c6143fc18a9dfe888d2aac0db8ce04ae383740d243402d39da7675d0d43d2da4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 23:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

206f8cc5d4d8b7419d84535b3d96ecce.exe
Size

295KB
MD5

206f8cc5d4d8b7419d84535b3d96ecce
SHA1

2d6c78efd91a3276f85aae8e0deaea2f86e4a083
SHA256

c6143fc18a9dfe888d2aac0db8ce04ae383740d243402d39da7675d0d43d2da4
SHA512

cff1f9e8a1f18120ed11feb20cb24f87fb6d6544c5a83120486a9af8ad40d0a8fb0e1bf9b00f1be9a12d50dfadf9f76cee97cf42c07002b104b8aba07305b9e6
SSDEEP

6144:cdYgxDpx2luzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDoL:tgxDpx0uLTKSH9flD74sK60ODDoL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
484	206f8cc5d4d8b7419d84535b3d96ecce.tmp

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Progra~1\TaoBao\is-4Q6DK.tmp	206f8cc5d4d8b7419d84535b3d96ecce.tmp
File created	C:\Progra~1\TaoBao\is-CT1DQ.tmp	206f8cc5d4d8b7419d84535b3d96ecce.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	Regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	Regedit.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\Shell\open\command\ = "\"Rundll32.exe\" \"proser.bak\" SetHP"	Regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	Regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\Shell	Regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\Shell\open	Regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\Shell\open\command	Regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
1316	Regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1844	msedge.exe
1844	msedge.exe
3244	identity_helper.exe
3244	identity_helper.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
484	206f8cc5d4d8b7419d84535b3d96ecce.tmp
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 484	5116	206f8cc5d4d8b7419d84535b3d96ecce.exe	38
PID 5116 wrote to memory of 484	5116	206f8cc5d4d8b7419d84535b3d96ecce.exe	38
PID 5116 wrote to memory of 484	5116	206f8cc5d4d8b7419d84535b3d96ecce.exe	38
PID 484 wrote to memory of 2788	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	65
PID 484 wrote to memory of 2788	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	65
PID 484 wrote to memory of 2788	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	65
PID 484 wrote to memory of 3632	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	70
PID 484 wrote to memory of 3632	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	70
PID 484 wrote to memory of 3632	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	70
PID 484 wrote to memory of 1316	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	72
PID 484 wrote to memory of 1316	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	72
PID 484 wrote to memory of 1316	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	72
PID 484 wrote to memory of 1844	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	100
PID 484 wrote to memory of 1844	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	100
PID 484 wrote to memory of 2296	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	99
PID 484 wrote to memory of 2296	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	99
PID 484 wrote to memory of 2296	484	206f8cc5d4d8b7419d84535b3d96ecce.tmp	99
PID 1844 wrote to memory of 1112	1844	msedge.exe	97
PID 1844 wrote to memory of 1112	1844	msedge.exe	97
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1656	1844	msedge.exe	102
PID 1844 wrote to memory of 1208	1844	msedge.exe	101
PID 1844 wrote to memory of 1208	1844	msedge.exe	101
PID 1844 wrote to memory of 4652	1844	msedge.exe	103
PID 1844 wrote to memory of 4652	1844	msedge.exe	103
PID 1844 wrote to memory of 4652	1844	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe
"C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\is-1JIIR.tmp\206f8cc5d4d8b7419d84535b3d96ecce.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1JIIR.tmp\206f8cc5d4d8b7419d84535b3d96ecce.tmp" /SL5="$B0232,51982,51712,C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\Regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Progra~1\TaoBao\info.desc
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Runs regedit.exe
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\206f8cc5d4d8b7419d84535b3d96ecce.exe"
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ttver.com/taobao8.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
      4⤵
      PID:3148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
      4⤵
      PID:1316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:2116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      4⤵
      PID:1012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
      4⤵
      PID:2852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:1696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5693981772544715857,1201925577112408169,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d42a46f8,0x7ff9d42a4708,0x7ff9d42a4718
1⤵
PID:1112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TaoBao\info.desc

Filesize
638B

MD5
8234879b9a26865f12c35dd78489ac1d

SHA1
75e13a431cdb604c62f4cc254506f815ac23dfb4

SHA256
51db39dc9595995744cf31ca49b86baf54fd3b3f7344c695f310f59b365aec31

SHA512
d1b1e7a4f5e77e17e75b8f865ee211c1f2c547feeafd13bfae0007935df90db6dcd4eedfb0d71440bd8984cdb016ca3a7d4c58b0da602d359116cb866c166fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84381d71cf667d9a138ea03b3283aea5

SHA1
33dfc8a32806beaaafaec25850b217c856ce6c7b

SHA256
32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424

SHA512
469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a35123af0209b3e29ab006580096e32

SHA1
a1404e59571668b5503d229eb3f3d33a7a74ef4f

SHA256
91d6e6bf380c383191f7b6452950212a1d82f9cad37dbcce6891b1b1f2c90453

SHA512
f58fb1db466069b880543e06c6c76734f784b57dc9863a0931c763c6fc86cd16c9f879b3343128121ef9204b77dac86ef965e1b1741bde89466a7ccb3816a458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f267317ad6c7d0e1f3befbe7b41559f

