9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe
Size

36KB
MD5

859cc247e9f9f612eb010ebfe8bc1f7a
SHA1

35b86fe24963fe523fa50fe8a2bcfc374a7314a4
SHA256

9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608
SHA512

60b47be01827ffc6dafba4217d38e649d37fed9c94aafe983bb3853b0ae1c509094d116af19a4ae11d584d62ae4d65efba6f1aa95265954f90c04a52c61cd19d
SSDEEP

192:sLRgcTP2KV2iB4yWKbB5RMbr7dfJ/eJcD0ue/8:EHOK0iJWRfJnAvU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7a236ac8-f30f-46c6-8e29-232b984fd5b8.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221211031054.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.wghai.com/"	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.wghai.com/"	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
2792	msedge.exe
2792	msedge.exe
2780	msedge.exe
2780	msedge.exe
4264	msedge.exe
4264	msedge.exe
2988	identity_helper.exe
2988	identity_helper.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3852	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	80
PID 4004 wrote to memory of 3852	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	80
PID 4004 wrote to memory of 3852	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	80
PID 4004 wrote to memory of 5108	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	81
PID 4004 wrote to memory of 5108	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	81
PID 4004 wrote to memory of 5108	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	81
PID 4004 wrote to memory of 1516	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	84
PID 4004 wrote to memory of 1516	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	84
PID 4004 wrote to memory of 1516	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	84
PID 4004 wrote to memory of 4680	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	86
PID 4004 wrote to memory of 4680	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	86
PID 4004 wrote to memory of 4680	4004	9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe	86
PID 4916 wrote to memory of 4772	4916	explorer.exe	88
PID 4916 wrote to memory of 4772	4916	explorer.exe	88
PID 984 wrote to memory of 4764	984	explorer.exe	89
PID 984 wrote to memory of 4764	984	explorer.exe	89
PID 3536 wrote to memory of 4264	3536	explorer.exe	90
PID 3536 wrote to memory of 4264	3536	explorer.exe	90
PID 4772 wrote to memory of 1992	4772	msedge.exe	93
PID 4772 wrote to memory of 1992	4772	msedge.exe	93
PID 4764 wrote to memory of 4312	4764	msedge.exe	92
PID 4764 wrote to memory of 4312	4764	msedge.exe	92
PID 4264 wrote to memory of 628	4264	msedge.exe	94
PID 4264 wrote to memory of 628	4264	msedge.exe	94
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4772 wrote to memory of 5004	4772	msedge.exe	97
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98
PID 4264 wrote to memory of 3248	4264	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe
"C:\Users\Admin\AppData\Local\Temp\9a57d0f6df862743f97b0e26a53e07f2390e9e8983955887cd428bb75bd93608.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\SysWOW64\explorer.exe
  explorer http://www.wghai.com/
  2⤵
  PID:3852
- C:\Windows\SysWOW64\explorer.exe
  explorer http://www.qsyou.com/
  2⤵
  PID:5108
- C:\Windows\SysWOW64\explorer.exe
  explorer http://www.super-ec.cn
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  PID:4680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.wghai.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca08b46f8,0x7ffca08b4708,0x7ffca08b4718
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11028661245921335396,3194361389892007395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11028661245921335396,3194361389892007395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.qsyou.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca08b46f8,0x7ffca08b4708,0x7ffca08b4718
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7144510449139700982,750790370502662757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7144510449139700982,750790370502662757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:1104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.super-ec.cn/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca08b46f8,0x7ffca08b4708,0x7ffca08b4718
    3⤵
    PID:628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
    3⤵
    PID:2228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
    3⤵
    PID:3104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 /prefetch:8
    3⤵
    PID:2000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 /prefetch:8
    3⤵
    PID:3340
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:8
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff78c3f5460,0x7ff78c3f5470,0x7ff78c3f5480
      4⤵
      PID:1272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1952 /prefetch:8
    3⤵
    PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6188 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1979851308598467958,217439049690308356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
    3⤵
    PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
d740e465d799d860e58766b158f6dd3a

SHA1
66d074ec31061b1fff4d14d70fed8c90f019fd25

SHA256
fe21cc72b390d0b2d855e8968e4b3d4f2fff76fc7fc937a84e34dfa76d5b9546

SHA512
1db7929068db94ebcc51b59bc463d070165658223819a090edcfc7c0405bac467befe665cd9b808b8543fa7462aa33d54965a92fad0c9545b8bc6f560f328a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
d740e465d799d860e58766b158f6dd3a

SHA1
66d074ec31061b1fff4d14d70fed8c90f019fd25

SHA256
fe21cc72b390d0b2d855e8968e4b3d4f2fff76fc7fc937a84e34dfa76d5b9546

SHA512
1db7929068db94ebcc51b59bc463d070165658223819a090edcfc7c0405bac467befe665cd9b808b8543fa7462aa33d54965a92fad0c9545b8bc6f560f328a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
76a6181352b643ce9c83e1bf2d1a4375

