ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
Size

600KB
MD5

62d8a4747068baebfe18c39189b48741
SHA1

48b2ebb2958fa8350e50405f7511959ad38118a4
SHA256

ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758
SHA512

0da9169e3ff94034ff31fa5988b66c58b42566e36f66f9ba0c31b720b1453fbf1426f67d1dcba8e94fc19decd3a4a2e3e6a3fcd5715a77fe92a0acc5a294fd9d
SSDEEP

12288:52JylsKT5eDQ4dvfLK2gWJJn4JJRJJJyAVJfJJGFkJLwP2ab4SRzSG:52Jyx1Yv93n4JJRJJJyAVJfJJGFkJLwz

Score

8^/10

microsoft persistence phishing

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2312	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp
1620	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
4516	GOG.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	GOG.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	GOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	GOG.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened (read-only)	\??\B:	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221004111422.pma	setup.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dd082fb0-256a-497c-b563-5a9cd608f8e4.tmp	setup.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\GOG.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
File opened for modification	C:\Windows\GOG.exe	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
File created	C:\Windows\GOG.exe	GOG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1"	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0"	GOG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4244	msedge.exe
4244	msedge.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4868	msedge.exe
4868	msedge.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe
4516	GOG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2312	5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe	82
PID 5040 wrote to memory of 2312	5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe	82
PID 5040 wrote to memory of 1620	5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe	83
PID 5040 wrote to memory of 1620	5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe	83
PID 5040 wrote to memory of 1620	5040	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe	83
PID 1620 wrote to memory of 4516	1620	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm	84
PID 1620 wrote to memory of 4516	1620	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm	84
PID 1620 wrote to memory of 4516	1620	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm	84
PID 2312 wrote to memory of 4868	2312	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp	85
PID 2312 wrote to memory of 4868	2312	ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp	85
PID 4868 wrote to memory of 3284	4868	msedge.exe	86
PID 4868 wrote to memory of 3284	4868	msedge.exe	86
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 5004	4868	msedge.exe	89
PID 4868 wrote to memory of 4244	4868	msedge.exe	90
PID 4868 wrote to memory of 4244	4868	msedge.exe	90
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92
PID 4868 wrote to memory of 3332	4868	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe
"C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp
  C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8180b46f8,0x7ff8180b4708,0x7ff8180b4718
      4⤵
      PID:3284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:2020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 /prefetch:8
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 /prefetch:8
      4⤵
      PID:2684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
      4⤵
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6e9ca5460,0x7ff6e9ca5470,0x7ff6e9ca5480
        5⤵
        
        PID:1380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
      4⤵
      PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
      4⤵
      PID:3900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:8
      4⤵
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:8
      4⤵
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
      4⤵
      PID:3236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,223337143757766649,15930989232985107345,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5124 /prefetch:2
      4⤵
      PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8180b46f8,0x7ff8180b4708,0x7ff8180b4718
      4⤵
      PID:1636
- C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm
  C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm /zhj
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\GOG.exe
    C:\Windows\GOG.exe /zhj
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f647a9024e00f209b4882586b48a6d1c

SHA1
825a1e51260086c4261315dbc9704e1848fe5ff7

SHA256
77614c9d1cb42c41c0ce0415aecc9a20823ba79bdcdb8a27e90be7a16c57229b

SHA512
84961cc97defa398b0053b40453db58198b3e5bd2ad59770707ed11eb282eff479664253e616427826b40377e6486cdc1676369324617e5b5b0262b904f2ca9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm

Filesize
584KB

MD5
7dee065ec770029499ede9a0c38bd2a6

SHA1
f74317a7a08ea31191e8c600507e6ad3a84515d3

SHA256
624305222d7acd7238139b047768cdc8c6f66b6fb2c05e0745ace4e9a81aeb14

SHA512
1e964153d2c6c1d16a26c98e37258f1f340f5abfe223493fe2698011c7e9c4119ee0ca504af1829830ff124a73c3b5a9d391905c31b2fc50cfaead44e5deb573

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.mm

Filesize
584KB

MD5
7dee065ec770029499ede9a0c38bd2a6

SHA1
f74317a7a08ea31191e8c600507e6ad3a84515d3

SHA256
624305222d7acd7238139b047768cdc8c6f66b6fb2c05e0745ace4e9a81aeb14

SHA512
1e964153d2c6c1d16a26c98e37258f1f340f5abfe223493fe2698011c7e9c4119ee0ca504af1829830ff124a73c3b5a9d391905c31b2fc50cfaead44e5deb573

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp

Filesize
16KB

MD5
6e8744fe68bce93805506bf94a959913

SHA1
dcbdc237d7885ea02156e1c9301b889efb773781

SHA256
a799b24cc1fa8eaf27b391fc2294c8e46e004a57a1ff3f2ab355505defacd63c

SHA512
0577e525b8e64102659853aa9df198f49a8ad7e6282f94408d6681dd68a6bf521ebc45825a5aefff4f36833fb6f95e2c9d4d5d5b2b762090fe4f9106110b1fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0f7e82bec3108c35e59738696b4f74314fed6c11a186f1c808f4c2f03a0758.tmp

Filesize
16KB

MD5
6e8744fe68bce93805506bf94a959913

SHA1
dcbdc237d7885ea02156e1c9301b889efb773781

SHA256
a799b24cc1fa8eaf27b391fc2294c8e46e004a57a1ff3f2ab355505defacd63c

SHA512
0577e525b8e64102659853aa9df198f49a8ad7e6282f94408d6681dd68a6bf521ebc45825a5aefff4f36833fb6f95e2c9d4d5d5b2b762090fe4f9106110b1fd2

Download Submit
C:\Windows\GOG.exe

Filesize
584KB

MD5
7dee065ec770029499ede9a0c38bd2a6

SHA1
f74317a7a08ea31191e8c600507e6ad3a84515d3

SHA256
624305222d7acd7238139b047768cdc8c6f66b6fb2c05e0745ace4e9a81aeb14

SHA512
1e964153d2c6c1d16a26c98e37258f1f340f5abfe223493fe2698011c7e9c4119ee0ca504af1829830ff124a73c3b5a9d391905c31b2fc50cfaead44e5deb573

Download Submit
C:\Windows\GOG.exe

Filesize
584KB

MD5
7dee065ec770029499ede9a0c38bd2a6

SHA1
f74317a7a08ea31191e8c600507e6ad3a84515d3

SHA256
624305222d7acd7238139b047768cdc8c6f66b6fb2c05e0745ace4e9a81aeb14

SHA512
1e964153d2c6c1d16a26c98e37258f1f340f5abfe223493fe2698011c7e9c4119ee0ca504af1829830ff124a73c3b5a9d391905c31b2fc50cfaead44e5deb573

Download Submit