0000000000C60000-memory.dmp

                                                    Filesize

                                                    128KB

                                                  • memory/2444-136-0x0000000002F80000-0x0000000002F86000-memory.dmp

                                                    Filesize

                                                    24KB

                                                  • memory/2444-126-0x0000000000E70000-0x0000000000EB4000-memory.dmp

                                                    Filesize

                                                    272KB

                                                  • memory/3748-199-0x0000000000400000-0x00000000004AE000-memory.dmp

                                                    Filesize

                                                    696KB

                                                  • memory/4072-112-0x0000000000400000-0x0000000000433000-memory.dmp

                                                    Filesize

                                                    204KB

                                                  • memory/5028-240-0x0000000000400000-0x000000000046E000-memory.dmp

                                                    Filesize

                                                    440KB