Analysis
- max time kernel: 170s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 16:32
Static task: static1
Behavioral task behavioral1: sample 科威软件园.url (an Internet shortcut; the Chinese name, roughly "Kewei Software Park", is in the style of the Chinese software-download portals), resource win7-20220812-en
Behavioral task behavioral2: sample 科威软件园.url, resource win10v2004-20220901-en
Behavioral task behavioral3: sample ˸4.1.exe, resource win7-20221111-en
Behavioral task behavioral4: sample ˸4.1.exe, resource win10v2004-20220812-en
This page is the behavioral4 run: its resource matches the analysis header above, and the memory dumps listed at the end are tagged behavioral4/.
General
- Target: ˸4.1.exe
- Size: 5.1MB
- MD5: d4a0825e77027a47b28ac118f0975d52
- SHA1: fac4d04808945eda9ef71114ae715606d71bd911
- SHA256: 87cb34ebb531cfdf2abbd61c1e10184fd17e8d92a9cebd38c3684359747ecd51
- SHA512: 60f6f849c790865274d0d54aba241e1b7a4e2b066a2ccd894b507edc9b211921a6eead88557fb4151daa7a8a15967ad526cce9320471377a18b85329ccc6eeec
- SSDEEP: 98304:eCv+JlCP+zYxsWUGi95aWJEz/eYqdwkLcHHOT5kJLR6HOkJvVqmFIAG2B0zx:AJloxHUG3lzGjAOdkdou8NvB0zx
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects a file packed with ACProtect.
resource                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll    acprotect
SkinH_EL.dll is a third-party window-skinning library (the _EL suffix marks its Easy Language, 易语言, build) that ships packed, so this hit and the UPX hit on the same file describe the library, not evasion written for this sample.
Executes dropped EXE 1 IoCs
pid     process
4268    ÄæÕ½±¯É˸¨Öú.exe
The process name is a GBK-encoded Chinese string that the en-US sandbox shows as one cp1252 character per byte. Re-encoding the shown characters as cp1252 and reading the bytes as GBK gives 逆战悲伤辅助 (one character pair is garbled in this copy of the report and is inferred from the words around it): 逆战 is Tencent's FPS of that name, 悲伤 ("sad") reads as the tool's brand, and 辅助 ("assist") is the usual Chinese label for a game cheat. Searching for the mojibake form as shown will not find the file on a Chinese-locale host; search for the decoded name there.
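The name above is what an en-US Windows sandbox reports when a GBK file name is read as cp1252. The following Python is an added example written for this page, not code from the sandbox or the sample: it reverses that mis-decoding so the original name can be read and searched for. It assumes the report's rendering "É˸¨" lost one character and restores the pair as "ÉË¸¨" (cp1252 bytes C9 CB B8 A8), treats names that are not cp1252-encodable (such as the .url sample's already-correct Chinese name) as not being mojibake, and leaves names whose bytes are not valid GBK untouched; the function names and the sample list are this example's own.

```python
"""Undo cp1252-as-GBK mojibake in file names reported by an en-US Windows sandbox.

Added example for this report; the helpers are this example's own, not the
sandbox's tooling. A Chinese file name stored in GBK is shown by an en-US system
as one Latin-1/cp1252 character per byte ("ÄæÕ½±¯..."). Re-encoding those
characters as cp1252 yields the original bytes, which then decode as GBK.
"""


def recover_gbk_name(name: str) -> tuple[str, str]:
    """Return (recovered_name, status) for one file or process name.

    status values:
      "ascii"       nothing to undo
      "decoded"     the cp1252 bytes were valid GBK; recovered_name is the Chinese name
      "not-cp1252"  the name has characters outside cp1252, so it did not come from
                    this mis-decoding (e.g. a name that is already correct Chinese);
                    returned unchanged
      "not-gbk"     the cp1252 bytes are not a valid GBK sequence (a name cut off
                    mid-character, or Western text with accents); returned unchanged
    """
    if name.isascii():
        return name, "ascii"
    try:
        raw = name.encode("cp1252")
    except UnicodeEncodeError:
        return name, "not-cp1252"
    try:
        return raw.decode("gbk"), "decoded"
    except UnicodeDecodeError:
        return name, "not-gbk"


def recover_gbk_path(path: str) -> str:
    """Apply the recovery to each backslash-separated component of a Windows path."""
    return "\\".join(recover_gbk_name(part)[0] for part in path.split("\\"))


# Constructed inputs for this example. The first is the dropped EXE's name from the
# report with its garbled character pair restored (assumption: "É˸¨" was "ÉË¸¨").
SAMPLE_NAMES = [
    "ÄæÕ½±¯ÉË¸¨Öú.exe",   # GBK name shown as cp1252: decodes
    "SkinH_EL.dll",        # plain ASCII: nothing to do
    "科威软件园.url",       # already correct Chinese: not cp1252, left alone
    "Ä.exe",               # constructed: a GBK lead byte with no trail byte
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        fixed, status = recover_gbk_name(name)
        print(f"{status:<11} {name!r} -> {fixed!r}")
    print(recover_gbk_path(r"C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯ÉË¸¨Öú.exe"))
```

The same two-step trick recovers other double-byte names (Shift-JIS, EUC-KR, Big5) by swapping the second codec; the cp1252 step stays the same because that is how the sandbox's en-US locale rendered the bytes.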
UPX packed file 2 IoCs
Detects executables packed with UPX (yara_rule is the matching rule name).
resource                                                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll                                    upx
behavioral4/memory/4268-141-0x0000000010000000-0x000000001003D000-memory.dmp      upx
The memory hit is a 244KB region at 0x10000000 in PID 4268, the classic default image base of a 32-bit DLL; together with the "Loads dropped DLL" entry for the same PID it is consistent with SkinH_EL.dll mapped into the dropped EXE.
VMProtect packed file 3 IoCs
Detects executables protected with VMProtect.
resource                                                                          yara_rule
C:\Windows\SysWOW64\SuperEC_Hook.dll (listed twice in the report)                 vmprotect
behavioral4/memory/1816-167-0x0000000016080000-0x0000000016152000-memory.dmp      vmprotect
PID 1816 is the regsvr32.exe instance in the process tree, so the 840KB in-memory hit is SuperEC_Hook.dll mapped into the host that was told to unregister it. VMProtect on the one component that gets loaded into a signed Windows binary is the part of this sample that deserves a closer look.
Loads dropped DLL 2 IoCs
pid     process
4268    ÄæÕ½±¯É˸¨Öú.exe
1816    regsvr32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description    ioc                                                                                                          process
Key created    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run    msedge.exe
The key is created by msedge.exe, not by the sample or its dropped EXE, and no value written under it is recorded. Treat this as browser housekeeping unless a Run value naming one of the dropped files turns up.
Drops file in System32 directory 1 IoCs
description    ioc                                      process
File created   C:\Windows\SysWOW64\SuperEC_Hook.dll     ÄæÕ½±¯É˸¨Öú.exe
The dropped EXE is evidently 32-bit (its regsvr32 child resolves to the SysWOW64 copy): what it sees as System32 is redirected by WOW64 to SysWOW64, and the C:\Windows\system32\ path in the regsvr32 command below refers to this same file.
Drops file in Program Files directory 2 IoCs
description                    ioc                                                                                                        process
File created                   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d8a7d416-4751-49ee-ab2d-077bfab393e2.tmp    setup.exe
File opened for modification   C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221127083613.pma                          setup.exe
Both files are written by Edge's own installer (setup.exe --configure-user-settings in the process tree) under its SetupMetrics folder: first-run noise, not sample activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic heuristic with no IoC attached, and nothing else in the report (no mass file modification, no dropped note) supports ransomware; do not weight it.
Enumerates system info in registry 2 TTPs 3 IoCs
description         ioc                                                                      process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                        msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName      msedge.exe
All three reads come from msedge.exe, which reads the BIOS manufacturer and model for its own telemetry; they are not sample activity.
Modifies registry class 1 IoCs
description    ioc                                                                                           process
Key created    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\     msedge.exe
Again msedge.exe, not the sample.
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid     process               entries
220     msedge.exe            2
968     msedge.exe            2
1268    identity_helper.exe   2
2784    msedge.exe            4
All ten entries are Edge processes.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid     process      entries
968     msedge.exe   8
Edge starts its helper processes with the "block non-Microsoft binaries" process mitigation policy, which is what this signature keys on; it is the browser hardening itself, not an attacker technique.
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid     process               entries
Token: 33                            4268    ÄæÕ½±¯É˸¨Öú.exe       32
Token: SeIncBasePriorityPrivilege    4268    ÄæÕ½±¯É˸¨Öú.exe       32
The report lists the two alternating, 32 times each. Privilege LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h; neither it nor SeIncBasePriorityPrivilege grants elevation, and the steady alternation looks like a runtime routine (priority or working-set tuning) called in a loop rather than privilege abuse.
Suspicious use of FindShellTrayWindow 3 IoCs
pid     process      entries
968     msedge.exe   3
Browser taskbar interaction; not sample activity.
Suspicious use of SetWindowsHookEx 7 IoCs
pid     process               entries
4200    ˸4.1.exe              2
4268    ÄæÕ½±¯É˸¨Öú.exe       5
GUI frameworks and skinning libraries such as SkinH install window hooks too, so the count alone does not separate UI plumbing from keylogging. The hook type and whether it is thread-local or global are what to pull from a full API trace; the report does not record them.
Suspicious use of WriteProcessMemory 64 IoCs
source pid   source process     target pid   target process      entries
4200         ˸4.1.exe           4268         ÄæÕ½±¯É˸¨Öú.exe     3
4200         ˸4.1.exe           968          msedge.exe          2
968          msedge.exe         4780         msedge.exe          2
968          msedge.exe         240          msedge.exe          many
968          msedge.exe         220          msedge.exe          2
968          msedge.exe         3572         msedge.exe          many
The two "many" rows account for the remaining 55 entries. Every write goes from a parent into a child it has just created (the sample into its dropped EXE and into Edge, Edge into its own helper processes), which is how process start-up shows up in this sandbox's trace; there is no write into an unrelated, already-running process, so this is not evidence of injection.
Processes
Tree depth is shown by indentation; each entry gives the image path, the command line as recorded, and the signatures attributed to it.

C:\Users\Admin\AppData\Local\Temp\˸4.1.exe  (PID 4200)
  command line: "C:\Users\Admin\AppData\Local\Temp\˸4.1.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe  (PID 4268, child of 4200)
      command line: C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (child of 4268)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cfbeishang.com/

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb943746f8,0x7ffb94374708,0x7ffb94374718

        C:\Windows\SysWOW64\regsvr32.exe  (PID 1816, child of 4268)
          command line: regsvr32 /u /s C:\Windows\system32\SuperEC_Hook.dll
          - Loads dropped DLL

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 968, child of 4200)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?kcassidy
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb943746f8,0x7ffb94374708,0x7ffb94374718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x1fc,0x230,0x7ff692c35460,0x7ff692c35470,0x7ff692c35480

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1268)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,102653458785481514,6026318920113653822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6236 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: the submitted EXE (PID 4200) runs from %TEMP%, drops a 4.5MB second EXE beside itself and runs it (PID 4268), and separately opens Edge on http://www.2345.com/?kcassidy. The dropped EXE writes SuperEC_Hook.dll into SysWOW64 and runs regsvr32 /u /s on it: the bare "regsvr32" resolves to the SysWOW64 copy because the caller is 32-bit, the C:\Windows\system32\ argument is WOW64-redirected to the same SysWOW64 file, /s suppresses the result dialog, and /u calls DllUnregisterServer instead of DllRegisterServer, which still loads the VMProtect-ed DLL and runs its DllMain inside a Microsoft-signed host. The dropped EXE also opens Edge on http://www.cfbeishang.com/. 2345.com is a Chinese web-portal/homepage site, and a bare query string such as ?kcassidy on a portal URL is the usual shape of a referral tag, so the traffic side of this sample looks like homepage or affiliate promotion; the report records no network data showing what either site served. Everything beneath the two msedge.exe entries (crashpad-handler, gpu-process, utility, renderer, identity_helper, setup.exe --configure-user-settings and its crashpad child) is Edge's normal first-run process tree, and CompPkgSrv.exe at the root is a Windows COM server (-Embedding is the COM activation switch) that was not started by the sample.
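The chain above (an EXE in %TEMP% starting a second EXE in %TEMP%, that EXE writing a DLL into a system directory and handing it to regsvr32, and a browser launched from %TEMP% with a URL on its command line) is detectable from ordinary process-creation and file-create telemetry. The following Python is an added example written for this page, not part of the report or of any product: four rules over Sysmon-style event dicts (a subset of Event ID 1 and Event ID 11 fields), run over events constructed from the tree above plus two benign controls. The user-writable directory list, the browser list and the rule names are this example's own choices, and the regsvr32 rule is slightly more general than this sample needs: it also fires when the DLL argument, rather than the parent process, lives in a user-writable directory.

```python
"""Detection rules for the execution chain in this report, over Sysmon-style events.

Added example for this page; not part of the report or of the sample. Events are
dicts carrying a subset of Sysmon fields: Event ID 1 (ProcessCreate) with ProcessId,
Image, CommandLine, ParentProcessId, ParentImage, and Event ID 11 (FileCreate) with
ProcessId, Image, TargetFilename. Directory and browser lists are this example's own.
"""
import re

# Locations an unprivileged user can write to; both stages in the report run from %TEMP%.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Unquoted drive-letter path ending in .dll, the form regsvr32 receives in the report.
DLL_ARG_RE = re.compile(r"[a-z]:\\[^\s\"]+?\.dll", re.IGNORECASE)


def _low(s):
    return (s or "").lower()


def in_user_writable(path):
    return any(d in _low(path) for d in USER_WRITABLE)


def in_system_dir(path):
    return any(_low(path).startswith(d) for d in SYSTEM_DIRS)


def basename(path):
    return _low(path).rsplit("\\", 1)[-1]


def rule_dropper_chain(ev):
    """EXE in a user-writable directory starts another EXE from a user-writable directory."""
    if ev.get("EventID") != 1:
        return None
    if in_user_writable(ev.get("ParentImage")) and in_user_writable(ev.get("Image")):
        return f"{ev['ParentImage']} -> {ev['Image']}"
    return None


def rule_temp_process_writes_system_dll(ev):
    """Process running from a user-writable directory creates a DLL under System32/SysWOW64."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if in_user_writable(ev.get("Image")) and in_system_dir(target) and _low(target).endswith(".dll"):
        return target
    return None


def rule_regsvr32_from_dropper(ev):
    """regsvr32 started by a process in a user-writable directory, or given a DLL from one.

    /u (DllUnregisterServer) and /s (silent) do not make this safer: the DLL's
    DllMain and the chosen export still run inside the signed regsvr32.exe host.
    """
    if ev.get("EventID") != 1 or basename(ev.get("Image")) != "regsvr32.exe":
        return None
    m = DLL_ARG_RE.search(ev.get("CommandLine") or "")
    dll_path = m.group(0) if m else ""
    if in_user_writable(ev.get("ParentImage")) or in_user_writable(dll_path):
        return dll_path or ev.get("CommandLine")
    return None


def rule_dropper_opens_url(ev):
    """Browser started by a process in a user-writable directory with a URL on its command line."""
    if ev.get("EventID") != 1 or basename(ev.get("Image")) not in BROWSERS:
        return None
    if not in_user_writable(ev.get("ParentImage")):
        return None
    m = URL_RE.search(ev.get("CommandLine") or "")
    return m.group(0) if m else None


RULES = [rule_dropper_chain, rule_temp_process_writes_system_dll,
         rule_regsvr32_from_dropper, rule_dropper_opens_url]


def evaluate(events):
    """Run every rule over every event; one hit dict per (event, rule) that matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append({"rule": rule.__name__, "pid": ev.get("ProcessId"), "detail": detail})
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed events modelled on the report's process tree; not a real log.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4268, "Image": TEMP + r"\ÄæÕ½±¯É˸¨Öú.exe",
     "CommandLine": TEMP + r"\ÄæÕ½±¯É˸¨Öú.exe", "ParentProcessId": 4200, "ParentImage": TEMP + r"\˸4.1.exe"},
    {"EventID": 11, "ProcessId": 4268, "Image": TEMP + r"\ÄæÕ½±¯É˸¨Öú.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\SuperEC_Hook.dll"},
    {"EventID": 1, "ProcessId": 1816, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 /u /s C:\Windows\system32\SuperEC_Hook.dll",
     "ParentProcessId": 4268, "ParentImage": TEMP + r"\ÄæÕ½±¯É˸¨Öú.exe"},
    {"EventID": 1, "ProcessId": 968, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --single-argument http://www.2345.com/?kcassidy',
     "ParentProcessId": 4200, "ParentImage": TEMP + r"\˸4.1.exe"},
    # Benign controls: Edge spawning its own renderer, and an installer registering a DLL.
    {"EventID": 1, "ProcessId": 240, "Image": EDGE, "CommandLine": f'"{EDGE}" --type=renderer',
     "ParentProcessId": 968, "ParentImage": EDGE},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\ProgramData\Vendor\vendor.dll",
     "ParentProcessId": 4999, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"{hit['rule']:<36} pid={hit['pid']:<5} {hit['detail']}")
```

The two controls show the rules' selectivity: Edge starting a renderer has no user-writable parent, and an installer's regsvr32 call names neither a user-writable DLL nor a user-writable parent, so neither fires.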
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The four CryptnetUrlCache files are Windows CryptoAPI's cache of certificate data fetched while validating a chain (CRL/OCSP/AIA downloads), and Crashpad settings.dat is Edge's crash-reporter state; both are side effects of launching Edge. The three files after them are the sample's own artifacts.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\574A9FE7B8348B82BDCAB078149F62FA
  Filesize 599B
  MD5 85fe7f1600c64c62d26f3d4c6b7c04da
  SHA1 48cf79d6ce076923b1e0518e91bf81cc0153dea3
  SHA256 a4c3ad6c71bcfb47526ef964430c3c32a3e570d0cf6a6c6e493b46c4c8047561
  SHA512 73c51e6043fdb2a60892900de29efa6356771dbc146f294e72835369e4257c0890393facdbbbf6f4f84de63fa6af4d8f65e78b97cfd7d3550596f111aa8f9375
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D
  Filesize 1KB
  MD5 daccf10489a2a60b33f50f1d61edb489
  SHA1 08ce5fc440771cd8567d66e61ce52dd601f4e7d4
  SHA256 f18d3c447d439559c5446d1549484b0523b9dded2938951aab337e012e009845
  SHA512 cc6af00512894816f60b2046766dc4c45c1e96ec5a2a7d55bc77f9fec20bd6bb9a0788ba05dd17a6f363b8c19f3df04c126cc1d872d3d2a9a75f45c0fc26c902
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\574A9FE7B8348B82BDCAB078149F62FA
  Filesize 500B
  MD5 c5f44423b13af97663511998b1ec8b7f
  SHA1 75125108c8b8b061481f34481c8cccc537a19791
  SHA256 01a9e6807993b4c593392216608169d3aa571157dd89655ddbbb1502d6644a7b
  SHA512 1ba27ca24f7f0dc27f74330f986b0f417aedae17f3c39c2171c5ad6b25fa8b1bbff0c66e569a4c8223bcdfe292406ad36f5103d47d743f37c012d8ef168ee063
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D
  Filesize 482B
  MD5 bfec9478e55932dd67bea2ece3ee0890
  SHA1 0241745014057209c47c6d2a5c69cabd7e17c1ca
  SHA256 4700607161b46ff6845052cbaefd929d95f9aaf83f466012ff8b97f49e8b50a3
  SHA512 e62e3250a9dee7358832840190a92184fb5922680bd31a8231e848885e0386c2462b3b2a25ee53024dd9a1ffd4521add3bf1cd44b5895b9c1eccf13d0ef5f728
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize 152B
  MD5 9cc113cab81df2ff66421c3dd6bf4d31
  SHA1 c1e1b1e2f007732c8c79eedac889b7312b08990e
  SHA256 48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea
  SHA512 e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b
- C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
  Filesize 86KB
  MD5 147127382e001f495d1842ee7a9e7912
  SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
  SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
  SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
- C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe (listed twice in the report with identical hashes)
  Filesize 4.5MB
  MD5 35820cb78e5516ee20625389a67b7a5c
  SHA1 9bbe8d20b8352c392f8d47da1b61e5894c4db585
  SHA256 ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f
  SHA512 0e1f4687833ef9f8355e28210565baabc01af55d6cb4e47185215c1e739d6f64d7bebbe9c9ab11fb5be1f61021ccdf1d390b6c92c3049f7e4f3f8241c70cb043
- C:\Windows\SysWOW64\SuperEC_Hook.dll (listed twice in the report with identical hashes)
  Filesize 368KB
  MD5 6446f02463634295797ff698eb7eb92e
  SHA1 64a20417acf7c9bd67efc601236c85fa640426a8
  SHA256 53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33
  SHA512 eeeb4152b92f9c4cad35d596f6fdec8d4e26b93c1a71627007ce5e490c46bd7773cc65309645ace429467b335fea5fe33cb5aac4cf507367cd9ad72a1b9efbfe
- \??\pipe\LOCAL\crashpad_968_RERIMSIJGMEIDSHJ
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four values are the digests of zero-length input (MD5 d41d8c..., SHA-1 da39a3..., SHA-256 e3b0c4...): the sandbox captured Edge's crashpad named pipe with no data in it. They match every empty file and must not be used as indicators.
Memory dumps (behavioral4). The -0x0000000000000000-mapping.dmp entries are the sandbox's per-process mapping dumps, one per tracked PID; the two region dumps with a size carry the packer YARA hits noted under Signatures.
- memory/220-140-0x0000000000000000-mapping.dmp
- memory/240-139-0x0000000000000000-mapping.dmp
- memory/968-135-0x0000000000000000-mapping.dmp
- memory/1268-175-0x0000000000000000-mapping.dmp
- memory/1480-152-0x0000000000000000-mapping.dmp
- memory/1572-173-0x0000000000000000-mapping.dmp
- memory/1596-154-0x0000000000000000-mapping.dmp
- memory/1816-162-0x0000000000000000-mapping.dmp
- memory/1816-167-0x0000000016080000-0x0000000016152000-memory.dmp  Filesize 840KB  (vmprotect hit, regsvr32.exe)
- memory/1828-156-0x0000000000000000-mapping.dmp
- memory/1880-146-0x0000000000000000-mapping.dmp
- memory/2092-159-0x0000000000000000-mapping.dmp
- memory/2276-179-0x0000000000000000-mapping.dmp
- memory/2784-180-0x0000000000000000-mapping.dmp
- memory/3516-158-0x0000000000000000-mapping.dmp
- memory/3572-144-0x0000000000000000-mapping.dmp
- memory/3900-174-0x0000000000000000-mapping.dmp
- memory/3948-150-0x0000000000000000-mapping.dmp
- memory/4044-164-0x0000000000000000-mapping.dmp
- memory/4248-177-0x0000000000000000-mapping.dmp
- memory/4268-141-0x0000000010000000-0x000000001003D000-memory.dmp  Filesize 244KB  (upx hit, dropped EXE)
- memory/4268-132-0x0000000000000000-mapping.dmp
- memory/4276-148-0x0000000000000000-mapping.dmp
- memory/4712-160-0x0000000000000000-mapping.dmp
- memory/4780-136-0x0000000000000000-mapping.dmp
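The artifacts worth hunting for from the Downloads list are SkinH_EL.dll, the dropped EXE and SuperEC_Hook.dll, plus the submitted sample from the General section. The following Python is an added example, not part of the report: it walks a directory tree, hashes every file with SHA-256 and reports matches against those four hashes and, as a weaker signal, against the two DLL names. It skips zero-length files, because their digest is the empty-input hash that the crashpad pipe entry above also carries. The hash values are copied from the report; the walk, the name check and the constructed tree in demo() are this example's own.

```python
"""Hunt a directory tree for the artifacts listed in this report.

Added example, not part of the sandbox report. The SHA-256 values are copied from
the report; the file walk, the name check and demo() are this example's own.
"""
import hashlib
import os
import tempfile

# SHA-256 -> label, from the report's General and Downloads sections.
REPORT_SHA256 = {
    "87cb34ebb531cfdf2abbd61c1e10184fd17e8d92a9cebd38c3684359747ecd51": "submitted sample",
    "ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f": "dropped EXE",
    "edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc": "SkinH_EL.dll",
    "53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33": "SuperEC_Hook.dll",
}
# File names from the report: a weaker signal (a rebuilt sample changes the hash
# but often keeps the names), so name hits are reported separately from hash hits.
REPORT_NAMES = {"skinh_el.dll", "superec_hook.dll"}
# Digest of zero bytes. The report lists it for an empty named pipe; it matches
# every empty file and must never be used as an indicator.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def is_empty_hash(digest: str) -> bool:
    """True if digest is the SHA-256 of zero-length input."""
    return digest.lower() == hashlib.sha256(b"").hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root: str, hashes=REPORT_SHA256, names=REPORT_NAMES) -> list:
    """Walk root and return hits as dicts {path, sha256, match, label}.

    match is "hash" for a digest listed in hashes and "name" for a file whose
    name is in names but whose digest is not listed. Empty files are skipped
    (their digest would be EMPTY_SHA256) and unreadable files are ignored.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) == 0:
                    continue
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in hashes:
                hits.append({"path": path, "sha256": digest, "match": "hash", "label": hashes[digest]})
            elif fn.lower() in names:
                hits.append({"path": path, "sha256": digest, "match": "name", "label": fn})
    return hits


def demo() -> list:
    """Run hunt() over a constructed tree; returns sorted (match, file name, label) tuples.

    The tree holds a planted file whose hash is added to the indicator set, a file
    that only shares a name with a report artifact, an empty file carrying another
    report name, and a benign text file. Only the first two should be reported.
    """
    with tempfile.TemporaryDirectory() as root:
        planted = b"constructed stand-in for an artifact with a known hash\n"
        planted_hash = hashlib.sha256(planted).hexdigest()
        sub = os.path.join(root, "SysWOW64")
        os.makedirs(sub)
        with open(os.path.join(root, "payload.bin"), "wb") as f:
            f.write(planted)
        with open(os.path.join(sub, "SuperEC_Hook.dll"), "wb") as f:
            f.write(b"MZ constructed, not the real DLL\n")
        open(os.path.join(root, "SkinH_EL.dll"), "wb").close()  # empty: must be skipped
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\n")
        hashes = dict(REPORT_SHA256)
        hashes[planted_hash] = "planted test artifact"
        hits = hunt(root, hashes)
    return sorted((h["match"], os.path.basename(h["path"]), h["label"]) for h in hits)


if __name__ == "__main__":
    for match, name, label in demo():
        print(f"{match:<4} {name:<20} {label}")
```

On a live host the same digests can be confirmed with certutil -hashfile <file> SHA256 or PowerShell's Get-FileHash; the script's value is running the whole set over a tree in one pass and refusing to report the empty-input digest.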