54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
Size

1.6MB
MD5

f84e4dd9cddd7925078a10cae8009c31
SHA1

97a94ed43ec689934fe7af84f9570194570fc781
SHA256

54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2
SHA512

3e0d7c91b144ef52ad988e53a80a1b4457d9b77e5350341f4706b2707abc5b416aa761d1c35fdd4c13c5b5bdc935670e2ee957fe62c296c3d6dab8876a2c513b
SSDEEP

24576:HNw52RX3IGgsPJnOK5BF6t1poyRBKx3htCYpJ4+I0z1N2V2:HDBhrFulixtC24+RU2

Score

8^/10

aspackv2 persistence vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\yyberi.exe	aspack_v212_v242
C:\Windows\SysWOW64\yyberi.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

yyberi.exe

pid process

4312 yyberi.exe

pid	process
4312	yyberi.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\SysWOW64\yyberi.exe	vmprotect
C:\Windows\SysWOW64\yyberi.exe	vmprotect
behavioral2/memory/4312-135-0x0000000000400000-0x00000000005A7000-memory.dmp	vmprotect
behavioral2/memory/4312-137-0x0000000000400000-0x00000000005A7000-memory.dmp	vmprotect
behavioral2/memory/4312-175-0x0000000000400000-0x00000000005A7000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yyberi.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yyberi.exe = "C:\\Windows\\SysWOW64\\yyberi.exe"	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\yyberi.exe	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
File opened for modification	C:\Windows\SysWOW64\yyberi.exe	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a4b97d91-a713-4c27-a1cc-1f9761840fcf.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221126183816.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

yyberi.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.yy.com	yyberi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.yy.com\ = "63"	yyberi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	yyberi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU	yyberi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	yyberi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	yyberi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yy.com\Total = "63"	yyberi.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
256	msedge.exe
256	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1060	identity_helper.exe
1060	identity_helper.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1180 msedge.exe
1180 msedge.exe
1180 msedge.exe
1180 msedge.exe
1180 msedge.exe
1180 msedge.exe
1180 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1180 msedge.exe
1180 msedge.exe
1180 msedge.exe

pid	process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

pid	process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exeyyberi.exe

pid	process
2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
4312	yyberi.exe
4312	yyberi.exe
4312	yyberi.exe
4312	yyberi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exemsedge.exe

description	pid	process	target process
PID 2044 wrote to memory of 4312	2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe	yyberi.exe
PID 2044 wrote to memory of 4312	2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe	yyberi.exe
PID 2044 wrote to memory of 4312	2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe	yyberi.exe
PID 2044 wrote to memory of 1180	2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe	msedge.exe
PID 2044 wrote to memory of 1180	2044	54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe	msedge.exe
PID 1180 wrote to memory of 3124	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 3124	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 856	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 256	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 256	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe
PID 1180 wrote to memory of 948	1180	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
"C:\Users\Admin\AppData\Local\Temp\54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\yyberi.exe
  C:\Windows\System32\/yyberi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?kduowanyy
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa084946f8,0x7ffa08494708,0x7ffa08494718
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 /prefetch:8
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6612 /prefetch:8
    3⤵
    PID:2052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
    3⤵
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff60d3f5460,0x7ff60d3f5470,0x7ff60d3f5480
      4⤵
      PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 /prefetch:8
    3⤵
    PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4060 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6188 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2068,6176433446016391504,12172334227281856040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
84ad40b5a681063674d53ff51082dffe

SHA1
0cc0fb07c307a74ca042fb2aa2b84f3f60df023d

SHA256
cb70ebb217c8756966fb6a2f60e1de8466dd3b7af45097eb0c1d49b98d927098

SHA512
ff60bcbe233a01acbc64c5fdc8a1e13d45a27e356f5f4391fa65e44dfd0419585efd7991ec20d9968b512245f2e850d7e6cfbcd9c1ac4e2c44abbd61611fec88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
731b8f0570b938ddfd449cde23f77558

SHA1
3edd9f9e4ec3a4a99afe08f071b29f91cfddf9f4

SHA256
7d938895d153ec61371388c58a96eedfec9a06050020ce6a46e3da9f0dac0bbb

SHA512
857b3c28249de00a5805b462cb4bbf8d6238c9a90ccde7c88462157295a295a22b07c920bb560ef2445fa657a56a077d019861f9f94574025c4c467c0b27731c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
5af2c6cf62b686ee08579021f1fe704f

