b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
Size

3.7MB
MD5

59f973362a017d73908f1b5e644b3e92
SHA1

7587ec3ccb0f63f2d454d39f96a9888d6b29e3fe
SHA256

b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7
SHA512

9e58ad431d75f1586f43a1c31f95ddef22c68cdf6f83e41af146ab8c562e41488558f463a24d65c627ab16180add38137ca68e48620b7592b7dd621760c36765
SSDEEP

49152:GKONXlQJ6NB9gA+FnLl3CeMwFZ0+TmM3HuETOsmVF8I8fD9vxBtCKd9EZ:oNJH+xLtCGtirsmb8vRZBLYZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4508	Q³è´óÀÖ¶·.exe
1096	18DJQUYc.exe
4068	Q³è´óÀÖ¶·.exe
4412	empty.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run	Q³è´óÀÖ¶·.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18DJQUYc = "\"C:\\18DJQUYc.exe\""	Q³è´óÀÖ¶·.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\df6d58bb-0f15-4efd-80a1-9063a2a6d9ef.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128173302.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\empty.exe	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
4796	msedge.exe
4796	msedge.exe
3008	msedge.exe
3008	msedge.exe
4560	identity_helper.exe
4560	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1096	18DJQUYc.exe
Token: SeDebugPrivilege	4412	empty.exe
Token: SeIncBasePriorityPrivilege	1096	18DJQUYc.exe
Token: SeIncBasePriorityPrivilege	1096	18DJQUYc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4508	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	83
PID 3736 wrote to memory of 4508	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	83
PID 3736 wrote to memory of 4508	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	83
PID 4508 wrote to memory of 1096	4508	Q³è´óÀÖ¶·.exe	84
PID 4508 wrote to memory of 1096	4508	Q³è´óÀÖ¶·.exe	84
PID 4508 wrote to memory of 1096	4508	Q³è´óÀÖ¶·.exe	84
PID 3736 wrote to memory of 4068	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	85
PID 3736 wrote to memory of 4068	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	85
PID 3736 wrote to memory of 4068	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	85
PID 3736 wrote to memory of 3008	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	90
PID 3736 wrote to memory of 3008	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	90
PID 3736 wrote to memory of 5084	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	91
PID 3736 wrote to memory of 5084	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	91
PID 3008 wrote to memory of 4296	3008	msedge.exe	92
PID 3008 wrote to memory of 4296	3008	msedge.exe	92
PID 3736 wrote to memory of 4412	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	94
PID 3736 wrote to memory of 4412	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	94
PID 3736 wrote to memory of 4412	3736	b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe	94
PID 5084 wrote to memory of 5088	5084	msedge.exe	93
PID 5084 wrote to memory of 5088	5084	msedge.exe	93
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 3008 wrote to memory of 4348	3008	msedge.exe	99
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98
PID 5084 wrote to memory of 4248	5084	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
"C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
  C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\18DJQUYc.exe
    C:\18DJQUYc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
  "C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe"
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bbs.waig8.com/forum.php?mod=forumdisplay&fid=80
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff985f846f8,0x7ff985f84708,0x7ff985f84718
    3⤵
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
    3⤵
    PID:384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:2856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5880 /prefetch:8
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
    3⤵
    PID:3868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
    3⤵
    PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff63be05460,0x7ff63be05470,0x7ff63be05480
      4⤵
      PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6784 /prefetch:8
    3⤵
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3464 /prefetch:8
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:8
    3⤵
    PID:712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,11130794524900137358,13654142077459479826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:8
    3⤵
    PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://shop110665107.taobao.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff985f846f8,0x7ff985f84708,0x7ff985f84718
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2598947392515118430,2406702630139877649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2598947392515118430,2406702630139877649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
- C:\Windows\empty.exe
  C:\Windows\empty.exe 3736
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\18DJQUYc.exe

Filesize
680KB

MD5
80ce85ebf76d47cf796e9dc816f5dcba

SHA1
d70c7591a9af0e3ce93ac04caff050982b9c1932

SHA256
9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

SHA512
091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

Download Submit
C:\18DJQUYc.exe

Filesize
680KB

MD5
80ce85ebf76d47cf796e9dc816f5dcba

SHA1
d70c7591a9af0e3ce93ac04caff050982b9c1932

SHA256
9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

SHA512
091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
9f238721e0dfd68d1fd20c56c25bcdac

SHA1
9ef4ee704db25d9688bd479cbfb0b0c4dae94c87

SHA256
d56a5dc2d1392484b9743fee8570b8414f1bfede7f0614141a86448c465b58c1

SHA512
13dfbf83e7f8a5a18867af9de512943ddebf8a3c1c6d24521e23b4558b16c1a7cdfa2004ebbd4393bae4908c4d1e2a5579e1fe7a56547b5f13b0b171a9775c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
2a18a5934850c7e26d0bcc69d5398407

SHA1
fbd76bd78e5e25cecacf7625cc62f937ed9203df

SHA256
1f18799847e4e1cdfb60bc9241813005c065fd2673de3f910301a7359a608618

SHA512
21a9747bda1e76286fe290271ed7b091b90ea0483a41a159f7cc2744798bbcc5cbf90ab6059d3a8687d0afcf34715ddc9b349883561222f99e9828f22ab63a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c59190a5b199087681ef6723487a859

SHA1
482979ea01cc59fbc369f76ed2904280950239fe

SHA256
8f5d0a208a3603dd9da26f17fc496a25f83e53fda6d1e96e6a6fa604576ed87a

SHA512
e1858a05d722d4a0ea48b429b566406944c6985db8462383f3f4f3a0521d47a3d56a0595535c9acdb2c9a481088cec39008a75899a37c530dda155910a44ad0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe

Filesize
680KB

MD5
80ce85ebf76d47cf796e9dc816f5dcba

SHA1
d70c7591a9af0e3ce93ac04caff050982b9c1932

SHA256
9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

SHA512
091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe

Filesize
680KB

MD5
80ce85ebf76d47cf796e9dc816f5dcba

SHA1
d70c7591a9af0e3ce93ac04caff050982b9c1932

SHA256
9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

SHA512
091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe

Filesize
680KB

MD5
80ce85ebf76d47cf796e9dc816f5dcba

SHA1
d70c7591a9af0e3ce93ac04caff050982b9c1932

SHA256
9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

SHA512
091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

Download Submit
C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit