Overview

overview

10

Static

static

3

29d877367d...14.exe

windows7-x64

10

29d877367d...14.exe

windows10-2004-x64

10

Resubmissions

24-10-2024 19:39

241024-ydfs8s1hqn 10

22-10-2024 18:15

241022-wvzassxhmc 10

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe

  • Size

    916KB

  • MD5

    507d8b23a93c2f5832c2585f1a6b602d

  • SHA1

    657ccb76cf81e45114364e8ee287dce0257bc835

  • SHA256

    29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514

  • SHA512

    f7a3aa549267e6d84d0664ad152bf46ec87c606bc74e29750f2a5725a8fa0aef23f87362eee11cf9c6c7855d30c3592baa77f38975d47ab351d04ff64c6528ac

  • SSDEEP

    24576:pAT8QE+kEVNpJc7Ycw4Th7k16ThM5dJ5Om46EYjdnx+Z3:pAI+bNpJc7Yc7dXUxOm46Fnx+Z3

Score
10/10
raccoonredline5507635788776426c3f362f5a47a469f0e9d8bc3eefafb5c633c4650f69312baef49db9dfa4nam3discoveryinfostealerstealer

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes
  • auth_value

    0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes
  • auth_value

    d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://193.56.146.177

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

C2

http://45.95.11.158/

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe
    "C:\Users\Admin\AppData\Local\Temp\29d877367db8db212c287c1d00ae96b837c492a7053d945a16db52ab100eb514.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e4718
        3⤵
          PID:4264
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
          3⤵
            PID:2388
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
            3⤵
              PID:620
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
              3⤵
                PID:400
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                3⤵
                  PID:4792
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                  3⤵
                    PID:1680
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
                    3⤵
                      PID:5468
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
                      3⤵
                        PID:5936
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
                        3⤵
                          PID:6060
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
                          3⤵
                            PID:3580
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
                            3⤵
                              PID:1868
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
                              3⤵
                                PID:5780
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
                                3⤵
                                  PID:5240
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4980
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
                                  3⤵
                                    PID:1528
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
                                    3⤵
                                      PID:3488
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16420470912284828183,5079714292084001279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5656 /prefetch:2
                                      3⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:5180
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1976
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e4718
                                      3⤵
                                        PID:5060
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11043691283459480336,6274547663049106886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
                                        3⤵
                                          PID:4272
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11043691283459480336,6274547663049106886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
                                          3⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4368
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
                                        2⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2652
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e4718
                                          3⤵
                                            PID:680
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5629739035267337456,18306117798792498604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
                                            3⤵
                                              PID:2564
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5629739035267337456,18306117798792498604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4200
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3616
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e4718
                                              3⤵
                                                PID:3664
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,13672541149001723340,6478405772077483497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
                                                3⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5316
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nN6Z4
                                              2⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:4504
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb850e46f8,0x7ffb850e4708,0x7ffb850e4718
                                                3⤵
                                                  PID:3452
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,34558849809603229,6953653269744041957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
                                                  3⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5760
                                              • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
                                                "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2736
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 760
                                                  3⤵
                                                  • Program crash
                                                  PID:4404
                                              • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
                                                "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2916
                                              • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
                                                "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:920
                                              • C:\Program Files (x86)\Company\NewProduct\real.exe
                                                "C:\Program Files (x86)\Company\NewProduct\real.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:768
                                              • C:\Program Files (x86)\Company\NewProduct\safert44.exe
                                                "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2616
                                              • C:\Program Files (x86)\Company\NewProduct\jshainx.exe
                                                "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2840
                                              • C:\Program Files (x86)\Company\NewProduct\me.exe
                                                "C:\Program Files (x86)\Company\NewProduct\me.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:216
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:5356
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:5880
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 2736
                                                  1⤵
                                                    PID:4620

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
                                                    Filesize

                                                    339KB

                                                    MD5

                                                    501e0f6fa90340e3d7ff26f276cd582e

                                                    SHA1

                                                    1bce4a6153f71719e786f8f612fbfcd23d3e130a

                                                    SHA256

                                                    f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

                                                    SHA512

                                                    dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\jshainx.exe
                                                    Filesize

                                                    107KB

                                                    MD5

                                                    2647a5be31a41a39bf2497125018dbce

                                                    SHA1

                                                    a1ac856b9d6556f5bb3370f0342914eb7cbb8840

                                                    SHA256

                                                    84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

                                                    SHA512

                                                    68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
                                                    Filesize