SHA1
4bc6515c3fbf4daf621376406d472a723376cb39

SHA256
56b03ff2d4fc0ae9f870fa57294e4f964c964004e0f13acd0a09492d66ca94cf

SHA512
1380753f85be756f2792fce67c6e1eca51ec253580b6d4d39a0d0b193673a336e452d95c350663e3ba1a9411fb1cd41bd1451541a9fb59b69253ce48de09fd4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
d8fd055f58bdb4ac408ccedcf3a8e12b

SHA1
f4af812a1a6ebb185364a98220f505c2fb5c5ab8

SHA256
8caa0b9b7bc4e1c325595b63e53b0c440565d4f40666258027cfa182f1a158fe

SHA512
7191ae358c16d29579d7c908ba9500a665774a2bf40a9894dae5befc26b5277635198f2062629a3b91577307683e265b4e8985c8b67bf78897692dea718a8ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
2061dac5a76b1e8eb287ca1dbbf018ea

SHA1
c4a78559f639b912d850b4e8f455a860fec38369

SHA256
00eea5c9d27aa7c129f9b09170c39ea5cba6d5aa700ea83d8793177e77c7f274

SHA512
350c3e129c3a00015f3eb01ca0fb33fc0243ad75725330cb4ecbd306a3b102119c0c31c415c4b3f636c5c804eb65545a2967ac6a4aefea69e3c67f43ad911a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
feea0661a43a52db6982bf0b4d307275

SHA1
1af9895fbd9fc3abf303b926ae981c5f473b85fc

SHA256
7ad8226b85d0e1f1e4bd5ccd8872a50873ae12f9e714107eafb95e0364137cad

SHA512
82210fb1e4c153e705ff3a44aabaae61dbc58e6f532763cb8dc9658b6038e0ab764ff4cddd8af8e0d4252ffb7470939643cca8a13d928332b59a6e85963ca652

Download Submit
C:\Windows\SysWOW64\yyberi.exe

Filesize
476KB

MD5
262c5d4706f08de4ee40cfd533f0c3d6

SHA1
3150ca9f7b477d1403bf3a4af73ee712cc8797f1

SHA256
81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

SHA512
1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

Download Submit
C:\Windows\SysWOW64\yyberi.exe

Filesize
476KB

MD5
262c5d4706f08de4ee40cfd533f0c3d6

SHA1
3150ca9f7b477d1403bf3a4af73ee712cc8797f1

SHA256
81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

SHA512
1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

Download Submit
\??\pipe\LOCAL\crashpad_1180_CGDNHXAOQQOLSTDE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/256-142-0x0000000000000000-mapping.dmp

Download
memory/756-151-0x0000000000000000-mapping.dmp

Download
memory/856-141-0x0000000000000000-mapping.dmp

Download
memory/900-174-0x0000000000000000-mapping.dmp

Download
memory/948-145-0x0000000000000000-mapping.dmp

Download
memory/1060-172-0x0000000000000000-mapping.dmp

Download
memory/1180-138-0x0000000000000000-mapping.dmp

Download
memory/1324-147-0x0000000000000000-mapping.dmp

Download
memory/1944-181-0x0000000000000000-mapping.dmp

Download
memory/2052-165-0x0000000000000000-mapping.dmp

Download
memory/2352-161-0x0000000000000000-mapping.dmp

Download
memory/2592-170-0x0000000000000000-mapping.dmp

Download
memory/3124-139-0x0000000000000000-mapping.dmp

Download
memory/3444-163-0x0000000000000000-mapping.dmp

Download
memory/3964-184-0x0000000000000000-mapping.dmp

Download
memory/4044-182-0x0000000000000000-mapping.dmp

Download
memory/4300-179-0x0000000000000000-mapping.dmp

Download
memory/4312-175-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4312-135-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4312-137-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/4492-167-0x0000000000000000-mapping.dmp

Download
memory/4580-149-0x0000000000000000-mapping.dmp

Download
memory/4760-169-0x0000000000000000-mapping.dmp

Download
memory/4768-171-0x0000000000000000-mapping.dmp

Download
memory/4860-177-0x0000000000000000-mapping.dmp

Download
memory/5052-153-0x0000000000000000-mapping.dmp

Download