94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
Size

13.9MB
MD5

52f20126cecbd70c986713febec3c7f7
SHA1

c1eaf17e6e0e9d02144d62ceaad1813d7bc827c7
SHA256

94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68
SHA512

1c97493c6fe0733152e16392be12665326a2530489bb0f84e271a8406a542bb7d932d0a0191e4b3ff4267d1af6496a74a0fe876aff1519155d3230785147ef62
SSDEEP

393216:2VKp8wkU0qgwHTK0CKucdS7sSAZx74BJb:6jq1HOa7x74B

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1052	wimlib.EXE
1844	Qiibiosinfo.exe
4608	Qiibiosinfo.exe
5092	Qiibiosinfo.exe
2028	Qiibiosinfo.exe

Loads dropped DLL 1 IoCs

pid	Process
1052	wimlib.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023234-133.dat	upx
behavioral2/files/0x0006000000023234-134.dat	upx
behavioral2/memory/1844-136-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/memory/1844-137-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/files/0x0006000000023234-138.dat	upx
behavioral2/memory/4608-141-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/files/0x0006000000023234-143.dat	upx
behavioral2/memory/5092-144-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/files/0x0006000000023234-145.dat	upx
behavioral2/memory/2028-146-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/memory/2028-147-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/memory/1844-182-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx
behavioral2/memory/4608-189-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\Y:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\B:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\G:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\J:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\L:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\O:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\P:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\V:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\A:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\E:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\I:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\K:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\M:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\Q:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\H:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\N:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\T:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\U:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\Z:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\S:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\W:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
File opened (read-only)	\??\X:	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3972	msedge.exe
3972	msedge.exe
896	identity_helper.exe
896	identity_helper.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	1052	wimlib.EXE
Token: SeSecurityPrivilege	1052	wimlib.EXE
Token: SeRestorePrivilege	1052	wimlib.EXE
Token: SeSecurityPrivilege	1052	wimlib.EXE
Token: SeTakeOwnershipPrivilege	1052	wimlib.EXE
Token: SeManageVolumePrivilege	1052	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	1844	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	4608	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	5092	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	2028	Qiibiosinfo.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4104	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	83
PID 3804 wrote to memory of 4104	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	83
PID 3804 wrote to memory of 4104	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	83
PID 4104 wrote to memory of 1052	4104	cmd.exe	85
PID 4104 wrote to memory of 1052	4104	cmd.exe	85
PID 3804 wrote to memory of 4344	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	86
PID 3804 wrote to memory of 4344	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	86
PID 3804 wrote to memory of 4344	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	86
PID 4344 wrote to memory of 1844	4344	cmd.exe	88
PID 4344 wrote to memory of 1844	4344	cmd.exe	88
PID 3804 wrote to memory of 3932	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	89
PID 3804 wrote to memory of 3932	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	89
PID 3804 wrote to memory of 3932	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	89
PID 3932 wrote to memory of 4608	3932	cmd.exe	91
PID 3932 wrote to memory of 4608	3932	cmd.exe	91
PID 3804 wrote to memory of 3424	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	94
PID 3804 wrote to memory of 3424	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	94
PID 3804 wrote to memory of 3424	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	94
PID 3424 wrote to memory of 5092	3424	cmd.exe	96
PID 3424 wrote to memory of 5092	3424	cmd.exe	96
PID 3804 wrote to memory of 4468	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	97
PID 3804 wrote to memory of 4468	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	97
PID 3804 wrote to memory of 4468	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	97
PID 4468 wrote to memory of 2028	4468	cmd.exe	100
PID 4468 wrote to memory of 2028	4468	cmd.exe	100
PID 3804 wrote to memory of 3972	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	102
PID 3804 wrote to memory of 3972	3804	94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe	102
PID 3972 wrote to memory of 1904	3972	msedge.exe	103
PID 3972 wrote to memory of 1904	3972	msedge.exe	103
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107
PID 3972 wrote to memory of 3068	3972	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe
"C:\Users\Admin\AppData\Local\Temp\94d6094ecc058dc29ba443b85d665c319263cd3c27f5b299c31ea8d0d11b0d68.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Temp\EasyRC\\wimlib.EXE apply "C:\Temp\EasyRC\\dism.wim" 1 C:\Temp\EasyRC\dismidtvg\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Temp\EasyRC\wimlib.EXE
    C:\Temp\EasyRC\\wimlib.EXE apply "C:\Temp\EasyRC\\dism.wim" 1 C:\Temp\EasyRC\dismidtvg\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Temp\EasyRC\Qiibiosinfo.exe
    C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Temp\EasyRC\\Qiibiosinfo.exe --uefi
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Temp\EasyRC\Qiibiosinfo.exe
    C:\Temp\EasyRC\\Qiibiosinfo.exe --uefi
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Temp\EasyRC\Qiibiosinfo.exe
    C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Temp\EasyRC\Qiibiosinfo.exe
    C:\Temp\EasyRC\\Qiibiosinfo.exe --sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.firpe.cn/
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ebb46f8,0x7ffa6ebb4708,0x7ffa6ebb4718
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:3196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,599980787739407940,15632618309415207269,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2736 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\EasyRC\HwRwDrvx64.sys