                                                    669KB

                                                    MD5

                                                    b5942a0be0b72e121dadb762044f38cc

                                                    SHA1

                                                    885909607a9747c11eac6cc47b775ad947980c5e

                                                    SHA256

                                                    c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1

                                                    SHA512

                                                    d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\me.exe
                                                    Filesize

                                                    274KB

                                                    MD5

                                                    2eee4c301ce357df8f235957fcb774b3

                                                    SHA1

                                                    f9fd1eac58b5f40475269a1e8eb1675227e2389c

                                                    SHA256

                                                    66cc79df9054fda09648b64a230427d4a574f8349de871e922fbd20432b431f1

                                                    SHA512

                                                    590589c3f8ee16f12539b943ba04402771372fe7748fb689c03b5681466ec8d3f3778007224e0a7fac1413f188aaee59a754cad2d0194af1130a8ad3191466fc

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
                                                    Filesize

                                                    107KB

                                                    MD5

                                                    bbd8ea73b7626e0ca5b91d355df39b7f

                                                    SHA1

                                                    66e298653beb7f652eb44922010910ced6242879

                                                    SHA256

                                                    1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

                                                    SHA512

                                                    625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\real.exe
                                                    Filesize

                                                    275KB

                                                    MD5

                                                    a2414bb5522d3844b6c9a84537d7ce43

                                                    SHA1

                                                    56c91fc4fe09ce07320c03f186f3d5d293a6089d

                                                    SHA256

                                                    31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

                                                    SHA512

                                                    408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

                                                    Download Submit

                                                  • C:\Program Files (x86)\Company\NewProduct\safert44.exe
                                                    Filesize

                                                    246KB

                                                    MD5

                                                    414ffd7094c0f50662ffa508ca43b7d0

                                                    SHA1

                                                    6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

                                                    SHA256

                                                    d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

                                                    SHA512

                                                    c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8fd3b63d-f5f2-4988-8cb6-eb1057783725.tmp
                                                    Filesize

                                                    11KB

                                                    MD5

                                                    c5d5d98b106118e788e4746fc3b8ea66

                                                    SHA1

                                                    371ce3b5b2b94b50a56b11485e719e512c7d888f

                                                    SHA256

                                                    272ef5c6b72d15046f33dbf8f0990c3b3f0b8c55dde82aa2ab1e4f6db3e6e86b

                                                    SHA512

                                                    3ca3d0bdfd8325d8350501c4b82e8edc240843330569bca88714778557c602dd3c4c66924318640a5022ca7a6b1682ecf694d2c886ef3c6eee029c285286e9c2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                    Filesize

                                                    152B

                                                    MD5

                                                    d22073dea53e79d9b824f27ac5e9813e

                                                    SHA1

                                                    6d8a7281241248431a1571e6ddc55798b01fa961

                                                    SHA256

                                                    86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                                                    SHA512

                                                    97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                    Filesize

                                                    152B

                                                    MD5

                                                    bffcefacce25cd03f3d5c9446ddb903d

                                                    SHA1

                                                    8923f84aa86db316d2f5c122fe3874bbe26f3bab

                                                    SHA256

                                                    23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                                                    SHA512

                                                    761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    b156d225d599c4486f34f1758c37ee35

                                                    SHA1

                                                    582e5d7914c948831dc1cdd7d686091f883ffc71

                                                    SHA256

                                                    4c4051c7becb89e1eb89d8323281782a2de2183cf1dd2accff3963797662fc18

                                                    SHA512

                                                    f1728d833a81ecc7a1f8f6e6d14fd755f4b2d25f10466b6ebc10164825dcc64d2b099b23f903ececc6c01a9301ad77041d01bf511f5eaf6209f0791f231faa7a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    a656e03cb24c6279754d9fc997f31fdb

                                                    SHA1

                                                    1cb183e4e8765e230b7cda144181c8dc34329133

                                                    SHA256

                                                    a350d89cb6f25273fedc15e14969751bb738588d07f03984e409d00db4257c21

                                                    SHA512

                                                    d65e1f8c69c9bd198f3c1efa14f42f0cc5268ebfc27bfba2717716cf41dc4de1a575c57bc7cbbd53a62739a8b84dfa6e76222ecce16b00de730ba97b070fdaed

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                    Filesize