SHA1
6f59c4c22c89e2dd9676599a85e74f4ad610facd

SHA256
08e3d10f606bd00a3aa5ebf94db8d9c4c073a55b2bef2bf4ec2e3707e2475f81

SHA512
80deac4008eb51c663e47581d691b5b591523b703a1a7cf14f9c31bc07064ece1a62828714170e863b56498b7d1e17c13c14df4154e8cd5621e73bc0489517f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7fc3c95f01cf2de5d0004c2dde77146

SHA1
8fcd6730d30800e732cae1d9c3fc068b54cacad3

SHA256
78e2ffdc7732dcc8ba33c22d6ae787ade9074fb3b41a4f604b5e7518a1b6a5c4

SHA512
5021bf8ffb9c1b3e568f6673c13ed82de93fb80471f65f303c1cfd7a2e32a988046061a86cfb03f8a0199fc6e2bc71b01387f88c633db027f563edd9d5985378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff68de71132ddcbe77baa8a65de48eb7

SHA1
c57d8f94c2cddd470df2c83a54d59dda76ea8853

SHA256
211f101894f672090e72be9e7c6ae493d83f3285f31bcd2e2edec61d747896c5

SHA512
d254ae351f733b9fcb0deb62ecf7cadd97b6827f8522bc55f6357a44f0fa212c38d9cf6ba9a7d44290855c5fd66e01e5d71deddb93207cdde63de5fc721a58ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
81a9467e390e85e326afcf60d75415a6

SHA1
5fad477b0e961afec8c0aa4f7092cdda81bd8ac1

SHA256
924959a7834f149734123312d3a0712e0843ac0272f707767593b3ce9339c6f9

SHA512
18b86d98bbc91e63ff38b5996350e000a3bc4375f18e5ef4d4b00e9f7c683c153adad21c20bd1d84e58a7eb54a7b95f29f111e8e69da019d35bf44c47c85439f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
5KB

MD5
285cf790cf1d2d13c3cd6768157421f9

SHA1
56644af33965c0abba47c88327285f93bc88d396

SHA256
7438bc3fcc2c81bfaa1207c12d56b4bc8d0236bef98477a8f5adad05fdf67010

SHA512
1726a48bb84d80b128ebbffb23b1e1009a9093e0955bfc1ad0cec4e48c3b39401c7845d231e48331a339aff4d27ce42b3bf4a36b9b51ab2f38d87eb59439a8a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
53d6ea1a4fe83ca0a8b38f87c19ad842

SHA1
6710262acc059d7dd6ce07d27ecc109e667ef96d

SHA256
6f1aab0e69814c829907d539f7523202a467581f936562a5a9101436d1ed0e39

SHA512
bf457bd448d5a159ae8a1e76dd7235113a2a738875161500465711247f760bf2978c09762317fcbf4cc77920f9b7ccdbe62f453e2714ba2a660c8e77f332b7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
fcba593f3c0c3620fd7699302e2bca89

SHA1
4626507f9917e828b09d38d2432de478a923446d

SHA256
2903d6164b71ed9e67b031128494f805cabeb98b5be8e1be57321e337082cbbd

SHA512
b49941776d9b4ce76c5a1a2449f2c7d6b6f55176b8d2e8467d687ba18ff447c1d5054b72d7104ec148f687c1130a8e89d02267d8df77e4e88ce3d4de246b636a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
fb7e2c6a4900fedf1b7372b901934bfe

SHA1
92ee28d85f29b726dd114eaa8637d5c133711b18

SHA256
db5cce95caa4586e61c0bdd5dab24e74abd00d165152ddb9f23ea35ddbe4c9af

SHA512
2a536f5801cc77970bd7427750ca4b71f53deb7f521cd022c82924e70ec989b40c6770faa677dedc4978494ca50a372f692e4cc35a85136ee54fe848d21a68ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
6c4611acd5d42c5730c0fded749e4973

SHA1
6472d46fd9ea1b0d1c08227b3fd1ce3b6f1af6bd

SHA256
21ff081b57352a55118c2608cbff7403aed9ab0a72133503be287b84be721798

SHA512
6d64e912d96085748062778a95b0ff6705c8a72a573d7de8ae908ac773e132721bfd3230cce3688c6cf90f6cb637dd4f1471e13cd4dd9df0339d9285f931d0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1JIIR.tmp\206f8cc5d4d8b7419d84535b3d96ecce.tmp

Filesize
158KB

MD5
080aa1eaca1cfcaebf01e5ff6dd53a88

SHA1
cb22167c533cd9c65864b70a7f23aed028f79a7d

SHA256
a295268467e82ebc1e7a6d9400c8027de4c4fbfca55e5a956d36777e56c55d02

SHA512
a45fcce7b759d80c561a5b7df560a2dacba66b5ad55746d89bb19e2cb8fe3d3c90902290af1a8e77dda91f8cba484c06f130b2d303c6afe8bf9622a0b11fa3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1JIIR.tmp\206f8cc5d4d8b7419d84535b3d96ecce.tmp

Filesize
108KB

MD5
4fe9502931484d4ad8bbcde7b8c35855

SHA1
b2a734e39c3225451d2980f3eb0ce74787c49012

SHA256
11474ff1fec73bd628cdd5c7d7e5be228278c07b9275f4af977df732d641884e

SHA512
5c3e2a904570e6e780f35dbea5cd1bab6b6671b45eaad3d9414a30026d0239bcdcc8f728d52add90ba41f47efc8539fe8d48164c5895179c7995aa164055c09f

Download Submit
memory/484-7-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/484-19-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3244-84-0x00007FF9F0229000-0x00007FF9F022A000-memory.dmp

Filesize
4KB

Download
memory/5116-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download