a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92

Analysis

max time kernel
150s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe
Size

205KB
MD5

825c51d8f6d086de039189f6abc1e35a
SHA1

5077fd28a5eb87fd8d02e3a377ac5a392e5a2dc6
SHA256

a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92
SHA512

eafecd0e19a3953538810ca55ff06632f0268cdc1896deecdc2ec1907876f195d1b06efde48a552fc8dcd1bffc8d9523461b8de0b22efc6c5e3444e5751bb807
SSDEEP

6144:CZuuObR8sVImcyYIK2J8PPPV2EisbOCCAj+wmo:BV+mz0Pd2hOOH3i

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Windows\\system32\\rstray.exe"	bf.exe

Executes dropped EXE 5 IoCs

pid	Process
1344	bf.exe
3152	360Setup.exe
4100	xin.exe
4280	AnySetup.exe
4976	AnySetup.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e4f-138.dat	upx
behavioral2/files/0x0006000000022e4f-139.dat	upx
behavioral2/memory/3152-144-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/files/0x000400000001d9f1-157.dat	upx
behavioral2/files/0x000400000001d9f1-158.dat	upx
behavioral2/memory/4280-159-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4280-160-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4280-161-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x000400000001d9f1-163.dat	upx
behavioral2/memory/4976-164-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4976-166-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	xin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\360setup.exe	bf.exe
File opened for modification	C:\Windows\SysWOW64\rstray.exe	bf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\be633ec8-daee-4eaa-bcc8-f5427576bee4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221207131110.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2620	msedge.exe
2620	msedge.exe
1740	msedge.exe
1740	msedge.exe
3092	identity_helper.exe
3092	identity_helper.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1344	bf.exe
3152	360Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1344	1192	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe	80
PID 1192 wrote to memory of 1344	1192	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe	80
PID 1192 wrote to memory of 1344	1192	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe	80
PID 1344 wrote to memory of 3152	1344	bf.exe	81
PID 1344 wrote to memory of 3152	1344	bf.exe	81
PID 1344 wrote to memory of 3152	1344	bf.exe	81
PID 1344 wrote to memory of 4860	1344	bf.exe	82
PID 1344 wrote to memory of 4860	1344	bf.exe	82
PID 1344 wrote to memory of 4860	1344	bf.exe	82
PID 1192 wrote to memory of 1740	1192	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe	84
PID 1192 wrote to memory of 1740	1192	a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe	84
PID 1740 wrote to memory of 508	1740	msedge.exe	85
PID 1740 wrote to memory of 508	1740	msedge.exe	85
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 4388	1740	msedge.exe	88
PID 1740 wrote to memory of 2620	1740	msedge.exe	89
PID 1740 wrote to memory of 2620	1740	msedge.exe	89
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90
PID 1740 wrote to memory of 4432	1740	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe
"C:\Users\Admin\AppData\Local\Temp\a363f367e9c527e6f1fc6da0308487d233f3ce00a7325a6a880e9953e6489c92.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bf.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bf.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\360Setup.exe
    "C:\Windows\system32\360Setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat""
    3⤵
    PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.989228.cn/hu.htm?2
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa456446f8,0x7ffa45644708,0x7ffa45644718
    3⤵
    PID:508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:4432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
    3⤵
    PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1424 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3996 /prefetch:8
    3⤵
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff66fae5460,0x7ff66fae5470,0x7ff66fae5480
      4⤵
      PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
    3⤵
    PID:204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3332 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17226895205913610438,8374847098662123994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6528 /prefetch:8
    3⤵
    PID:2232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xin.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xin.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe" 2
    3⤵
    - Executes dropped EXE
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe" 1
    3⤵
    - Executes dropped EXE
    PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bf.exe

Filesize
48KB

MD5
d6e9446f5aac0df00f2427cae16932f3

SHA1
d2f00e3058d9e5b9cf029b1b35541720b4c14447

SHA256
4ffb380fcc6150d3709bc938a5fb5097ab9e8137c5760a5289f4cddbd10b9297

SHA512
f2baa7af88f7ba6d493e60560ce8f67dfa5c60c1f70eeb787f8d95477289788a63a2714da4d4fccc6b2f929c178b55b1b799f1b3a5c346c20bdbf55438655a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bf.exe

Filesize
48KB

MD5
d6e9446f5aac0df00f2427cae16932f3

SHA1
d2f00e3058d9e5b9cf029b1b35541720b4c14447

SHA256
4ffb380fcc6150d3709bc938a5fb5097ab9e8137c5760a5289f4cddbd10b9297

SHA512
f2baa7af88f7ba6d493e60560ce8f67dfa5c60c1f70eeb787f8d95477289788a63a2714da4d4fccc6b2f929c178b55b1b799f1b3a5c346c20bdbf55438655a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xin.exe

