raccoon | 3ddb787dc820ae5ac61121bc0ff42e0cc86164f00bbe694d524497bd03123e93

Resubmissions

31/03/2025, 00:46

250331-a4vs3sztev 10

10/03/2025, 05:28

10/11/2024, 23:53

09/11/2024, 01:37

09/11/2024, 01:31

Analysis

max time kernel
48s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4df70b068c231a06bb8fcc5a256e34.exe
Size

929KB
MD5

0b4df70b068c231a06bb8fcc5a256e34
SHA1

29ecfc8234162b43674d90e137546a4ecd4f65d7
SHA256

3ddb787dc820ae5ac61121bc0ff42e0cc86164f00bbe694d524497bd03123e93
SHA512

603a19c3c084bd71dbeda26d34d3d179d1c7f1eb23f4f411a83cbb4d365482885794763fa0d9711dbb6a383a32e60e8ec50aeacce7b87c859b70bf8998ff958b
SSDEEP

24576:pAT8QE+krVNpJc7Y/sDZ0239GhjS9knREHXsW02EhY:pAI+wNpJc7Y60EGhjSmE3sW02EhY

Score

10^/10

raccoon redline 4 5076357887 76426c3f362f5a47a469f0e9d8bc3eef @tag12312341 afb5c633c4650f69312baef49db9dfa4 nam3 ruxarr_gg discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Raccoon family
raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7b-175.dat	family_redline
behavioral2/memory/6308-179-0x0000000000620000-0x0000000000640000-memory.dmp	family_redline
behavioral2/files/0x000a000000023b7e-208.dat	family_redline
behavioral2/files/0x000a000000023b7f-201.dat	family_redline
behavioral2/memory/6572-209-0x00000000001E0000-0x0000000000224000-memory.dmp	family_redline
behavioral2/files/0x000a000000023b80-212.dat	family_redline
behavioral2/memory/6668-220-0x00000000003B0000-0x00000000003D0000-memory.dmp	family_redline
behavioral2/files/0x000a000000023b81-231.dat	family_redline
behavioral2/memory/6788-242-0x0000000000570000-0x0000000000590000-memory.dmp	family_redline
behavioral2/memory/6884-266-0x00000000006F0000-0x0000000000710000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	0b4df70b068c231a06bb8fcc5a256e34.exe

Executes dropped EXE 11 IoCs

pid	Process
6020	F0geI.exe
6240	kukurzka9000.exe
6308	namdoitntn.exe
6472	nuplat.exe
6504	real.exe
6572	safert44.exe
6668	tag.exe
6788	jshainx.exe
6884	ffnameedit.exe
6952	rawxdev.exe
7032	EU1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	iplogger.org
8	iplogger.org

