Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:33
Static task: static1
Behavioral task: behavioral1
- Sample: ??QQ????.url
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ??QQ????.url
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: Temp.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: Temp.exe
- Resource: win10v2004-20220414-en
General
- Target: Temp.exe
- Size: 1.7MB
- MD5: 7f915b8e7ad0130c05398792187d115f
- SHA1: df292be5f2d3f3076d5c563375359c5d4d06e1b7
- SHA256: c83827b5f37172f7023641b9089da7ca3f424f113501d74809974d3053eb406f
- SHA512: ce029ffd4c1c699fdc023466b9dbe645f609fe60f9340deb95eab5d3becd780a9492df828f8964181992c86197f9f808e2ba1d28bf30c0207bbde796bf60a261
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2696  ._cache_Temp.exe
  4208  Synaptics.exe
  4152  .._cache_Temp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  Temp.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  4152  .._cache_Temp.exe
  4152  .._cache_Temp.exe
  4208  Synaptics.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  Temp.exe
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
-
Drops file in System32 directory 3 IoCs
Processes:
  description                   ioc  process
  File created                  C:\Windows\SysWOW64\Íø½Ø.dll  .._cache_Temp.exe
  File created                  C:\Windows\SysWOW64\ESPI11.dll  .._cache_Temp.exe
  File opened for modification  C:\Windows\SysWOW64\ESPI11.dll  .._cache_Temp.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
  description                   ioc  process
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0213da40-7ab5-453d-b299-5d1c4a942578.tmp  setup.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220521203423.pma  setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
  description        ioc  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
-
Modifies registry class 2 IoCs
Processes:
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Temp.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  3288  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
  pid   process
  4628  msedge.exe
  4628  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  2748  identity_helper.exe
  2748  identity_helper.exe
  5060  msedge.exe
  5060  msedge.exe
  5060  msedge.exe
  5060  msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
  pid   process
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
  4856  msedge.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  4856  msedge.exe
  4856  msedge.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
  pid   process
  2696  ._cache_Temp.exe
  2696  ._cache_Temp.exe
  2696  ._cache_Temp.exe
  2696  ._cache_Temp.exe
  4152  .._cache_Temp.exe
  4152  .._cache_Temp.exe
  3288  EXCEL.EXE
  3288  EXCEL.EXE
  3288  EXCEL.EXE
  3288  EXCEL.EXE
  3288  EXCEL.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                          pid   process            target process
  PID 1856 wrote to memory of 2696     1856  Temp.exe           ._cache_Temp.exe
  PID 1856 wrote to memory of 2696     1856  Temp.exe           ._cache_Temp.exe
  PID 1856 wrote to memory of 2696     1856  Temp.exe           ._cache_Temp.exe
  PID 1856 wrote to memory of 4208     1856  Temp.exe           Synaptics.exe
  PID 1856 wrote to memory of 4208     1856  Temp.exe           Synaptics.exe
  PID 1856 wrote to memory of 4208     1856  Temp.exe           Synaptics.exe
  PID 2696 wrote to memory of 4152     2696  ._cache_Temp.exe   .._cache_Temp.exe
  PID 2696 wrote to memory of 4152     2696  ._cache_Temp.exe   .._cache_Temp.exe
  PID 2696 wrote to memory of 4152     2696  ._cache_Temp.exe   .._cache_Temp.exe
  PID 2696 wrote to memory of 4092     2696  ._cache_Temp.exe   explorer.exe
  PID 2696 wrote to memory of 4092     2696  ._cache_Temp.exe   explorer.exe
  PID 2696 wrote to memory of 4092     2696  ._cache_Temp.exe   explorer.exe
  PID 620 wrote to memory of 4856      620   explorer.exe       msedge.exe
  PID 620 wrote to memory of 4856      620   explorer.exe       msedge.exe
  PID 4856 wrote to memory of 2528     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 2528     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 1488     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 4628     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 4628     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
  PID 4856 wrote to memory of 3832     4856  msedge.exe         msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Temp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe "http://www.xianyoukm.com "
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe "http://zhongwangpp.com"
  - C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.xianyoukm.com/
