fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 08:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Size

2.4MB
MD5

a369706ab239cca332e25309f8d0fd72
SHA1

1f4730b62ae05212084423a2c90d3165c5a083e9
SHA256

fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09
SHA512

d8ddec5a4149a984357ce223b511c17fcbafef220609c20341cac7c586ba4e65574bd67cfc073b1b458873510865841ecb97e397579f3416a2d62f780a091620
SSDEEP

49152:Wp9GAntifCyTBp3NYc7ifdIwLpJCxzS6qRS63dn9RTeleqJR9dI:oQfLp9YUifuAQySA9ErH

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1052-0-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-13-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-108-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-147-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-157-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-159-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-160-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-170-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-175-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-194-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-195-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-196-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-197-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-198-0x0000000000400000-0x000000000101D000-memory.dmp	upx
behavioral2/memory/1052-201-0x0000000000400000-0x000000000101D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
5100	msedge.exe
5100	msedge.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: SeDebugPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: SeDebugPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: SeDebugPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: SeDebugPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: 33	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
Token: SeIncBasePriorityPrivilege	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 5100	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe	87
PID 1052 wrote to memory of 5100	1052	fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe	87
PID 5100 wrote to memory of 3128	5100	msedge.exe	88
PID 5100 wrote to memory of 3128	5100	msedge.exe	88
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 3992	5100	msedge.exe	89
PID 5100 wrote to memory of 4948	5100	msedge.exe	90
PID 5100 wrote to memory of 4948	5100	msedge.exe	90
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91
PID 5100 wrote to memory of 4828	5100	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe
"C:\Users\Admin\AppData\Local\Temp\fb62b1450808fbb344b7ed8751dd3b3d900adf0b4851c9da7b5165a3a65baf09.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://lanseyou.top:6093/txt?&ys=0&lj=%E6%94%AF%E6%8C%81%E7%B9%81%E4%BD%93%E7%B3%BB%E7%BB%9F%E6%96%B9%E6%B3%95
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa054c46f8,0x7ffa054c4708,0x7ffa054c4718
    3⤵
    PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:3992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12558753131899882537,8700035552347452545,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 /prefetch:2
    3⤵
    PID:4036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3590c7788f1f36717cbd298007259a6f

SHA1
9e9a602016435a1d642e18a54d8d6589f938a5bb

SHA256
09a08de2fcd19e304c3b8f6e04f5e4da257a3f18759827be4e9c6af862412174

SHA512
07df3ee7e2d4a313c996c6b8451450556a75e5ac8e4d10595f255164fdd25d6bc596ad579d90f6496c78a15a3c6fc349d748dd7c5f4b2b51d330c52577e2988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f7cfdb9251698a6c37e408dbc10ed633

SHA1
959d0f088b3d0a499b6556cf60c1efb6d704908e

SHA256
80728375dcf31d7a24da0cb81f245611409d0562744c001afabb9cbbaed1e337

SHA512
cad6567062be5fb108f59ec80d1341cfd00cc358ce62c4d5a07ca3cf6b276b83549d5d8d822f9a95988ac7720b94d68bb344a7306bafec3b5dbac099efd76cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
821b6b926b74e8ebf211742030fdf592

SHA1
56e11eea026e145f1261047e6bd8cffbfb745ab9

SHA256
4626c53080fb0ce1fe88ffae48a1ed81f90c104c59aa0bbe34367622d5e74aff

SHA512
33e03c0cdb624df91a8c6db385fc6465df6463e6743bd67823494fa5f8d6a23a79569b3e2d71882b00bd4550f1a1b043b9dcc9daa361ddc3b442da8785383ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a128973ca2ca245299ef7e60156b4ef8

SHA1
d39a437204591bbff98d673e6d1c4f869683ebcc

SHA256
5c6e1f3c7213460c24dc670521adbe32ec76df5e3facc0a7b92a3fa9e340b302

SHA512
bbbdbe2fae61c2a27b4aadfbda2efae2675156dcea6edb8b45fbe83f397f8a1f50d694d8bcd1f53939a277722baf102f3f80caffadfcf0ca80d7408d77d8c490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
91ba053cee24e58d76a0ff13710981e1

SHA1
d9df0fec471faee629157800472928c4bad9e190

SHA256
a34c266cd32c4907555c1ce75121cf2686c1c88d3e263495fc172e4cdd20cea4

SHA512
618ec835dc8dd964a156e69973aded1dadd5171e0483daa21742bdb75a8909204a97925e354efe3420d8e3f9c5a8f51317cd5a4176dc482265d5a377bf50e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\fuwuqi.ini

Filesize
261B

MD5
dbe9de9c0ee038a2a78d8da0c2666375

SHA1
8594de18ca2d01d949acd546774b9f86bc6c92d1

SHA256
7178aa63a3bd913325cf413222d84a22485b4efe717d016c96a70fbc62ee2ae2

SHA512
5d9faa2f88c4632ebb31fa126260bfd5b7ac039ef817f71449b08b05dbaba3175cce62458e6e58f12e108147c064e48a23b0f82c0250e57d5f392c1c70a56fde

Download Submit
memory/1052-159-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-160-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-13-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-0-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-147-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-157-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-108-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-14-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1052-170-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-175-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-194-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-195-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-196-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-197-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-198-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download
memory/1052-201-0x0000000000400000-0x000000000101D000-memory.dmp

Filesize
12.1MB

Download