c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

Resubmissions

22-01-2025 14:45

250122-r45fys1mdw 6

22-01-2025 14:10

250122-rgyd5azlhy 6

11-12-2023 14:13

231211-rjk7ksacb3 7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
Size

836KB
MD5

e79180380997a855c8d19be02d035b7f
SHA1

8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e
SHA256

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1
SHA512

356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e
SSDEEP

24576:j2XSjbixTs21LN5w6yfygtF9M5ZXn3lftfsATt:y/42Yy8vs3ftfz

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2904	OnesNotem.exe
5420	OnesNotem.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	OnesNotem.exe
5420	OnesNotem.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\ProgramData\\VirtualFile\\OnesNotem.exe\" 919"	OnesNotem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\ProgramData\\VirtualFile\\OnesNotem.exe\" 919"	OnesNotem.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57d716.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d716.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0F64E67C-DF97-428D-BDF9-40EDA8A1F44D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID810.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d718.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e02189339a53643a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e02189330000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e0218933000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de0218933000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e021893300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector	OnesNotem.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	OnesNotem.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\ms-pu	OnesNotem.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 35004400370033004600360037004200380039003900300045004500450031000000	OnesNotem.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2228	msiexec.exe
2228	msiexec.exe
4532	msedge.exe
4532	msedge.exe
4340	msedge.exe
4340	msedge.exe
5584	identity_helper.exe
5584	identity_helper.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2776	msiexec.exe
Token: SeSecurityPrivilege	2228	msiexec.exe
Token: SeCreateTokenPrivilege	2776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2776	msiexec.exe
Token: SeLockMemoryPrivilege	2776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2776	msiexec.exe
Token: SeMachineAccountPrivilege	2776	msiexec.exe
Token: SeTcbPrivilege	2776	msiexec.exe
Token: SeSecurityPrivilege	2776	msiexec.exe
Token: SeTakeOwnershipPrivilege	2776	msiexec.exe
Token: SeLoadDriverPrivilege	2776	msiexec.exe
Token: SeSystemProfilePrivilege	2776	msiexec.exe
Token: SeSystemtimePrivilege	2776	msiexec.exe
Token: SeProfSingleProcessPrivilege	2776	msiexec.exe
Token: SeIncBasePriorityPrivilege	2776	msiexec.exe
Token: SeCreatePagefilePrivilege	2776	msiexec.exe
Token: SeCreatePermanentPrivilege	2776	msiexec.exe
Token: SeBackupPrivilege	2776	msiexec.exe
Token: SeRestorePrivilege	2776	msiexec.exe
Token: SeShutdownPrivilege	2776	msiexec.exe
Token: SeDebugPrivilege	2776	msiexec.exe
Token: SeAuditPrivilege	2776	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2776	msiexec.exe
Token: SeChangeNotifyPrivilege	2776	msiexec.exe
Token: SeRemoteShutdownPrivilege	2776	msiexec.exe
Token: SeUndockPrivilege	2776	msiexec.exe
Token: SeSyncAgentPrivilege	2776	msiexec.exe
Token: SeEnableDelegationPrivilege	2776	msiexec.exe
Token: SeManageVolumePrivilege	2776	msiexec.exe
Token: SeImpersonatePrivilege	2776	msiexec.exe
Token: SeCreateGlobalPrivilege	2776	msiexec.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeBackupPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2776	msiexec.exe
2776	msiexec.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1772	2228	msiexec.exe	108
PID 2228 wrote to memory of 1772	2228	msiexec.exe	108
PID 2228 wrote to memory of 2904	2228	msiexec.exe	110
PID 2228 wrote to memory of 2904	2228	msiexec.exe	110
PID 2228 wrote to memory of 2904	2228	msiexec.exe	110
PID 2904 wrote to memory of 4340	2904	OnesNotem.exe	111
PID 2904 wrote to memory of 4340	2904	OnesNotem.exe	111
PID 4340 wrote to memory of 4012	4340	msedge.exe	112
PID 4340 wrote to memory of 4012	4340	msedge.exe	112
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4824	4340	msedge.exe	114
PID 4340 wrote to memory of 4532	4340	msedge.exe	113
PID 4340 wrote to memory of 4532	4340	msedge.exe	113
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115
PID 4340 wrote to memory of 776	4340	msedge.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1772
- C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd057846f8,0x7ffd05784708,0x7ffd05784718
      4⤵
      PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      4⤵
      PID:776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:5196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5192 /prefetch:6
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:5680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
      4⤵
      PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:5872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12021307933805254208,7492105070246934262,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4080 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3632
- - C:\ProgramData\VirtualFile\OnesNotem.exe
    C:\ProgramData\VirtualFile\OnesNotem.exe 466
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:5420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d717.rbs

Filesize
8KB

MD5
a3816186b3155340eab38d5f7114455e

SHA1
0c75195ff8125b6ea5c957d84b78813c7a473788

SHA256
c101ad903413baf6c8f09a50d0b212c24ba8d1369089bb207d316608ed45e4a9

SHA512
0314b3013504d32547694fdf5539971cf5795a934ef46c10b5a7892952fc8e5304b35c56893136ab404c03fe68918ae4af82b989a8d744950ab6db7e7928593a

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\NoteLogger.dat

Filesize
718KB

MD5
b143e9814f3ce07fa7176ecdd4dfda89

SHA1
cb8314e9a25116f698ea74300cfdb35855f48905

SHA256
908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8

SHA512
038c5947f631e1143e3ffe6807d26755e7c39c8af7d5f95575859ab4841a1f4f1f1cc67ee7ab31b7a6f37667df32921cb1c12d6c0f53baa151fab66f350c032d