SHA1
3e02546d0037a55100284f9642fa178f487bb010

SHA256
3e3f67e8a61ff2e0d0ea6e7c60c72719889d8f82c0192b0e86f95a803950c831

SHA512
a9eca274e8ad628714f87cf31dcd96c74fea3f141fc9f6de231fac1e82960e7f353b73a7233bc8e5eb216303ab25754688719b5475f4a038723ac96ae83e9625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
2fc6d7661c6c931b8a178d1e9d2cfb1b

SHA1
2df837d0afa3b96e7b03f4fdd8b99de02df324e3

SHA256
d33d321e6db3eeb1b1a20fa4f4543aebbd7147613dc145d3dfb177e8a334efde

SHA512
a70588fd31702acd04a1465e2fbc5ed4b78ce2d14b6676589e9ed43d5f610ca2a0e989078e26289f3e3441c2d947738f22642e859696416a6b5d42409930e97a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
f564970d0edce55342131ec3bfe04bab

SHA1
3cf358269149c65311171dc9f6e42cefddce4c00

SHA256
1ef3cb169935e7b8661bbd3aea3378580132f6a80fe6612bf53c4febf05e6a89

SHA512
5ef75fc5a36ae15554eeace1483f51302fdb02f50a9e86097acbb9036303e002c2ba76e509639849014eaf07f6c822e1ab959f4d133cd1549fa88c3795a1f54a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
cfcf67a8d13aa15a2afaf466b76b597a

SHA1
4487aaf6f4e827783d9477ad643e5ad41fc18c36

SHA256
5466747a0873c8ba6369f1ff1cb74ec96914a0ad49533ede65f9335337cd79bb

SHA512
41def338aeb107b8175c88b97b9b5e35f2b79ece0dedb8125f9f93d47f7267cb647dc01300513821ebdb821b08ec77e7bf9486100f02cbd0b4750d0d5b75ae0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
cfcf67a8d13aa15a2afaf466b76b597a

SHA1
4487aaf6f4e827783d9477ad643e5ad41fc18c36

SHA256
5466747a0873c8ba6369f1ff1cb74ec96914a0ad49533ede65f9335337cd79bb

SHA512
41def338aeb107b8175c88b97b9b5e35f2b79ece0dedb8125f9f93d47f7267cb647dc01300513821ebdb821b08ec77e7bf9486100f02cbd0b4750d0d5b75ae0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
cfcf67a8d13aa15a2afaf466b76b597a

SHA1
4487aaf6f4e827783d9477ad643e5ad41fc18c36

SHA256
5466747a0873c8ba6369f1ff1cb74ec96914a0ad49533ede65f9335337cd79bb

SHA512
41def338aeb107b8175c88b97b9b5e35f2b79ece0dedb8125f9f93d47f7267cb647dc01300513821ebdb821b08ec77e7bf9486100f02cbd0b4750d0d5b75ae0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
865248d4c630211f99ff36872ef0ce07

SHA1
e30022b8a4f5a6af668c58429d2cbbfcd53a6abf

SHA256
9f78c3321021dab1e65d3da5cf3ed50e44b90e4bc7748ca0152ff226d33548cc

SHA512
bd646620de7e94dcf29aec9aa4b8a72da8d553c20019f233e8692a81c994fe1b689bfdcb8734f078a6a01061a91163cbb70f1bb113954efde4d5a62ea17af430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
43d9e959a48c5cc6999dddbcf60fefca

SHA1
bcf4bb797e744cf3c34bbbf8fd611e835d9bb8ff

SHA256
47a6ca123b57b6990911f1e4216236357907cfea57e141b843a37bd2b99fb9ba

SHA512
85b12c793289288d365acf5ff6372b265f6e2c2c349272a6b53a5c68bae3c39d32d2267f5cd627c5a5a2c56b4697c476da5247b2b9cb73b382f9279f2fd25b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
865248d4c630211f99ff36872ef0ce07

SHA1
e30022b8a4f5a6af668c58429d2cbbfcd53a6abf

SHA256
9f78c3321021dab1e65d3da5cf3ed50e44b90e4bc7748ca0152ff226d33548cc

SHA512
bd646620de7e94dcf29aec9aa4b8a72da8d553c20019f233e8692a81c994fe1b689bfdcb8734f078a6a01061a91163cbb70f1bb113954efde4d5a62ea17af430

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
118B

MD5
79c2d477a8ce46d58e595f517aaa6304

SHA1
d6f6f39d0231c16b1d0b1a9058e24c61c74dd990

SHA256
284a48568ac0fe5858c338a6752f14b211d68442280ae33506d6a21defd28b77

SHA512
678ea74fc7759ceb98f54524d6fe08f43c61bdcb9073f1c7b809b5bc7fab8869132a97b1b05840a9dbe426e0ae34eeb6c92743a7e34e34fd89b478246eb9f469

Download Submit