b3d279a0e5ebe89c26bb9f15f6d2c13234cbc81d43ab43b781cac355f21d20e1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp.exe
Size

1.7MB
MD5

7f915b8e7ad0130c05398792187d115f
SHA1

df292be5f2d3f3076d5c563375359c5d4d06e1b7
SHA256

c83827b5f37172f7023641b9089da7ca3f424f113501d74809974d3053eb406f
SHA512

ce029ffd4c1c699fdc023466b9dbe645f609fe60f9340deb95eab5d3becd780a9492df828f8964181992c86197f9f808e2ba1d28bf30c0207bbde796bf60a261

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

._cache_Temp.exeSynaptics.exe.._cache_Temp.exe

pid process

2696 ._cache_Temp.exe
4208 Synaptics.exe
4152 .._cache_Temp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Temp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation Temp.exe
Loads dropped DLL 3 IoCs

Processes:

.._cache_Temp.exeSynaptics.exe

pid process

4152 .._cache_Temp.exe
4152 .._cache_Temp.exe
4208 Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Temp.exe

pid	process
4152	.._cache_Temp.exe
4152	.._cache_Temp.exe
4208	Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Temp.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Temp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 3 IoCs

Processes:

.._cache_Temp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Íø½Ø.dll	.._cache_Temp.exe
File created	C:\Windows\SysWOW64\ESPI11.dll	.._cache_Temp.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	.._cache_Temp.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0213da40-7ab5-453d-b299-5d1c4a942578.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220521203423.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

Temp.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3288 EXCEL.EXE

pid	process
3288	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4628	msedge.exe
4628	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
2748	identity_helper.exe
2748	identity_helper.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4856 msedge.exe
4856 msedge.exe

pid	process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

pid	process
4856	msedge.exe
4856	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

._cache_Temp.exe.._cache_Temp.exeEXCEL.EXE

pid	process
2696	._cache_Temp.exe
2696	._cache_Temp.exe
2696	._cache_Temp.exe
2696	._cache_Temp.exe
4152	.._cache_Temp.exe
4152	.._cache_Temp.exe
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Temp.exe._cache_Temp.exeexplorer.exemsedge.exe

description	pid	process	target process
PID 1856 wrote to memory of 2696	1856	Temp.exe	._cache_Temp.exe
PID 1856 wrote to memory of 2696	1856	Temp.exe	._cache_Temp.exe
PID 1856 wrote to memory of 2696	1856	Temp.exe	._cache_Temp.exe
PID 1856 wrote to memory of 4208	1856	Temp.exe	Synaptics.exe
PID 1856 wrote to memory of 4208	1856	Temp.exe	Synaptics.exe
PID 1856 wrote to memory of 4208	1856	Temp.exe	Synaptics.exe
PID 2696 wrote to memory of 4152	2696	._cache_Temp.exe	.._cache_Temp.exe
PID 2696 wrote to memory of 4152	2696	._cache_Temp.exe	.._cache_Temp.exe
PID 2696 wrote to memory of 4152	2696	._cache_Temp.exe	.._cache_Temp.exe
PID 2696 wrote to memory of 4092	2696	._cache_Temp.exe	explorer.exe
PID 2696 wrote to memory of 4092	2696	._cache_Temp.exe	explorer.exe
PID 2696 wrote to memory of 4092	2696	._cache_Temp.exe	explorer.exe
PID 620 wrote to memory of 4856	620	explorer.exe	msedge.exe
PID 620 wrote to memory of 4856	620	explorer.exe	msedge.exe
PID 4856 wrote to memory of 2528	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 2528	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 1488	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 4628	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 4628	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3832	4856	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Temp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SysWOW64\explorer.exe
explorer.exe "http://www.xianyoukm.com "
3⤵
PID:4092

C:\Windows\SysWOW64\explorer.exe
explorer.exe "http://zhongwangpp.com"
3⤵
PID:1624

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4208

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.xianyoukm.com/
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff89ab846f8,0x7ff89ab84708,0x7ff89ab84718
3⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
3⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
3⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
3⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:8
3⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
3⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
3⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
3⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
3⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
3⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:8
3⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff76cae5460,0x7ff76cae5470,0x7ff76cae5480
4⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
3⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7336 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
3⤵
PID:800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://zhongwangpp.com/
2⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89ab846f8,0x7ff89ab84708,0x7ff89ab84718
3⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
0a76133f89a377e4f419a1dd01dd0416

SHA1
df2e3fcbcedabad9d1d562deb02bf4bc9ca0fbfb

SHA256
1534cf31f5ccd6f46e3b9b411bd7d9e2bfbfd64326f0c69fc7d8cfcd59d63302

SHA512
073864af16fe2173a9bbb9a7abc163411d905d90b0036974146157b5b3883fedd1396a3e70b61e987a644cc0fe54973d0881a4314c1438c37ef1ab3fe4a08851

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
0a76133f89a377e4f419a1dd01dd0416

SHA1
df2e3fcbcedabad9d1d562deb02bf4bc9ca0fbfb

SHA256
1534cf31f5ccd6f46e3b9b411bd7d9e2bfbfd64326f0c69fc7d8cfcd59d63302

SHA512
073864af16fe2173a9bbb9a7abc163411d905d90b0036974146157b5b3883fedd1396a3e70b61e987a644cc0fe54973d0881a4314c1438c37ef1ab3fe4a08851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
Filesize
960KB