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe

Filesize
95KB

MD5
32c26797ab646074a2bb562f9d10adb5

SHA1
f478d70bc193f7c24da563e9eda7eb86239bbe12

SHA256
b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93

SHA512
e68f541ef999a0ff91e24090ea80ace97e8e8a600e1f1063954cf575f431cada9b501fdab9c87b1b9da8cb779b5f351e36ccba998e24fb7c75ded387a913fe2d

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\msi.dll

Filesize
88KB

MD5
5f39a964af306f40536aa6ac57b66758

SHA1
b84a5a5837e8aa5e5c8181f4589f9ad490acb55f

SHA256
651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859

SHA512
9b33dd995ed714e490e564c6d8e1fe85c382d2e9f20e24adc831af3f390c3a52d3f3a53172e07d5461665fb3d092b230481cecaf19b8aa0ebc9b1b84c3581230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef2ab50a3d368243b8203ac219278a5d

SHA1
2d154d63c4371354ff607656a4d94bc3734658a9

SHA256
2e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf

SHA512
4533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fbfe089a5e17f2c9d04cdc9624072d4b

SHA1
fc9a0655eded69a52ebe6306d4525e5d676d8ba5

SHA256
00e83ff08a91bae1345f6cd55b9aabd1052d2f8c000190666f7acea4307c8f1e

SHA512
1b9a28a3f5274c273a34b832436fd0c02fc2b1520af444be98b91fe4a10aefd2d2b6f84153acc2d714a3c1fea6df569d3ea5431edd9ee6da7fc4fdf7ca1d22ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16b101c0edcf21d0bf99543b0ef5ca00

SHA1
3e0098d5df746c7ecb83765d9a5e663e953bb2cb

SHA256
b959b8ff060d98d3309daef8e84b33d8d1c1ba918e2e5504efd1e77be543ea36

SHA512
e4bdd1e17073ba2836f287aac0ee5468c62fc4d3d0e05e7876848c41207eadd7da6c70f8eda9d7608fb447fbca284f041c3319e4714a73809e501eb953926888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bf38e67347aea6d520cda5fde321a1e5

SHA1
0e7a8def4c923201d76b41dfa9918bb1052827ea

SHA256
0f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025

SHA512
f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66dff0d45330d35d5ccf6f79a31d907a

SHA1
7d88d770833a6dac4bc1f243efdb8cf52b5c148e

SHA256
29c516d8d339a1caf26027d8fa41339a4130b741102db755c8dd07858a23e472

SHA512
78945c426d77242560b66073803b8ee8d07ce4d4e85484db80c42ba9a47750f85291f23c85d6c855dcc01e63f18ab26055702e0568ec5af3870c3fc14394f9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf

Filesize
96KB

MD5
153f31b1dbe2d7b6a3aa41ba6338e129

SHA1
87731dff3f5aa93fbb9161cc51381b36d7824ed5

SHA256
c6ef220d0c6e9015bdfb7977ff15e7f2c4c0dbfcd3b28ffb3066fe6d21251322

SHA512
ac817f3e544bc1f2ac4784432ea12f948cafc4e4fbd9fd69d5c86b9116c72ff6d3652c851f5b8358e7c6ecb3d26d3bd856ea1d5124866ad1f4b42df15ef40d48

Download Submit
C:\Windows\Installer\e57d716.msi

Filesize
836KB

MD5
e79180380997a855c8d19be02d035b7f

SHA1
8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e

SHA256
c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

SHA512
356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
1.5MB

MD5
02b877f1dba1390df9c04a867ae34145

SHA1
3bd52a5445383ec59991f661beedb735f082454a

SHA256
f74f347fb17c04cb8df8d53801360de53d669271c2a6f998688795bda938f488

SHA512
347bf712e88ca909c8ba027297de1ed2b083facf8a66b7c1f06457b9098aa5619c038d6836ff6449bf1012ee5904bb84f8aac51a7c21b895637096b22bf49599

Download Submit
\??\Volume{338921e0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{08a16808-097b-4552-95f0-520f2d37eb4d}_OnDiskSnapshotProp

Filesize
6KB

MD5
9557833d94e6f14e3730c89a45bf8113

SHA1
8f24c542bfa9120c0548d977a920a63dcbed51f0

SHA256
5bbc8591e681ee78e829ad0d18e7330c37d521ee03d17a75e97f796a1a2357bf

SHA512
c7d9500ec1573eefbbd76b947529c51a2ef9cc3e11e9e234de202cbe94b7429faea7074857ff518b189e735bc53430c0ff4f04283106e743142bc8636855fdec

Download Submit
memory/2904-30-0x0000000003230000-0x0000000006ED6000-memory.dmp

Filesize
60.6MB

Download
memory/2904-84-0x0000000075940000-0x0000000075966000-memory.dmp

Filesize
152KB

Download
memory/2904-79-0x0000000003230000-0x0000000006ED6000-memory.dmp

Filesize
60.6MB

Download
memory/2904-32-0x0000000003230000-0x0000000006ED6000-memory.dmp

Filesize
60.6MB

Download
memory/2904-31-0x0000000003070000-0x0000000003124000-memory.dmp

Filesize
720KB

Download
memory/5420-98-0x00000000031A0000-0x0000000006E46000-memory.dmp

Filesize
60.6MB

Download
memory/5420-85-0x00000000031A0000-0x0000000006E46000-memory.dmp

Filesize
60.6MB

Download
memory/5420-83-0x00000000031A0000-0x0000000006E46000-memory.dmp

Filesize
60.6MB

Download
memory/5420-125-0x0000000074570000-0x0000000074596000-memory.dmp

Filesize
152KB

Download
memory/5420-175-0x0000000074570000-0x0000000074596000-memory.dmp

Filesize
152KB

Download