217c2d2da19684d59ca61bb6ce6032caffb899e006890ec946fba0f275dc73ce

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

993d70d947853967556274adc8f20e05.exe
Size

1.6MB
MD5

993d70d947853967556274adc8f20e05
SHA1

71ebe248007ff4ff38e71032685f37ee21342678
SHA256

217c2d2da19684d59ca61bb6ce6032caffb899e006890ec946fba0f275dc73ce
SHA512

28bdb57e6c6be63e03a784719f252d22c7fa0a32f2404fde01f9756f8893fb1f8795377150a31a4404feff613af26c596af671ed7c1c710669b1b144c6b3aecd
SSDEEP

49152:IfrxeAbi3bgkjfB6mII4hEfffJLa79qK2XfZ7HSbNuA9okDWsPqd6mxBcdiW5D5+:Ile/UyUKzHz0D2

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	bdg6D41.tmp

Executes dropped EXE 5 IoCs

pid	Process
2784	crp6458.exe
1532	uti6A06.exe
988	crp6D16.exe
3936	bdg6D41.tmp
1200	hao123.1.0.0.1106.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002324e-43.dat	upx
behavioral2/memory/988-45-0x0000000000400000-0x0000000000514000-memory.dmp	upx
behavioral2/memory/988-62-0x0000000000400000-0x0000000000514000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hao123Setting = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdg6D70.exe http://br.hao123.com/?tn=epom_pay_hp_01_hao123_br"	crp6D16.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	uti6A06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main	crp6D16.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://br.hao123.com/?tn=epom_pay_hp_01_hao123_br"	crp6D16.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bdg6D41.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1106.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	bdg6D41.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg6D41.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg6D41.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	bdg6D41.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	bdg6D41.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	hao123.1.0.0.1106.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1106.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1532	uti6A06.exe
1532	uti6A06.exe
1532	uti6A06.exe
1532	uti6A06.exe
1532	uti6A06.exe
1532	uti6A06.exe
988	crp6D16.exe
988	crp6D16.exe
988	crp6D16.exe
988	crp6D16.exe
3936	bdg6D41.tmp
3936	bdg6D41.tmp
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
3936	bdg6D41.tmp
3936	bdg6D41.tmp
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
3680	msedge.exe
3680	msedge.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
1200	hao123.1.0.0.1106.exe
3432	identity_helper.exe
3432	identity_helper.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2784	crp6458.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2784	crp6458.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2784	crp6458.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2264	msedge.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe
2784	crp6458.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	crp6458.exe
2784	crp6458.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 2784	3536	993d70d947853967556274adc8f20e05.exe	89
PID 3536 wrote to memory of 2784	3536	993d70d947853967556274adc8f20e05.exe	89
PID 3536 wrote to memory of 2784	3536	993d70d947853967556274adc8f20e05.exe	89
PID 3536 wrote to memory of 1532	3536	993d70d947853967556274adc8f20e05.exe	90
PID 3536 wrote to memory of 1532	3536	993d70d947853967556274adc8f20e05.exe	90
PID 3536 wrote to memory of 1532	3536	993d70d947853967556274adc8f20e05.exe	90
PID 3536 wrote to memory of 988	3536	993d70d947853967556274adc8f20e05.exe	92
PID 3536 wrote to memory of 988	3536	993d70d947853967556274adc8f20e05.exe	92
PID 3536 wrote to memory of 988	3536	993d70d947853967556274adc8f20e05.exe	92
PID 988 wrote to memory of 3936	988	crp6D16.exe	93
PID 988 wrote to memory of 3936	988	crp6D16.exe	93
PID 988 wrote to memory of 3936	988	crp6D16.exe	93
PID 3936 wrote to memory of 1200	3936	bdg6D41.tmp	96
PID 3936 wrote to memory of 1200	3936	bdg6D41.tmp	96
PID 3936 wrote to memory of 1200	3936	bdg6D41.tmp	96
PID 1200 wrote to memory of 2264	1200	hao123.1.0.0.1106.exe	98
PID 1200 wrote to memory of 2264	1200	hao123.1.0.0.1106.exe	98
PID 2264 wrote to memory of 4108	2264	msedge.exe	100
PID 2264 wrote to memory of 4108	2264	msedge.exe	100
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 428	2264	msedge.exe	102
PID 2264 wrote to memory of 3680	2264	msedge.exe	101
PID 2264 wrote to memory of 3680	2264	msedge.exe	101
PID 2264 wrote to memory of 4756	2264	msedge.exe	103
PID 2264 wrote to memory of 4756	2264	msedge.exe	103
PID 2264 wrote to memory of 4756	2264	msedge.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\993d70d947853967556274adc8f20e05.exe
  "C:\Users\Admin\AppData\Local\Temp\993d70d947853967556274adc8f20e05.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\crp6458.exe
    "C:\Users\Admin\AppData\Local\Temp\crp6458.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\uti6A06.exe
    -home -home2 -et -channel 169741 -spff
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\crp6D16.exe
    "C:\Users\Admin\AppData\Local\Temp\crp6D16.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\bdg6D41.tmp
      -install -tn=tn=epom_pay_sc_01_hao123_br
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1106.exe
        