MD5
4dc238ef9ede3451bf66d844ebbfd3c3

SHA1
1d3b9943a2b81916b94320d4438b219d7b65e98c

SHA256
0d5e403adabc86e74abf515e7f543933f6e7c56eb001f09a9d6fee8ad5d31319

SHA512
eca1718bd575c35418c584b5fed763f66d874da1733655276f8256f983c5327d6ca5692eb04769f9a4e7dd34d27b078c1206a1740e5d94ea5f11bddd424d44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
Filesize
960KB

MD5
4dc238ef9ede3451bf66d844ebbfd3c3

SHA1
1d3b9943a2b81916b94320d4438b219d7b65e98c

SHA256
0d5e403adabc86e74abf515e7f543933f6e7c56eb001f09a9d6fee8ad5d31319

SHA512
eca1718bd575c35418c584b5fed763f66d874da1733655276f8256f983c5327d6ca5692eb04769f9a4e7dd34d27b078c1206a1740e5d94ea5f11bddd424d44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe
Filesize
992KB

MD5
fa2b9f8a883493d96b213cb3cbbc9d83

SHA1
25a742f7ac16754887dfedf21c9e8b589372adc3

SHA256
0aea839ca673e8506decfe77bc6789d096e66dc6b073e65db8959dc152dec370

SHA512
85c199f651862773bd7c629692324b8439c5f10541b4ba4fa5cce90a37bf4c05a2b41aadf1e1b8069cf650089b645f9dab384d80269d7e465c7d5598cd076030

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe
Filesize
992KB

MD5
fa2b9f8a883493d96b213cb3cbbc9d83

SHA1
25a742f7ac16754887dfedf21c9e8b589372adc3

SHA256
0aea839ca673e8506decfe77bc6789d096e66dc6b073e65db8959dc152dec370

SHA512
85c199f651862773bd7c629692324b8439c5f10541b4ba4fa5cce90a37bf4c05a2b41aadf1e1b8069cf650089b645f9dab384d80269d7e465c7d5598cd076030

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXr7oPl7.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\SysWOW64\ESPI11.dll
Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\ESPI11.dll
Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\ESPI11.dll
Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\Íø½Ø.dll
Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
\??\pipe\LOCAL\crashpad_4856_GXIMGQTPRZRYGRYG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-178-0x0000000000000000-mapping.dmp

Download
memory/800-190-0x0000000000000000-mapping.dmp

Download
memory/928-174-0x0000000000000000-mapping.dmp

Download
memory/964-161-0x0000000000000000-mapping.dmp

Download
memory/1096-162-0x0000000000000000-mapping.dmp

Download
memory/1304-180-0x0000000000000000-mapping.dmp

Download
memory/1488-152-0x0000000000000000-mapping.dmp

Download
memory/1624-157-0x0000000000000000-mapping.dmp

Download
memory/1852-159-0x0000000000000000-mapping.dmp

Download
memory/2004-172-0x0000000000000000-mapping.dmp

Download
memory/2088-163-0x0000000000000000-mapping.dmp

Download
memory/2416-167-0x0000000000000000-mapping.dmp

Download
memory/2424-182-0x0000000000000000-mapping.dmp

Download
memory/2528-143-0x0000000000000000-mapping.dmp

Download
memory/2692-169-0x0000000000000000-mapping.dmp

Download
memory/2696-130-0x0000000000000000-mapping.dmp

Download
memory/2748-185-0x0000000000000000-mapping.dmp

Download
memory/2832-183-0x0000000000000000-mapping.dmp

Download
memory/2832-187-0x0000000000000000-mapping.dmp

Download
memory/3288-150-0x00007FF876940000-0x00007FF876950000-memory.dmp

Filesize
64KB

Download
memory/3288-149-0x00007FF876940000-0x00007FF876950000-memory.dmp

Filesize
64KB

Download
memory/3288-148-0x00007FF878B50000-0x00007FF878B60000-memory.dmp

Filesize
64KB

Download
memory/3288-147-0x00007FF878B50000-0x00007FF878B60000-memory.dmp

Filesize
64KB

Download
memory/3288-146-0x00007FF878B50000-0x00007FF878B60000-memory.dmp

Filesize
64KB

Download
memory/3288-145-0x00007FF878B50000-0x00007FF878B60000-memory.dmp

Filesize
64KB

Download
memory/3288-144-0x00007FF878B50000-0x00007FF878B60000-memory.dmp

Filesize
64KB

Download
memory/3696-184-0x0000000000000000-mapping.dmp

Download
memory/3832-156-0x0000000000000000-mapping.dmp

Download
memory/4092-141-0x0000000000000000-mapping.dmp

Download
memory/4152-136-0x0000000000000000-mapping.dmp

Download
memory/4208-133-0x0000000000000000-mapping.dmp

Download
memory/4628-153-0x0000000000000000-mapping.dmp

Download
memory/4856-142-0x0000000000000000-mapping.dmp

Download
memory/5060-188-0x0000000000000000-mapping.dmp

Download