Resubmissions
10-11-2024 23:53 241110-3xj28axlay 10
09-11-2024 01:37 241109-b1yk8svarc 10
09-11-2024 01:31 241109-bxmpkatkgv 10

Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 0b4df70b068c231a06bb8fcc5a256e34.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 0b4df70b068c231a06bb8fcc5a256e34.exe
  Resource: win10v2004-20241007-en
General
Target: 0b4df70b068c231a06bb8fcc5a256e34.exe
Size: 929KB
MD5: 0b4df70b068c231a06bb8fcc5a256e34
SHA1: 29ecfc8234162b43674d90e137546a4ecd4f65d7
SHA256: 3ddb787dc820ae5ac61121bc0ff42e0cc86164f00bbe694d524497bd03123e93
SHA512: 603a19c3c084bd71dbeda26d34d3d179d1c7f1eb23f4f411a83cbb4d365482885794763fa0d9711dbb6a383a32e60e8ec50aeacce7b87c859b70bf8998ff958b
SSDEEP: 24576:pAT8QE+krVNpJc7Y/sDZ0239GhjS9knREHXsW02EhY:pAI+wNpJc7Y60EGhjSmE3sW02EhY
Malware Config (extracted)
family | botnet | C2 | attributes
redline | 4 | 31.41.244.134:11643 | auth_value a516b2d034ecd34338f12b50347fbd92
redline | nam3 | 103.89.90.61:34589 | auth_value 64b900120bbceaa6a9c60e9079492895
redline | @tag12312341 | 62.204.41.144:14096 | auth_value 71466795417275fac01979e57016e277
redline | 5076357887 | 195.54.170.157:16525 | auth_value 0dfaff60271d374d0c206d19883e06f3
redline | RuXaRR_GG | insttaller.com:40915 | auth_value 4a733ff307847db3ee220c11d113a305
vidar | | https://t.me/babygun222, http://168.119.59.211:80, http://62.204.41.126:80 |
raccoon | afb5c633c4650f69312baef49db9dfa4 | http://193.56.146.177 | user_agent mozzzzzzzzzzz
raccoon | 76426c3f362f5a47a469f0e9d8bc3eef | http://45.95.11.158/ | user_agent mozzzzzzzzzzz
Signatures

Raccoon family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (10 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023cb7-159.dat | family_redline
behavioral2/files/0x0007000000023cbb-201.dat | family_redline
behavioral2/files/0x0007000000023cba-207.dat | family_redline
behavioral2/memory/6176-186-0x0000000000E80000-0x0000000000EA0000-memory.dmp | family_redline
behavioral2/files/0x0007000000023cbc-211.dat | family_redline
behavioral2/memory/6468-217-0x00000000009E0000-0x0000000000A24000-memory.dmp | family_redline
behavioral2/memory/6552-220-0x0000000000710000-0x0000000000730000-memory.dmp | family_redline
behavioral2/memory/6696-245-0x0000000000320000-0x0000000000340000-memory.dmp | family_redline
behavioral2/files/0x0007000000023cbd-253.dat | family_redline
behavioral2/memory/6808-262-0x00000000004B0000-0x00000000004D0000-memory.dmp | family_redline

Redline family

Vidar family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 0b4df70b068c231a06bb8fcc5a256e34.exe

Executes dropped EXE (22 IoCs)
pid | Process
6104 | F0geI.exe
5820 | kukurzka9000.exe
6176 | namdoitntn.exe
6300 | nuplat.exe
6392 | real.exe
6468 | safert44.exe
6552 | tag.exe
6696 | jshainx.exe
6808 | ffnameedit.exe
6860 | rawxdev.exe
6924 | EU1.exe
6512 | F0geI.exe
6660 | ffnameedit.exe
5788 | jshainx.exe
2556 | kukurzka9000.exe
5936 | namdoitntn.exe
408 | nuplat.exe
2356 | rawxdev.exe
2900 | real.exe
2652 | safert44.exe
3352 | tag.exe
5424 | EU1.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
8 | iplogger.org
9 | iplogger.org

Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jshainx.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\EU1.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\nuplat.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\real.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\safert44.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\rawxdev.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\F0geI.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\tag.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe | 0b4df70b068c231a06bb8fcc5a256e34.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
5560 | 6104 | WerFault.exe | 121

