Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 18:15
Static task
static1
Behavioral task
behavioral1
Sample
29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe
Resource
win10v2004-20241007-en
General
-
Target
29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe
-
Size
916KB
-
MD5
507d8b23a93c2f5832c2585f1a6b602d
-
SHA1
657ccb76cf81e45114364e8ee287dce0257bc835
-
SHA256
29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514
-
SHA512
f7a3aa549267e6d84d0664ad152bf46ec87c606bc74e29750f2a5725a8fa0aef23f87362eee11cf9c6c7855d30c3592baa77f38975d47ab351d04ff64c6528ac
-
SSDEEP
24576:pAT8QE+kEVNpJc7Ycw4Th7k16ThM5dJ5Om46EYjdnx+Z3:pAI+bNpJc7Yc7dXUxOm46Fnx+Z3
Malware Config
Extracted
redline
nam3
103.89.90.61:34589
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
redline
5
176.113.115.146:9582
-
auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f
Extracted
raccoon
afb5c633c4650f69312baef49db9dfa4
http://193.56.146.177
-
user_agent
mozzzzzzzzzzz
Extracted
raccoon
76426c3f362f5a47a469f0e9d8bc3eef
http://45.95.11.158/
-
user_agent
mozzzzzzzzzzz
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/files/0x0007000000023c87-70.dat family_redline behavioral2/memory/920-101-0x0000000000E80000-0x0000000000EA0000-memory.dmp family_redline behavioral2/files/0x0007000000023c89-105.dat family_redline behavioral2/files/0x0007000000023c8a-118.dat family_redline behavioral2/memory/2840-155-0x0000000000580000-0x00000000005A0000-memory.dmp family_redline behavioral2/memory/2616-130-0x0000000000B20000-0x0000000000B64000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe -
Executes dropped EXE 7 IoCs
pid Process 2736 F0geI.exe 2916 kukurzka9000.exe 920 namdoitntn.exe 768 real.exe 2616 safert44.exe 2840 jshainx.exe 216 me.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 iplogger.org 13 iplogger.org -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Company\NewProduct\jshainx.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\me.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\F0geI.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\real.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\safert44.exe 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4404 2736 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language me.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F0geI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kukurzka9000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language namdoitntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language real.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language safert44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jshainx.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4368 msedge.exe 4368 msedge.exe 2872 msedge.exe 2872 msedge.exe 4200 msedge.exe 4200 msedge.exe 5316 msedge.exe 5316 msedge.exe 5760 msedge.exe 5760 msedge.exe 4980 identity_helper.exe 4980 identity_helper.exe 5180 msedge.exe 5180 msedge.exe 5180 msedge.exe 5180 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe 2872 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5020 wrote to memory of 2872 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 87 PID 5020 wrote to memory of 2872 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 87 PID 2872 wrote to memory of 4264 2872 msedge.exe 88 PID 2872 wrote to memory of 4264 2872 msedge.exe 88 PID 5020 wrote to memory of 1976 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 89 PID 5020 wrote to memory of 1976 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 89 PID 1976 wrote to memory of 5060 1976 msedge.exe 90 PID 1976 wrote to memory of 5060 1976 msedge.exe 90 PID 5020 wrote to memory of 2652 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 91 PID 5020 wrote to memory of 2652 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 91 PID 2652 wrote to memory of 680 2652 msedge.exe 92 PID 2652 wrote to memory of 680 2652 msedge.exe 92 PID 5020 wrote to memory of 3616 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 93 PID 5020 wrote to memory of 3616 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 93 PID 3616 wrote to memory of 3664 3616 msedge.exe 94 PID 3616 wrote to memory of 3664 3616 msedge.exe 94 PID 5020 wrote to memory of 4504 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 95 PID 5020 wrote to memory of 4504 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 95 PID 4504 wrote to memory of 3452 4504 msedge.exe 96 PID 4504 wrote to memory of 3452 4504 msedge.exe 96 PID 5020 wrote to memory of 2736 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 97 PID 5020 wrote to memory of 2736 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 97 PID 5020 wrote to memory of 2736 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 97 PID 5020 wrote to memory of 2916 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 98 PID 5020 wrote to memory of 2916 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 98 PID 5020 wrote to memory of 2916 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 98 PID 5020 wrote to memory of 920 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 99 PID 5020 wrote to memory of 920 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 99 PID 5020 wrote to memory of 920 5020 29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe 99 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100 PID 2872 wrote to memory of 2388 2872 msedge.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe"C:\Users\Admin\AppData\Local\Temp\29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC42⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e47183⤵PID:4264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:23⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:33⤵PID:620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:83⤵PID:400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵PID:4792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:13⤵PID:1680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:13⤵PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:13⤵PID:5936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:13⤵PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:13⤵PID:3580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:13⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:13⤵PID:5780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:83⤵PID:5240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:13⤵PID:1528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:13⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5656 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5180
