Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
Resource
win10v2004-20241007-en
General
-
Target
36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe
-
Size
916KB
-
MD5
c980f514625b05414eb98e9430c5989b
-
SHA1
ab83c9ff1a8216bf3f4bbec203740b43a9be5658
-
SHA256
36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
-
SHA512
b39863ac1fd9c0da7bcac00952ca006bdcc4c17b05118698a57910f7f39438812d5264a3e74e2cd8570540531dd220d63c9a5ca9aeb394e052809891dd6c9da5
-
SSDEEP
24576:pAT8QE+kLVNpJc7Ycw4Th7k16ThM5dJ5OS6tT7oA5i69t:pAI+UNpJc7Yc7dXUxOSAXo07
Malware Config
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
vidar
53.8
1521
http://62.204.41.126:80
-
profile_id
1521
Extracted
redline
5
176.113.115.146:9582
-
auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f
Extracted
redline
nam3
103.89.90.61:34589
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
raccoon
afb5c633c4650f69312baef49db9dfa4
http://193.56.146.177
-
user_agent
mozzzzzzzzzzz
Extracted
raccoon
76426c3f362f5a47a469f0e9d8bc3eef
http://45.95.11.158/
-
user_agent
mozzzzzzzzzzz
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/files/0x0007000000023cd0-61.dat family_redline behavioral2/files/0x0007000000023cd2-80.dat family_redline behavioral2/files/0x0007000000023cd3-120.dat family_redline behavioral2/memory/2040-127-0x0000000000780000-0x00000000007A0000-memory.dmp family_redline behavioral2/memory/2444-126-0x0000000000E70000-0x0000000000EB4000-memory.dmp family_redline behavioral2/memory/2416-109-0x0000000000C40000-0x0000000000C60000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe -
Executes dropped EXE 7 IoCs
pid Process 5028 F0geI.exe 3748 kukurzka9000.exe 2416 namdoitntn.exe 4076 real.exe 2444 safert44.exe 2040 jshainx.exe 1608 WW1.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 9 iplogger.org 14 iplogger.org -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Company\NewProduct\F0geI.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\real.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\safert44.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jshainx.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\WW1.exe 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4456 5028 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WW1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jshainx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F0geI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kukurzka9000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language real.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language namdoitntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language safert44.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1600 msedge.exe 1600 msedge.exe 4504 msedge.exe 4504 msedge.exe 3020 msedge.exe 3020 msedge.exe 4116 msedge.exe 4116 msedge.exe 5456 msedge.exe 5456 msedge.exe 4336 identity_helper.exe 4336 identity_helper.exe 5548 msedge.exe 5548 msedge.exe 5548 msedge.exe 5548 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe 4504 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4072 wrote to memory of 4504 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 87 PID 4072 wrote to memory of 4504 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 87 PID 4504 wrote to memory of 976 4504 msedge.exe 88 PID 4504 wrote to memory of 976 4504 msedge.exe 88 PID 4072 wrote to memory of 1676 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 89 PID 4072 wrote to memory of 1676 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 89 PID 1676 wrote to memory of 116 1676 msedge.exe 90 PID 1676 wrote to memory of 116 1676 msedge.exe 90 PID 4072 wrote to memory of 1788 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 91 PID 4072 wrote to memory of 1788 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 91 PID 1788 wrote to memory of 1144 1788 msedge.exe 92 PID 1788 wrote to memory of 1144 1788 msedge.exe 92 PID 4072 wrote to memory of 3404 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 93 PID 4072 wrote to memory of 3404 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 93 PID 3404 wrote to memory of 368 3404 msedge.exe 94 PID 3404 wrote to memory of 368 3404 msedge.exe 94 PID 4072 wrote to memory of 2812 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 95 PID 4072 wrote to memory of 2812 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 95 PID 2812 wrote to memory of 1856 2812 msedge.exe 96 PID 2812 wrote to memory of 1856 2812 msedge.exe 96 PID 4072 wrote to memory of 5028 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 97 PID 4072 wrote to memory of 5028 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 97 PID 4072 wrote to memory of 5028 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 97 PID 4072 wrote to memory of 3748 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 98 PID 4072 wrote to memory of 3748 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 98 PID 4072 wrote to memory of 3748 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 98 PID 4072 wrote to memory of 2416 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 99 PID 4072 wrote to memory of 2416 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 99 PID 4072 wrote to memory of 2416 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 99 PID 4072 wrote to memory of 4076 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 100 PID 4072 wrote to memory of 4076 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 100 PID 4072 wrote to memory of 4076 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 100 PID 4072 wrote to memory of 2444 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 101 PID 4072 wrote to memory of 2444 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 101 PID 4072 wrote to memory of 2444 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 101 PID 4072 wrote to memory of 2040 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 102 PID 4072 wrote to memory of 2040 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 102 PID 4072 wrote to memory of 2040 4072 36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe 102 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103 PID 4504 wrote to memory of 4996 4504 msedge.