                                                    16B

                                                    MD5

                                                    6752a1d65b201c13b62ea44016eb221f

                                                    SHA1

                                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                    SHA256

                                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                    SHA512

                                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    8KB

                                                    MD5

                                                    baf5ac683c87e4216301ee64bcd165cd

                                                    SHA1

                                                    577384038d7df02ccf985681509b46e2d2093d48

                                                    SHA256

                                                    6143a23cc551cda6ef8ff88d7197763a4bc82e5a3a97449279a0e13577a19d3e

                                                    SHA512

                                                    850f527d9c7b738550cab39023dcbd59f536682efb9e0c265b24a3a6fb04894bfcd88239781c12a19f69ef0a5a1ea28b43b734fb579c7563f2e10e82e19698e8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    8KB

                                                    MD5

                                                    bc6dbffa4f27a0f742e9a7212d8f2e80

                                                    SHA1

                                                    3297024e64f6fcb80536914ad4b0002e212a149c

                                                    SHA256

                                                    64495635e9081baae7b2bbf5e1472280e0ef2940f725456512f9e2d6190e0f24

                                                    SHA512

                                                    38f1c57ad3cdf18f3cdaedf87454641c21045790ab2b79b15be6af2261a80ac42ebc475330dbc7c6f73fa8ac10e3bd5875931c0c559cf1a062f5fab3767848d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    8KB

                                                    MD5

                                                    c7f20e09237192ec347f70d3df72bb2d

                                                    SHA1

                                                    58b8b4066b78b00d35eaa673f8665e6df804d28e

                                                    SHA256

                                                    68497910cb961f5e99c7e7c25ecbb881ef31e985082da1ac424242376d9edcd9

                                                    SHA512

                                                    013f744cc528cf2f1d239d0e05d6a821fef336f408af614a8e5a9a0bc2a5eb85912c7dae1e6d40679cd35476615c6d18293436c6cf2399cc186bd6d24a0b916e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    8KB

                                                    MD5

                                                    0ed2794541c161bce7ffa0f5a0eba8bb

                                                    SHA1

                                                    b8f229dacfac2c22542c7c15e4cbd37acdff80ca

                                                    SHA256

                                                    33b38f74bdc9cf1524276359725973f382e4ec719dfef21903c59e48349b3bcc

                                                    SHA512

                                                    1d45c39224ee1039ff017848ad4e2a17e507467382e5667a684369b12631863db202745a3bbf4088027758bb58852845980060b408a11e86df8b1857d18014c0

                                                    Download Submit

                                                  • \??\pipe\LOCAL\crashpad_1976_NGDCXZAUPAHJHPCI
                                                    MD5

                                                    d41d8cd98f00b204e9800998ecf8427e

                                                    SHA1

                                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                    SHA256

                                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                    SHA512

                                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                    Download Submit

                                                  • memory/920-165-0x00000000062F0000-0x0000000006908000-memory.dmp

                                                    Filesize

                                                    6.1MB

                                                    Download

                                                  • memory/920-176-0x0000000007C80000-0x0000000007D8A000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                    Download

                                                  • memory/920-178-0x0000000007E50000-0x0000000007E9C000-memory.dmp

                                                    Filesize

                                                    304KB

                                                    Download

                                                  • memory/920-177-0x0000000007E10000-0x0000000007E4C000-memory.dmp

                                                    Filesize

                                                    240KB

                                                    Download

                                                  • memory/920-167-0x0000000006220000-0x0000000006232000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/920-101-0x0000000000E80000-0x0000000000EA0000-memory.dmp

                                                    Filesize

                                                    128KB

                                                    Download

                                                  • memory/2616-130-0x0000000000B20000-0x0000000000B64000-memory.dmp

                                                    Filesize

                                                    272KB

                                                    Download

                                                  • memory/2616-144-0x00000000077E0000-0x00000000077E6000-memory.dmp

                                                    Filesize

                                                    24KB

                                                    Download

                                                  • memory/2736-280-0x0000000000400000-0x000000000046E000-memory.dmp

                                                    Filesize

                                                    440KB

                                                    Download

                                                  • memory/2840-155-0x0000000000580000-0x00000000005A0000-memory.dmp

                                                    Filesize

                                                    128KB

                                                    Download

                                                  • memory/2916-213-0x0000000000400000-0x00000000004AE000-memory.dmp

                                                    Filesize

                                                    696KB

                                                    Download

                                                  • memory/5020-168-0x0000000000400000-0x0000000000433000-memory.dmp

                                                    Filesize

                                                    204KB

                                                    Download