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff89ab846f8,0x7ff89ab84708,0x7ff89ab84718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff76cae5460,0x7ff76cae5470,0x7ff76cae5480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7336 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,4122104707109034236,11139581285343353079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://zhongwangpp.com/
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89ab846f8,0x7ff89ab84708,0x7ff89ab84718
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 753KB
  MD5: 0a76133f89a377e4f419a1dd01dd0416
  SHA1: df2e3fcbcedabad9d1d562deb02bf4bc9ca0fbfb
  SHA256: 1534cf31f5ccd6f46e3b9b411bd7d9e2bfbfd64326f0c69fc7d8cfcd59d63302
  SHA512: 073864af16fe2173a9bbb9a7abc163411d905d90b0036974146157b5b3883fedd1396a3e70b61e987a644cc0fe54973d0881a4314c1438c37ef1ab3fe4a08851
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 57df4904eea85aeb7b4d9b9d9130ecad
  SHA1: f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4
  SHA256: ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68
  SHA512: 9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 53473ab893aa74c050da4b15a702cea9
  SHA1: 85c34c1138235afa21eae7c142640358ee110a5d
  SHA256: 0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852
  SHA512: 3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d
- C:\Users\Admin\AppData\Local\Temp\.._cache_Temp.exe
  Filesize: 960KB
  MD5: 4dc238ef9ede3451bf66d844ebbfd3c3
  SHA1: 1d3b9943a2b81916b94320d4438b219d7b65e98c
  SHA256: 0d5e403adabc86e74abf515e7f543933f6e7c56eb001f09a9d6fee8ad5d31319
  SHA512: eca1718bd575c35418c584b5fed763f66d874da1733655276f8256f983c5327d6ca5692eb04769f9a4e7dd34d27b078c1206a1740e5d94ea5f11bddd424d44d6
- C:\Users\Admin\AppData\Local\Temp\._cache_Temp.exe
  Filesize: 992KB
  MD5: fa2b9f8a883493d96b213cb3cbbc9d83
  SHA1: 25a742f7ac16754887dfedf21c9e8b589372adc3
  SHA256: 0aea839ca673e8506decfe77bc6789d096e66dc6b073e65db8959dc152dec370
  SHA512: 85c199f651862773bd7c629692324b8439c5f10541b4ba4fa5cce90a37bf4c05a2b41aadf1e1b8069cf650089b645f9dab384d80269d7e465c7d5598cd076030
- C:\Users\Admin\AppData\Local\Temp\FXr7oPl7.xlsm
  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
- C:\Windows\SysWOW64\ESPI11.dll
  Filesize: 120KB
  MD5: b4c2caaa15d4e505ad2858ab15eafb58
  SHA1: a1c30a4d016f1c6bd3bf50e36767af8af166d59b
  SHA256: 93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1
  SHA512: 09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2
- C:\Windows\SysWOW64\Íø½Ø.dll
  Filesize: 120KB
  MD5: b4c2caaa15d4e505ad2858ab15eafb58
  SHA1: a1c30a4d016f1c6bd3bf50e36767af8af166d59b
  SHA256: 93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1
  SHA512: 09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2
- \??\pipe\LOCAL\crashpad_4856_GXIMGQTPRZRYGRYG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/60-178-0x0000000000000000-mapping.dmp
- memory/800-190-0x0000000000000000-mapping.dmp
- memory/928-174-0x0000000000000000-mapping.dmp
- memory/964-161-0x0000000000000000-mapping.dmp
- memory/1096-162-0x0000000000000000-mapping.dmp
- memory/1304-180-0x0000000000000000-mapping.dmp
- memory/1488-152-0x0000000000000000-mapping.dmp
- memory/1624-157-0x0000000000000000-mapping.dmp
- memory/1852-159-0x0000000000000000-mapping.dmp
- memory/2004-172-0x0000000000000000-mapping.dmp
- memory/2088-163-0x0000000000000000-mapping.dmp
- memory/2416-167-0x0000000000000000-mapping.dmp
- memory/2424-182-0x0000000000000000-mapping.dmp
- memory/2528-143-0x0000000000000000-mapping.dmp
- memory/2692-169-0x0000000000000000-mapping.dmp
- memory/2696-130-0x0000000000000000-mapping.dmp
- memory/2748-185-0x0000000000000000-mapping.dmp
- memory/2832-183-0x0000000000000000-mapping.dmp
- memory/2832-187-0x0000000000000000-mapping.dmp
- memory/3288-150-0x00007FF876940000-0x00007FF876950000-memory.dmp
  Filesize: 64KB
- memory/3288-149-0x00007FF876940000-0x00007FF876950000-memory.dmp
  Filesize: 64KB
- memory/3288-148-0x00007FF878B50000-0x00007FF878B60000-memory.dmp
  Filesize: 64KB
- memory/3288-147-0x00007FF878B50000-0x00007FF878B60000-memory.dmp
  Filesize: 64KB
- memory/3288-146-0x00007FF878B50000-0x00007FF878B60000-memory.dmp
  Filesize: 64KB
- memory/3288-145-0x00007FF878B50000-0x00007FF878B60000-memory.dmp
  Filesize: 64KB
- memory/3288-144-0x00007FF878B50000-0x00007FF878B60000-memory.dmp
  Filesize: 64KB
- memory/3696-184-0x0000000000000000-mapping.dmp
- memory/3832-156-0x0000000000000000-mapping.dmp
- memory/4092-141-0x0000000000000000-mapping.dmp
- memory/4152-136-0x0000000000000000-mapping.dmp
- memory/4208-133-0x0000000000000000-mapping.dmp
- memory/4628-153-0x0000000000000000-mapping.dmp
- memory/4856-142-0x0000000000000000-mapping.dmp
- memory/5060-188-0x0000000000000000-mapping.dmp