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	0b4df70b068c231a06bb8fcc5a256e34.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	0b4df70b068c231a06bb8fcc5a256e34.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6540	6504	WerFault.exe	129
5024	6020	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b4df70b068c231a06bb8fcc5a256e34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0geI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukurzka9000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namdoitntn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuplat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safert44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jshainx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffnameedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	real.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rawxdev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EU1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
5448	msedge.exe
5448	msedge.exe
492	msedge.exe
492	msedge.exe
2828	msedge.exe
2828	msedge.exe
3876	msedge.exe
3876	msedge.exe
1316	msedge.exe
1316	msedge.exe
5052	identity_helper.exe
5052	identity_helper.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	7148	taskmgr.exe
Token: SeSystemProfilePrivilege	7148	taskmgr.exe
Token: SeCreateGlobalPrivilege	7148	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe
7148	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 492	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	87
PID 1988 wrote to memory of 492	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	87
PID 492 wrote to memory of 3080	492	msedge.exe	88
PID 492 wrote to memory of 3080	492	msedge.exe	88
PID 1988 wrote to memory of 1772	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	89
PID 1988 wrote to memory of 1772	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	89
PID 1772 wrote to memory of 2492	1772	msedge.exe	90
PID 1772 wrote to memory of 2492	1772	msedge.exe	90
PID 1988 wrote to memory of 3740	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	91
PID 1988 wrote to memory of 3740	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	91
PID 3740 wrote to memory of 4080	3740	msedge.exe	92
PID 3740 wrote to memory of 4080	3740	msedge.exe	92
PID 1988 wrote to memory of 1920	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	93
PID 1988 wrote to memory of 1920	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	93
PID 1920 wrote to memory of 5048	1920	msedge.exe	94
PID 1920 wrote to memory of 5048	1920	msedge.exe	94
PID 1988 wrote to memory of 3712	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	95
PID 1988 wrote to memory of 3712	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	95
PID 3712 wrote to memory of 5216	3712	msedge.exe	96
PID 3712 wrote to memory of 5216	3712	msedge.exe	96
PID 1988 wrote to memory of 2780	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	97
PID 1988 wrote to memory of 2780	1988	0b4df70b068c231a06bb8fcc5a256e34.exe	97
PID 2780 wrote to memory of 1872	2780	msedge.exe	98
PID 2780 wrote to memory of 1872	2780	msedge.exe	98
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99
PID 492 wrote to memory of 1144	492	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\0b4df70b068c231a06bb8fcc5a256e34.exe
"C:\Users\Admin\AppData\Local\Temp\0b4df70b068c231a06bb8fcc5a256e34.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
    3⤵
    PID:5652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    3⤵
    PID:5556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:6200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:6380
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
    3⤵
    PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13363000846321005949,9835260543836557975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    3⤵
    PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,10450622782865810660,1364111380689877056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,10450622782865810660,1364111380689877056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,2469086029311251369,16726401438136036082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4760392452462083419,945276618543976586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:5216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,11361490975799842560,2639700688579362241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nhGL4
  2⤵
  PID:2640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3AZ4
  2⤵
  PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AUSZ4
  2⤵
  PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc7946f8,0x7ff9cc794708,0x7ff9cc794718
    3⤵
    PID:1048
- C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 764
    3⤵
    - Program crash
    PID:5024
- C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6240
- C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6308
- C:\Program Files (x86)\Company\NewProduct\nuplat.exe
  "C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6472
- C:\Program Files (x86)\Company\NewProduct\real.exe
  "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 1320
    3⤵
    - Program crash
    PID:6540
- C:\Program Files (x86)\Company\NewProduct\safert44.exe
  "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6572
- C:\Program Files (x86)\Company\NewProduct\tag.exe
  "C:\Program Files (x86)\Company\NewProduct\tag.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6668
- C:\Program Files (x86)\Company\NewProduct\jshainx.exe
  "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6788
- C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
  "C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6884
- C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
  "C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6952
- C:\Program Files (x86)\Company\NewProduct\EU1.exe
  "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6504 -ip 6504
1⤵
PID:6480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6020 -ip 6020
1⤵
PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe

Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe

Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe

Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe

Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe

Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe

Filesize
287KB

MD5
3434d57b4ceb54b8c85974e652175294

SHA1
6d0c7e6b7f61b73564b06ac2020a2674d227bac4

SHA256
cdd49958dd7504d9d1753899815a1542056372222687442e5b5c7fbd2993039e

SHA512
f06fa676d10ff4f5f5c20d00e06ad94895e059724fea47cdf727bd278d9a3ba9daec26f5a0695cb74d87967d6d8020e14305e82725d5bc8c421c095e6704d9aa

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe

Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe

Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe

Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2b32e1c5605e4b4176bdc4c75d1ebdb

SHA1
9b4923fc5ca3f66505f80359bec43565e47f2499

SHA256
995e6a236854f2afcd1119ab88f5094901f24b4a19cd614ae2dfc4e48f2ffffe

SHA512
dbc28a6ff556d3c7a135bff84caf7a11664c3807f6dd970fa9ed64807a1c3f2ccb729c941536d0c6f27d4cf434caac3d225a55cbf5dbbc5fea7f6fd0037ac431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
101435dbdc4b346b37a2ad9516fde6ac

SHA1
58eecd7cdb6781a17974c9b97718726baf200551

SHA256
93b33654bfd653df282c98405bde86d3f05fa33d0100813f52b8349c56637800

SHA512
70f9864ff913aa547aa1563f9046b6685984ab97e2dd3cde3c198cae56943b7d353f8aa38a148f2a2b451e1a7459cb5e7acb87fb611aeea8e71f57a6f2de89f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9d48992358c24a971b1e8e2b6aa5e80

SHA1
859de31cda41a0d222c6f6ccfa0b441fbfef744e

SHA256
d21044114149f1fb9dd655f95a7b5a36522b21c57157c6170e306ca82fc638f8

SHA512
69ccc17f6725a1817bdf7e2628d30b82652507ea574803c9620cb1f16d580a909882aba90b2c002527742fcfbe395efc0b546d47c2e0a372b18678aee4352dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
46a111958501789aae0d93552b027504