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe"C:\Users\Admin\AppData\Local\Temp\36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC42⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c47183⤵PID:976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:23⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:83⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵PID:4084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:13⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:13⤵PID:2692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:13⤵PID:5240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:13⤵PID:5512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:13⤵PID:5740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:83⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:13⤵PID:6016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:13⤵PID:5480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:13⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:13⤵PID:1588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10336402671679254262,16437949736860781564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5548
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK42⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c47183⤵PID:116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9468344723019365520,15275979912446879624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c47183⤵PID:1144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:23⤵PID:4244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15066755397380843496,12676651319726238202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c47183⤵PID:368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16572939092700625471,12447531107561639958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5456
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nN6Z42⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd769c46f8,0x7ffd769c4708,0x7ffd769c47183⤵PID:1856
-
-
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 10523⤵
- Program crash
PID:4456
-
-
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3748
-
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416
-
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4076
-
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Program Files (x86)\Company\NewProduct\WW1.exe"C:\Program Files (x86)\Company\NewProduct\WW1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1836
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2616
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5448
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5028 -ip 50281⤵PID:5196
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
Filesize
274KB
MD5a62d25b9a70fe5e4be932036814e6832
SHA1e1571597ff7648d6c7e8eb013d04d00b129343c7
SHA256904b8d3d5fe952b833e0815e1b90ac21f86ff16749be122e7632824348d29f62
SHA5120a6a97b2cd9a60393eef4006d78b676cf199244ef4369321b6d0de145b3e067393dde68ec5550215cd77f5ae0553ffaacf24f862fddefbc87f78ca86c82235e6
-
Filesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
Filesize
669KB
MD5b5942a0be0b72e121dadb762044f38cc
SHA1885909607a9747c11eac6cc47b775ad947980c5e
SHA256c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1
SHA512d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7
-
Filesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
Filesize
274KB
MD56f6b64ee71021439e50f32cfea2c19a9
SHA1a7d0b57904e9572ff9994f656c50daf55068cd75
SHA2563bd07a00c9e492bdd65b36dbe6fd91c30bfa2c8ced7e627f35011e5356c7e1d2
SHA5120ab19e6bcedd6eef3347133208fcb275ffbf534176fe09f6c5d9e715ef3db4704abb0491d974be8858eda129e3706982999626a649780666a1a24972c6084ae0
-
Filesize
246KB
MD5414ffd7094c0f50662ffa508ca43b7d0
SHA16ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
SHA256d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
SHA512c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
180B
MD54bc8a3540a546cfe044e0ed1a0a22a95
SHA15387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf
-
Filesize
6KB
MD5ebc2ad9b363246f657597a910db90ea1
SHA13141685f1b8a71ccb6f31bb03bddf02dc96e934a
SHA256bd84e714dda99a6dd15843a6fc9058c5c9e46224699172e6c825633a8106e085
SHA512d30cae8c636f88af3bcffb6bfa6d488a301a108177cea5a917e0c01dc530aaac05d6b601832fb861af8caca550edeb951d262a13cda5b440a74fae23bb57d7ed
-
Filesize
6KB
MD5a6723b587e9aa1e8cf436de063cf1313
SHA1c16969503ceddf7936a31804acfaef9ae43660df
SHA256b5f445201271ab289306011c6e691088b743053bf3e9eb8edc1fced86aba20d9
SHA512c49a5ae019564d22f1d1f0b735657be610dc0ee1ee0369700e0df87126aae85a1835bffca92c5c301e9db075672f3e7c18f0239206f5f70327bd13a1572772d9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5bbec8b8e7f07e0f154eaaca6ec06d185
SHA132bb658fa3a1bfdd2b93414757ed3658e9114ef2
SHA25630fd4591aa5600a66a2703102f6524b5a795dd0383367081067b730d28104ec9
SHA512118151a5fd6cbb9622eaed43b7d62320624d5368b18cf24d48eb6eade0a8bb67a74574300feaa160e6a7b5cdd0f3d2ae52b67f8b97053a6ea2e2bb9f2feb0a62
-
Filesize
8KB
MD58a30d2eaa3946ecd30816899e9dfe76d
SHA188b5600301430c00643705d484db805e0d69106f
SHA2561470a1b431e15ebdeba1c8553526c69c4feb02f314d03236eb3a3d860f9afdba
SHA512d5eff5ca49e909d6545115de1a989ac851fb3f806984d1f24b631fea07d176365b10fdfadf1ef249a998b58fe3cb9c245887cfd0781ef8c9061d0dacf99761e6
-
Filesize
8KB
MD519fa2c7b730740819bce3e8bed55d30e
SHA19364a6a0fb470c7debbfb4af3fa9fffe5d4093fc
SHA2564acaa77ac43f333c28bcaba3201763a262cf5d51a260b7a781823bf532f340f8
SHA51257ad96d5ecb1daf828b6dd3006182be2c4133e88ed2cc2320a9010212512e0fb17e1ea053397dd584e259ecb878cf045ade8d301142d2ab736f4634e05091515
-
Filesize
11KB
MD581a4355e6e8b6958f17b5d08b227f20d
SHA14c25e310760c1011cc05f868068613fdc76abcf8
SHA256a67958ad3af018e130e79ff00c9f2bb7d9fd6ca606207e4dd519b2b874aa44a1
SHA51240b675c503bb2826a2bb5ac9475573b44959115700d3a5dca6253cb1b39258e59deedcada61aef1a67bf4c479bfaa159ec6977c43e19f97e4f7a7a927c2e29ad