Filesize
22KB

MD5
d89dc4c1ccfa3553b5c92770251cf2f1

SHA1
15ec7bbf464b705441acf3bf3e4f49382cc18119

SHA256
3331af898ebe81cde9903f9f2f4dbf56f2684230ef01ef6f5cf59ad28b63c214

SHA512
b54db8d2af103fe250ab6eb7231eb7f6c3cbf2fdf696e090cea9846594db7aab580ffa4f876f9b80f13e0acd8e9dff57edbc766067e9f131486b153d785a9f60

Download Submit
C:\Temp\EasyRC\QiiImagex.EXE

Filesize
845KB

MD5
dcd13e8935cd5a235d6d3124fc9d8bc2

SHA1
41426a7d1c5932ac6853186e41797f94c043e7dc

SHA256
3d68842a89267810e4fbfa73e57d4a6519ae3269190c066cfab3e7650542465e

SHA512
c06569b6080161d26776cda16aadcb5b8c5038b1809d57bc5c6c016710736368ab4f658c6d7b71fbfafb945b045d69c5f89592b537a048458622e521da1f7c5e

Download Submit
C:\Temp\EasyRC\Qiibiosinfo.exe

Filesize
314KB

MD5
fac53f717a9cd5109ee0d96feeca2408

SHA1
31b0c7eeea65a23bac3631daefd2ba60fbcb6ce9

SHA256
b4aee8bcbf7df15080872eead1421f24b31ff358f10fe216ecf395814ad1c2fe

SHA512
6225e37e812de3d77e1a5867f95095200c4a621026995b3874d7ee9d0c4719fe17f6e27a025655dc866db935c98206d64c0e2bd0565fb76fd976a5abdb0d262c

Download Submit
C:\Temp\EasyRC\Qiibiosinfo.exe

Filesize
314KB

MD5
fac53f717a9cd5109ee0d96feeca2408

SHA1
31b0c7eeea65a23bac3631daefd2ba60fbcb6ce9

SHA256
b4aee8bcbf7df15080872eead1421f24b31ff358f10fe216ecf395814ad1c2fe

SHA512
6225e37e812de3d77e1a5867f95095200c4a621026995b3874d7ee9d0c4719fe17f6e27a025655dc866db935c98206d64c0e2bd0565fb76fd976a5abdb0d262c

Download Submit
C:\Temp\EasyRC\Qiibiosinfo.exe

Filesize
314KB

MD5
fac53f717a9cd5109ee0d96feeca2408

SHA1
31b0c7eeea65a23bac3631daefd2ba60fbcb6ce9

SHA256
b4aee8bcbf7df15080872eead1421f24b31ff358f10fe216ecf395814ad1c2fe

SHA512
6225e37e812de3d77e1a5867f95095200c4a621026995b3874d7ee9d0c4719fe17f6e27a025655dc866db935c98206d64c0e2bd0565fb76fd976a5abdb0d262c