SHA1
09edc5f6493ca5effce7958ebba5a5689e691cb1

SHA256
e50ba88e15c6fa296c1f02fbedb41062a011c5ee3071c5fc1660585e21d596eb

SHA512
2d1f6f70dd14edad6546228ae7c8ee59631524f6abc21bf9c1cd24760bb52abc1500901b4c27566336ce217a07eb51c2f865a184065bd74659e12448660fae30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17c68f238099d6cab71aee1f8bdf2584

SHA1
b1e68927c5e13d57734f872218d7297df1557b5a

SHA256
eba5a3f63faa40ba1d73f9d79feac3c9bc92104aca320acf0f77ae1623605c76

SHA512
b8d4c3689af116c291cb9f441f9a677566912d8668d192bd740677cec96e5d6290a75a8551dcccd75dd5a66e72d5f88417cafed5daa5feeb1c6fef5920d627e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f977ac0d1f905370b94d37d572f4eb93

SHA1
b401efe9d4048b913ddb26e730b5dcd3cfeaeaa9

SHA256
724c57df53f819437d8b850e00b8978e91ca55a20f59fbed363d07eb250ee237

SHA512
c8caa29357b910ef5ae635f6fe3399e38c8ae510ebcd04bbe60fb23b153ba52c78f7ba8a54510db471eea8234cf101af8cfd225c630860c248c716ee5e68e9e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
33108bfdb1fb85bcad4f5e3488e1454f

SHA1
5abc7c3e816d169ea9b0184906ff0170fc149e8b

SHA256
a2207bdfd0f9661e583e11fd5debe0416ed2b92086507c38560818e71223fcaf

SHA512
bbf140946d0c54a4893980e7bbfcb3b8f73eedfc83f310c8d4b79d3ef426f480fe2f251b740a74dc17672b2d945e7876a965fdb56bc37fc03621a28096ea24e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
49caef93ed9e33d4b51c9e5a66d89eeb

SHA1
cb7b9d089653f270715459ea8039646c1e420858

SHA256
1c09ddd5deabe47474445ac23fa9127d68932ef337e9fc51360cc6d1151220e7

SHA512
71a3da064b8cd1019ff0f2e6c9306cdb572e6e773641b2803fa28b3aead7544f02ae790dfa46ee4b7819ed51c3a65bec7d50858b0a6a659ca9babcb23d3d2707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59d483f1a3d927602bd0e44d1a43d3a1

SHA1
13e83feb4a2da1bf77e73a655ea54f8df4fe6fdc

SHA256
bc1134de6ad08f92d871fc58da8640caf1fe3d8fd764821e7814b61c0753e896

SHA512
a809c078c9309378bd0d7deb7e0284f43b076b736e9955acfb843cc707b34567b3e9539f70f5fd576c3dae18aa585f606de170cac50bce016b363daaf5d073cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b439575a46e38546e5d267569687f4d

SHA1
0f20dab54daf5175b1a2cd6349f969f6629cbdc2

SHA256
e4f10433722ea919b12d8def21e40a6a62edc26f1f5556fd0076984160a50981

SHA512
642ac27955656d3aba62cdd11e468a2a28f3bb5d59a42c2a3ca2e9a011eef3912b09d1ad37ae57f400aed6665befc0e770b40e1a84636424b9ea139cdc1c725e

Download Submit
memory/1988-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-354-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/6240-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/6308-240-0x0000000007490000-0x000000000759A000-memory.dmp

Filesize
1.0MB

Download
memory/6308-238-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/6308-179-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/6572-209-0x00000000001E0000-0x0000000000224000-memory.dmp

Filesize
272KB

Download
memory/6572-227-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/6668-243-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/6668-250-0x0000000004CD0000-0x0000000004D1C000-memory.dmp

Filesize
304KB

Download
memory/6668-220-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/6668-229-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/6788-242-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/6884-266-0x00000000006F0000-0x0000000000710000-memory.dmp

Filesize
128KB

Download
memory/7148-376-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-375-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-386-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-385-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-384-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-383-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-382-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-381-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-380-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download
memory/7148-374-0x000002646CD30000-0x000002646CD31000-memory.dmp

Filesize
4KB

Download