Filesize
131KB

MD5
a1a81a17ac3f5f2f904f79d2b1da2f51

SHA1
c2f857b582e07f139e28d2a29c0ba64263762029

SHA256
51fbfadfdeab524af77e34e53adfbb30d112f45d24523737dd3e4c910c08e612

SHA512
ce0d29387adedd527bd503f5cb94b3ba1783a6916fa7a18b1cc3ac0d6051255afb04013b68c236f9184c67e877abac9d69bd12ef93eea53a20a068ad1c59eb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xin.exe

Filesize
131KB

MD5
a1a81a17ac3f5f2f904f79d2b1da2f51

SHA1
c2f857b582e07f139e28d2a29c0ba64263762029

SHA256
51fbfadfdeab524af77e34e53adfbb30d112f45d24523737dd3e4c910c08e612

SHA512
ce0d29387adedd527bd503f5cb94b3ba1783a6916fa7a18b1cc3ac0d6051255afb04013b68c236f9184c67e877abac9d69bd12ef93eea53a20a068ad1c59eb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe

Filesize
39KB

MD5
b30aab712eeb87dee36fef42328143e6

SHA1
22114fc40de7c63a026a542be6b742f4cc20feaf

SHA256
338306111da74aaa288eff4027c3571dc03613211c72791c00888c49d7a2f8bb

SHA512
7c76ab58bf27f5ec9210966b8e5749c1499d83ab2220e78636cd1ee73335b1966c3cbc8ec5be8286ced96cbac79e274ba0b690cc675f1b1587e0c4a1d5001043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe

Filesize
39KB

MD5
b30aab712eeb87dee36fef42328143e6

SHA1
22114fc40de7c63a026a542be6b742f4cc20feaf

SHA256
338306111da74aaa288eff4027c3571dc03613211c72791c00888c49d7a2f8bb

SHA512
7c76ab58bf27f5ec9210966b8e5749c1499d83ab2220e78636cd1ee73335b1966c3cbc8ec5be8286ced96cbac79e274ba0b690cc675f1b1587e0c4a1d5001043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AnySetup.exe

Filesize
39KB

MD5
b30aab712eeb87dee36fef42328143e6

SHA1
22114fc40de7c63a026a542be6b742f4cc20feaf

SHA256
338306111da74aaa288eff4027c3571dc03613211c72791c00888c49d7a2f8bb

SHA512
7c76ab58bf27f5ec9210966b8e5749c1499d83ab2220e78636cd1ee73335b1966c3cbc8ec5be8286ced96cbac79e274ba0b690cc675f1b1587e0c4a1d5001043

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat

Filesize
146B

MD5
fbd5ab5f45ff0256360e698bb0ba1a43

SHA1
9c58b164bab31de56fc8f20b81747adc4d3acabe

SHA256
d5801147fae08f6cd41648f24735e1082f95219890b86d3b843c6dd26a6e8ea6

SHA512
d70e66c4d1decb936695879bfbad709f13b28d7b52884b705d2cba4b42ef0897156b2a8ada3a018a1aa9e51cc37e79e83c9652f12cc67ec29aba33d5a5635b4f

Download Submit
C:\Users\Admin\AppData\Roaming\SrDownLoader\up.ini

Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Windows\SysWOW64\360Setup.exe

Filesize
10KB

MD5
72d115ff53c4e83be0dd50fa391cc949

SHA1
b21ce6b1388c6aecb3cba4cbdcd00ada32f6d4e0

SHA256
fd82b3e5e2ec447736cab8d41fab6696b1d60031475c13f5461c82a40bc1cc2b

SHA512
f839f25ae4c97933d4158e2c15837eae893c9371402c133f604581edad2a1eca52ba2826cd08f4232a8687c55fc353436646f3172fa7c928065998da33e315a0

Download Submit
C:\Windows\SysWOW64\360setup.exe

Filesize
10KB

MD5
72d115ff53c4e83be0dd50fa391cc949

SHA1
b21ce6b1388c6aecb3cba4cbdcd00ada32f6d4e0

SHA256
fd82b3e5e2ec447736cab8d41fab6696b1d60031475c13f5461c82a40bc1cc2b

SHA512
f839f25ae4c97933d4158e2c15837eae893c9371402c133f604581edad2a1eca52ba2826cd08f4232a8687c55fc353436646f3172fa7c928065998da33e315a0

Download Submit
memory/3152-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4280-159-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-161-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-160-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4976-166-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4976-164-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download