System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened (all 23 rows)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 23 rows)
Process, one per row: nuplat.exe, jshainx.exe, ffnameedit.exe, EU1.exe, rawxdev.exe, F0geI.exe, tag.exe, EU1.exe, namdoitntn.exe, nuplat.exe, real.exe, tag.exe, namdoitntn.exe, real.exe, F0geI.exe, kukurzka9000.exe, ffnameedit.exe, jshainx.exe, kukurzka9000.exe, 0b4df70b068c231a06bb8fcc5a256e34.exe, safert44.exe, rawxdev.exe, safert44.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (distinct pairs, duplicate rows collapsed)
2624 | msedge.exe
3620 | msedge.exe
4428 | msedge.exe
2908 | msedge.exe
5312 | msedge.exe
5668 | msedge.exe
4948 | identity_helper.exe
6336 | taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
pid | Process
2908 | msedge.exe (all 17 rows)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 6336 | taskmgr.exe
Token: SeSystemProfilePrivilege | 6336 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 6336 | taskmgr.exe
Token: SeSecurityPrivilege | 6336 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 6336 | taskmgr.exe
Token: 33 | 6336 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 6336 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process (distinct pairs, duplicate rows collapsed)
2908 | msedge.exe
6336 | taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process (distinct pairs, duplicate rows collapsed)
2908 | msedge.exe
6336 | taskmgr.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (distinct rows, duplicate rows collapsed)
PID 416 wrote to memory of 4264 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 85
PID 4264 wrote to memory of 3136 | 4264 | msedge.exe | 86
PID 416 wrote to memory of 2908 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 87
PID 2908 wrote to memory of 3120 | 2908 | msedge.exe | 88
PID 416 wrote to memory of 4848 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 89
PID 4848 wrote to memory of 1944 | 4848 | msedge.exe | 90
PID 416 wrote to memory of 2660 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 91
PID 2660 wrote to memory of 1108 | 2660 | msedge.exe | 92
PID 416 wrote to memory of 3752 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 93
PID 3752 wrote to memory of 4160 | 3752 | msedge.exe | 94
PID 416 wrote to memory of 4708 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 95
PID 4708 wrote to memory of 1044 | 4708 | msedge.exe | 96
PID 416 wrote to memory of 1692 | 416 | 0b4df70b068c231a06bb8fcc5a256e34.exe | 97
PID 2908 wrote to memory of 60 | 2908 | msedge.exe | 98 (all remaining rows)

Processes

[depth 1] PID 416: C:\Users\Admin\AppData\Local\Temp\0b4df70b068c231a06bb8fcc5a256e34.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b4df70b068c231a06bb8fcc5a256e34.exe"
  signatures: Checks computer location settings; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  [depth 2] PID 4264: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
    signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 3136: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff847234718
    [depth 3] PID 4304: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,3170710740860228285,12652433846405542950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
    [depth 3] PID 3620: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,3170710740860228285,12652433846405542950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
  [depth 2] PID 2908: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    [depth 3] PID 3120: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff847234718
    [depth 3] PID 60: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    [depth 3] PID 2624: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    [depth 3] PID 1168: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    [depth 3] PID 1812: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    [depth 3] PID 656: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    [depth 3] PID 5244: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
    [depth 3] PID 5620: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
    [depth 3] PID 5844: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
    [depth 3] PID 6052: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
    [depth 3] PID 6084: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
    [depth 3] PID 5596: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    [depth 3] PID 6148: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
    [depth 3] PID 6276: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    [depth 3] PID 6156: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
    [depth 3] PID 5952: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
    [depth 3] PID 6692: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
    [depth 3] PID 4948: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    [depth 3] PID 6120: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
    [depth 3] PID 4124: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    [depth 3] PID 5228: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2736 /prefetch:8
    [depth 3] PID 2000: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
    [depth 3] PID 5076: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
    [depth 3] PID 5952: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3525477851300412629,2607092534866949030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  [depth 2] PID 4848: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
    signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 1944: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff847234718
    [depth 3] PID 548: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4779591129343575710,2043815321510895541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4779591129343575710,2043815321510895541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4428
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
PID:2660
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:1108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,15799250919672400174,15250311063318499119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL42⤵
- Suspicious use of WriteProcessMemory
PID:3752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:4160
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18183868811383268768,10982086335783507323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5668
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Suspicious use of WriteProcessMemory
PID:4708
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:1044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL42⤵PID:1692
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:3516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ42⤵PID:5344
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:5372
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AUSZ42⤵PID:5864
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8472346f8,0x7ff847234708,0x7ff8472347183⤵PID:5908
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6104
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 12963⤵
- Program crash
PID:5560
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5820
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6176
C:\Program Files (x86)\Company\NewProduct\nuplat.exe"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6300
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6392
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6468
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6552
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6696
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6808
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6860
C:\Program Files (x86)\Company\NewProduct\EU1.exe"C:\Program Files (x86)\Company\NewProduct\EU1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6924
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5180
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5948
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6336
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6104 -ip 61041⤵PID:3020
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2612
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6512
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6660
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5788
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5936
C:\Program Files (x86)\Company\NewProduct\nuplat.exe"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3352
C:\Program Files (x86)\Company\NewProduct\EU1.exe"C:\Program Files (x86)\Company\NewProduct\EU1.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5424
Network
MITRE ATT&CK Enterprise v15
Downloads