Download Submit
C:\Temp\EasyRC\Qiibiosinfo.exe

Filesize
314KB

MD5
fac53f717a9cd5109ee0d96feeca2408

SHA1
31b0c7eeea65a23bac3631daefd2ba60fbcb6ce9

SHA256
b4aee8bcbf7df15080872eead1421f24b31ff358f10fe216ecf395814ad1c2fe

SHA512
6225e37e812de3d77e1a5867f95095200c4a621026995b3874d7ee9d0c4719fe17f6e27a025655dc866db935c98206d64c0e2bd0565fb76fd976a5abdb0d262c

Download Submit
C:\Temp\EasyRC\Qiibiosinfo.exe

Filesize
314KB

MD5
fac53f717a9cd5109ee0d96feeca2408

SHA1
31b0c7eeea65a23bac3631daefd2ba60fbcb6ce9

SHA256
b4aee8bcbf7df15080872eead1421f24b31ff358f10fe216ecf395814ad1c2fe

SHA512
6225e37e812de3d77e1a5867f95095200c4a621026995b3874d7ee9d0c4719fe17f6e27a025655dc866db935c98206d64c0e2bd0565fb76fd976a5abdb0d262c

Download Submit
C:\Temp\EasyRC\dism.wim

Filesize
3.1MB

MD5
cd6a67b7fa1958f0b6879009f38c3e3b

SHA1
f92f534dd6c7ba3d9edd7bec292d0a489afbe50c

SHA256
14e348aa7e8dcd4094993102a09e8309ea8f327d57febd73034b19f792cf6090

SHA512
225fc4d92976cc1236db77215a36a3a1977ac396c8146cd54a5984569483d3c96d6f345c07d961b5318d4d1dd85b1a7096cd091b2e5bce3a5cdbb774604109b8

Download Submit
C:\Temp\EasyRC\dismidtvg\X64\dism.exe

Filesize
329KB

MD5
f350e791f2ed95fb4a6fc50a0ea32b37

SHA1
472a3de24cd10913354798d51082d20fb166b2b1

SHA256
3c63ddb1e3f10ad6aa96ad7e35a080495e32cd748dbdbc0460f3f93beeee6b7f

SHA512
4b50aa71bec1aea7e18bd6b4c930942f513e2e8f55e7de217e5f7e19e0363f8f202dd75c9efb4a9b3f5046a90315a99614595ca13fffc4b3c80f9e2a44f5f51b

Download Submit
C:\Temp\EasyRC\libwim-15.dll

Filesize
471KB

MD5
e00fa5e9967055c31a62410fa4a758a2

SHA1
334b69f34bb6eb3c4dcd4a3a5ff570642b672ef6

SHA256
b8f1f4a0a74bf2b009dcfa8854fd9146cd061ad39b78da24abbed5d9396759f0

SHA512
1f0db54b043da9749bda9902b71d9755d6b425856874a00f4005bc0d1ec09c99bd4d84321944ac20f04a0708afaf38f2b67256c06892828781655c7c92052458

Download Submit
C:\Temp\EasyRC\libwim-15.dll

Filesize
471KB

MD5
e00fa5e9967055c31a62410fa4a758a2

SHA1
334b69f34bb6eb3c4dcd4a3a5ff570642b672ef6

SHA256
b8f1f4a0a74bf2b009dcfa8854fd9146cd061ad39b78da24abbed5d9396759f0

SHA512
1f0db54b043da9749bda9902b71d9755d6b425856874a00f4005bc0d1ec09c99bd4d84321944ac20f04a0708afaf38f2b67256c06892828781655c7c92052458

Download Submit
C:\Temp\EasyRC\wimlib.EXE

Filesize
136KB

MD5
c297992a7e8a207508fe30c71bf2691c

SHA1
bdbf4936b0450cbaeb679f79bcbd1e719e13f813

SHA256
a2fabc32d5c405c013e29d5b5f553067aeed6896098945e490726269f415d1a2

SHA512
9662eee3563be1b9da683353b6b57091f96bce339d8732f1b9031867ac1ec5dbbc939f8adf297afd5c786347eecb5f801766a0f52edafb5e5c47803b87b58299