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK42⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e47183⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11043691283459480336,6274547663049106886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:23⤵PID:4272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11043691283459480336,6274547663049106886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e47183⤵PID:680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5629739035267337456,18306117798792498604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:23⤵PID:2564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5629739035267337456,18306117798792498604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e47183⤵PID:3664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,13672541149001723340,6478405772077483497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5316
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nN6Z42⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e47183⤵PID:3452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,34558849809603229,6953653269744041957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5760
-
-
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 7603⤵
- Program crash
PID:4404
-
-
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916
-
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920
-
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768
-
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\Program Files (x86)\Company\NewProduct\me.exe"C:\Program Files (x86)\Company\NewProduct\me.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5356
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5880
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 27361⤵PID:4620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
Filesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
Filesize
669KB
MD5b5942a0be0b72e121dadb762044f38cc
SHA1885909607a9747c11eac6cc47b775ad947980c5e
SHA256c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1
SHA512d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7
-
Filesize
274KB
MD52eee4c301ce357df8f235957fcb774b3
SHA1f9fd1eac58b5f40475269a1e8eb1675227e2389c
SHA25666cc79df9054fda09648b64a230427d4a574f8349de871e922fbd20432b431f1
SHA512590589c3f8ee16f12539b943ba04402771372fe7748fb689c03b5681466ec8d3f3778007224e0a7fac1413f188aaee59a754cad2d0194af1130a8ad3191466fc
-
Filesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
Filesize
275KB
MD5a2414bb5522d3844b6c9a84537d7ce43
SHA156c91fc4fe09ce07320c03f186f3d5d293a6089d
SHA25631f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173
SHA512408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60
-
Filesize
246KB
MD5414ffd7094c0f50662ffa508ca43b7d0
SHA16ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
SHA256d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
SHA512c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399
-
Filesize
11KB
MD5c5d5d98b106118e788e4746fc3b8ea66
SHA1371ce3b5b2b94b50a56b11485e719e512c7d888f
SHA256272ef5c6b72d15046f33dbf8f0990c3b3f0b8c55dde82aa2ab1e4f6db3e6e86b
SHA5123ca3d0bdfd8325d8350501c4b82e8edc240843330569bca88714778557c602dd3c4c66924318640a5022ca7a6b1682ecf694d2c886ef3c6eee029c285286e9c2
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
6KB
MD5b156d225d599c4486f34f1758c37ee35
SHA1582e5d7914c948831dc1cdd7d686091f883ffc71
SHA2564c4051c7becb89e1eb89d8323281782a2de2183cf1dd2accff3963797662fc18
SHA512f1728d833a81ecc7a1f8f6e6d14fd755f4b2d25f10466b6ebc10164825dcc64d2b099b23f903ececc6c01a9301ad77041d01bf511f5eaf6209f0791f231faa7a
-
Filesize
6KB
MD5a656e03cb24c6279754d9fc997f31fdb
SHA11cb183e4e8765e230b7cda144181c8dc34329133
SHA256a350d89cb6f25273fedc15e14969751bb738588d07f03984e409d00db4257c21
SHA512d65e1f8c69c9bd198f3c1efa14f42f0cc5268ebfc27bfba2717716cf41dc4de1a575c57bc7cbbd53a62739a8b84dfa6e76222ecce16b00de730ba97b070fdaed
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5baf5ac683c87e4216301ee64bcd165cd
SHA1577384038d7df02ccf985681509b46e2d2093d48
SHA2566143a23cc551cda6ef8ff88d7197763a4bc82e5a3a97449279a0e13577a19d3e
SHA512850f527d9c7b738550cab39023dcbd59f536682efb9e0c265b24a3a6fb04894bfcd88239781c12a19f69ef0a5a1ea28b43b734fb579c7563f2e10e82e19698e8
-
Filesize
8KB
MD5bc6dbffa4f27a0f742e9a7212d8f2e80
SHA13297024e64f6fcb80536914ad4b0002e212a149c
SHA25664495635e9081baae7b2bbf5e1472280e0ef2940f725456512f9e2d6190e0f24
SHA51238f1c57ad3cdf18f3cdaedf87454641c21045790ab2b79b15be6af2261a80ac42ebc475330dbc7c6f73fa8ac10e3bd5875931c0c559cf1a062f5fab3767848d2
-
Filesize
8KB
MD5c7f20e09237192ec347f70d3df72bb2d
SHA158b8b4066b78b00d35eaa673f8665e6df804d28e
SHA25668497910cb961f5e99c7e7c25ecbb881ef31e985082da1ac424242376d9edcd9
SHA512013f744cc528cf2f1d239d0e05d6a821fef336f408af614a8e5a9a0bc2a5eb85912c7dae1e6d40679cd35476615c6d18293436c6cf2399cc186bd6d24a0b916e
-
Filesize
8KB
MD50ed2794541c161bce7ffa0f5a0eba8bb
SHA1b8f229dacfac2c22542c7c15e4cbd37acdff80ca
SHA25633b38f74bdc9cf1524276359725973f382e4ec719dfef21903c59e48349b3bcc
SHA5121d45c39224ee1039ff017848ad4e2a17e507467382e5667a684369b12631863db202745a3bbf4088027758bb58852845980060b408a11e86df8b1857d18014c0