        "C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1106.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://br.hao123.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff119546f8,0x7fff11954708,0x7fff11954718
        7⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        7⤵
        
        PID:428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
        7⤵
        
        PID:4756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        7⤵
        
        PID:3944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        7⤵
        
        PID:1412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
        7⤵
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
        7⤵
        
        PID:2260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        7⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        7⤵
        
        PID:2252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
        7⤵
        
        PID:720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        7⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
        7⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
        7⤵
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
        7⤵
        
        PID:1492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17026341116887663466,1537581258807063337,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4968 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_CEF628ACFBFEA6E54853F1D16F4B912D

Filesize
1KB

MD5
6651c4575c85acfcd9c249f63321da1e

SHA1
b1fc2aa2c4091273e1db8bbee98978635d30841c

SHA256
5f39a09a8c329b85cc56c113238ceb170d55d7e75ae614e8d1b1e444c3e9147b

SHA512
7224457bb237058628ff3117e7b1f4928b5fe8d4bfadd27811d0bdcd764f69d0422a612324e984b743990e2c1b8718bfb18f29579d5d11841bfae46932024f5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_CEF628ACFBFEA6E54853F1D16F4B912D

Filesize
412B

MD5
e581c7fde12887a91089f2b3769bd5c6

SHA1
38e6468a7c34b32171b78af454277150debd0759

SHA256
0ca66a97066fea2cc6ab554eb8bdadced059f8cede43f8a52215491627b72c76

SHA512
490a0d78919d1339e728fdf4748bd18009a5e0c9f0caebfbd5f30ac1c0e6d524094c45be5f99eafe5354b5b1122a4c8b7309f41c79e62fbef025e89770e24b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
68834177f4a9c9e3462654a5dcc9f34e

SHA1
2ed2f40239d0f81966782bbe9a4bf4055ea26a1e

SHA256
98430260d5c7d2a4a8976c793f5b1d3a73d5652f9069bfdd454213f38a71aabe

SHA512
458051229ceca87e6f4277c4e7fb66724749e4cf833f52d754e3fe0120600cda23fd80c0b7158ebf8f375239fc7a7bab71ebeb15cf4bebcb1bd535cc1f0a026d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8b1f5ccda95258a5cc92197c68a6a90

SHA1
a56b2f2f14b6583ec032b9efb895c5487002ef52

SHA256
610332415e9ab4500599a09b34955b910edf076908d15cf6e11a6c856eb9154f

SHA512
1bc3e82bde4bdf9fdb2c49596d8a3132d1251d117b6875d19f1bf8c12c1e865dbfdbc3b4fa83da6b40491c5fa763b945bcc62fbff177755868777f627e91b443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9cc3d3c2f7a7fdc561a3c1b424ea20c6

SHA1
04053d745a90bf8a97eb4bc0583cf76c2198ffe7

SHA256
60e4019c389ef8662a28d2985260a49089cdbedb41e1af884810cae6980cf1cf

SHA512
4eec739ef81ad43796ab8330749595cd6c08807dadedd8932e868d4d5568350d6dc7bf262d19c2e82402676382232e4fb904916373614d6e40ffb15d59b4a8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e0da55657fab52bbde8a6ff39778fbb

SHA1
1a3af57099dc69de0c815e3ed0035c876a51fea6

SHA256
b902fc8e776af7821d584a7391a9b612b061c1273aabc1b6fffa21a9c5c5964d

SHA512
ebae602cf1c564de7677dec4044556fd1d3b4e9bd253fdc102946efbd48b99de3158717a809679b0f1beea7240e0d08e3557d8f59aeafcdce776d0fbcafe4ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdg6D41.tmp