Download Submit
C:\Temp\EasyRC\wimlib.EXE

Filesize
136KB

MD5
c297992a7e8a207508fe30c71bf2691c

SHA1
bdbf4936b0450cbaeb679f79bcbd1e719e13f813

SHA256
a2fabc32d5c405c013e29d5b5f553067aeed6896098945e490726269f415d1a2

SHA512
9662eee3563be1b9da683353b6b57091f96bce339d8732f1b9031867ac1ec5dbbc939f8adf297afd5c786347eecb5f801766a0f52edafb5e5c47803b87b58299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
1c9ec2f87cc6e557b3bb3a8d9cbda25b

SHA1
7353853db0848d0038ebd0774814fc66883a34cb

SHA256
8fdf9389ae0bb0fe4e773e2fcc6da0f447e905223b64d87bb71325e820e031c9

SHA512
0c44b7439717004cb67c81392652aef530b1c500d14bf2a22b7067bd90104898f1452c00a0f51cb348553c4aee26f9cc76c05957f8e3f26d2ccf050570a87055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
1efa6ab5f5299edfed56acb3125ba151

SHA1
63f9faa30723165fa7dc9d41d2217f367743c304

SHA256
6c04882c8dbee979d601910ba232e2d7bd6ac0eb3dc7502f43c507426a82fedc

SHA512
58a6965ec9d38103c5a21a56c61259d3b396278cfc9b389a53d9d924f9ecf838a7451a86184233fbeb1e36a1d896d9693d23e693fa623ab9922831e4b61f25c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65b1d35e43c78cae1353212f423a4ad0

SHA1
e99fb4b596a4f8cd2f2d5293885f2d5a189b725c

SHA256
b7d893a55296347b5a1808266ca211100e4e4a627e7063c11ecbdb81688c1af7

SHA512
c4403543d0cf635f079cb794e192f5932905cba0dfe8e42715b90543883c193c27361d6d222f81f988dadd22d966827ef229650e39efad36b76bed14044079d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45951e58ed952f375627a5815dba7cd7

SHA1
832b025026f7ee6dcf8618dd0986d9aa2464c255

SHA256
d54641a16b41b38492cc5e4fe7ce571fc42791b399e6b4c0c2c9576b02fbcd83

SHA512
ab7de758c181cc31103fd44f9b152bc5c79f1a561fb499de175b0239807ace29e6f5862e3baa52f2acabbaa46633cbb032b46f7e558934f77f90178678446ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
842cb5efc10c1afb6e3bee7ffe865451

SHA1
0f793963759ed6d223799f8270de97590fc06f86

SHA256
ae26789e3eca470c3d49902688a3d22698982800d88dde9fcc781b39296c211d

SHA512
01e8460e0df89b87ffc934d0afcdad447851d927e582723b2874544198cfa57d3e45f745959ff289f5ef69f4a550f79d0565bc8ec43ac148cb1faae5d025fd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c5d4302071794348c0cf5381aaa8142

SHA1
8e161b3e61a16934aca140fbe01c31a5f1583158

SHA256
d44e7dc9d384cdb3fac5d7e1eaa535793679fff01703bbdf941d93a9e9f8227b

SHA512
2c8ec73fdbe966e2320036a34c176c9e57c622b19975f4f491dc04c72e3b884b96a05a30585d841f33c9acf1a6cc98a21c2c98e4e0c7b2ab6f21a51c279da483

Download Submit
memory/1052-122-0x00007FF6B7090000-0x00007FF6B70BA000-memory.dmp

Filesize
168KB

Download
memory/1052-123-0x00007FFA7DF40000-0x00007FFA7DFDF000-memory.dmp

Filesize
636KB

Download
memory/1844-136-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/1844-182-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/1844-137-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/2028-147-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/2028-146-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/3804-2-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3804-148-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/3804-0-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/3804-139-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/3804-1-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/4608-189-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/4608-141-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/5092-211-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download
memory/5092-144-0x00007FF6ED990000-0x00007FF6EF1E5000-memory.dmp

Filesize
24.3MB

Download