Filesize
565KB

MD5
0f584cb3450521550b9deaef6b9b5f30

SHA1
cedaa4dfcd6b915dc39f3bb8d6fba4aa904077cc

SHA256
2d8d18711fdb516c4dcca60aa8437b127416ac0cd0f0caa089f8b9699f4ac167

SHA512
b584fe9ba75dd8eddb3fc82472f01677b47663631fae51f995c78c140410e017ef37741a15f75ca473892dc015cbd62ffb283718bddbf148fec1324f837949a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdg6D41.tmp

Filesize
64KB

MD5
8a0b301f24ad8966ac344d514d229283

SHA1
4f194f22f65535d4f896be1744b9f35fbf2c3992

SHA256
ed653ba50aa336f8798b61a28925405f69ae4ed6c46a94d78d7c842b72efd20d

SHA512
e48e84f9bd72f738948c5c1295522963f575593757847e05ee4c8d1acbe1ec3bfcf22c5cf3cee99147959dd987c386e8b258e453bd4e694b42b8da2a3d28c963

Download Submit
C:\Users\Admin\AppData\Local\Temp\crp6458.exe

Filesize
805KB

MD5
9426b74223a014f2c2fe014a552fa09d

SHA1
1e9a21843930d02da8a47123d6441cf17917630f

SHA256
5d0eca3977574fe7e996e59ca0419189b313bce57e70bd0374bfd428a580d7f0

SHA512
8dfa2cfbb017ac7148e3d4a5ce73a813d78834b6029a81a7051e98a187bd5747d1b4b16f4c02d92816efc4c32e5b389839bd03c2547bdad1707badd01dbbe265

Download Submit
C:\Users\Admin\AppData\Local\Temp\crp6D16.exe

Filesize
292KB

MD5
8ae4de4f26110ebd2d82c93583000135

SHA1
162c4e83dd5f1e8a3791e1362fd8dee31af974f3

SHA256
55afdb0a55f2e910d0f0ceeab863a27b6b290529e634a9d4f309d1b0d09d6971

SHA512
12a7b321fc749647e3b0d35801be00d0c8a3a4498e084dddf21fbcfdf05af4c8e701a8160296f524f86f5fc3805b3432cbe8146c5247c9e76fa23ffcff728308

Download Submit
C:\Users\Admin\AppData\Local\Temp\hao123Config.xml

Filesize
362B

MD5
3b7815c41e181da969e7291394a05921

SHA1
e06652c6943f276190407020f17e898c8faea74f

SHA256
ba6f5e311e458f0946905cbda15724acbc4f611a8d59d3ae3767e7461bf1bb3b

SHA512
538a73b8b00decb3564bae86f0bdb1d7de91dffc7cf578fb6052b8be33d518a210c78e10f87f0dcab51eae1ba0d609f3974b404ac0ad4331ab0a88f2c0f675d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uti6A06.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
1KB

MD5
7a1d7fe8e69ce0161f6cccb48bd487ab

SHA1
f20f38369792a761ca0e9048aea86bdf05962862

SHA256
8a30f81cb053663c54cff495a5fc425f86cd20d3b4c567d036b60398188a0e5b

SHA512
f55b91eef146596c7f3eee566567b9494696aec933ac3b683ba3ce2a8fdbb17f7e3a82350af8d9ee683e908da9ab8d4689bc7370a4ce6e5b86997d4a08d401b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

Filesize
6KB

MD5
6d684b124291e0022e3ee960dc9f84ea

SHA1
68adbe22e3157fa3e27a2625ce32343722c62845

SHA256
d8833f574a71dd40e7b61a80a6aa30319018236e5ec2a9e1ef12a1900a910e2b

SHA512
2dbb776b942e298197861c44b8851bc7951a5c509f27e2749dcdd4b1a0510434c8f0c7954fc66407ab47e5f9bd2470e0c2af43831318e923df6d2d86db5efded

Download Submit
C:\Users\Admin\Desktop\Hao123.lnk

Filesize
1KB

MD5
0d2b43d7c1a682d2702fe0e275f9ed58

SHA1
0695a144a89131cae48405066a283b90e89eaffb

SHA256
6eb068ab51c091795086f146b6cb6719cae94f22b61ffc8e3405205512c48635

SHA512
e3e35f770717b4a540636c953c3bfb767962c2c1c01cd95d9cfba9118c4f1592fbc8d10ed361096afa7a41c5dfba6397e7c11dd52a84bda1bd2bbebc36166735

Download Submit
memory/988-62-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/988-45-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1200-139-0x0000000076C70000-0x0000000076E10000-memory.dmp

Filesize
1.6MB

Download
memory/3936-63-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3936-175-0x0000000076C70000-0x0000000076E10000-memory.dmp

Filesize
1.6MB

Download