7da0e6be54be9f804b289c2b722381c5376a30e1582c9216984b2a5ae8de6b04

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	AvxExternalCRACKEDBYFANTOM.exe

Executes dropped EXE 3 IoCs

pid	Process
2956	xraul23p.exe
3736	chromedriver.exe
3652	msedgedriver.exe

Loads dropped DLL 1 IoCs

pid	Process
3592	AvxExternalCRACKEDBYFANTOM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
24	discord.com
25	discord.com
78	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	checkip.amazonaws.com

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgedriver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgedriver.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Cache\Cache_Data\data_3	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\LOCK	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\Session Storage\MANIFEST-000001	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\77e25c57-49ca-4fc1-9686-0761888add1d.tmp	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\coupon_db\LOCK	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Cache\Cache_Data\index	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Extension State\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\Extension State\000003.log	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\GrShaderCache\GPUCache\data_0	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Local Storage\leveldb\000001.dbtmp	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Local Storage\leveldb\CURRENT	chrome.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\Sync Data\LevelDB\000001.dbtmp	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Last Version	chrome.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\8596e7a2-78c0-44bf-aae5-6e2567550df2.tmp	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\load_statistics.db	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\shared_proto_db\000001.dbtmp	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\Code Cache\js\index	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\commerce_subscription_db\LOG	chrome.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Sync Data\LevelDB\000003.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\ShaderCache\GPUCache\index	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Safe Browsing Network\Safe Browsing Cookies-journal	chrome.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Sync Data\LevelDB\LOCK	chrome.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Code Cache\wasm\index	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Local Storage\leveldb\MANIFEST-000001	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\shared_proto_db\metadata\LOG	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\DawnCache\data_3	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\shared_proto_db\metadata\CURRENT	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Session Storage\LOCK	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\GrShaderCache\data_3	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\chrome_debug.log	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\ShaderCache\data_2	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\8596e7a2-78c0-44bf-aae5-6e2567550df2.tmp	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Favicons	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\chrome_debug.log	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Code Cache\js\index	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Top Sites-journal	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\shared_proto_db\metadata\LOCK	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Session Storage\MANIFEST-000001	chrome.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\b0c35559-2281-44fc-ae82-079849b63290.tmp	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\GrShaderCache\GPUCache	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\GrShaderCache\GPUCache\data_0	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Session Storage\000003.log	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\ShaderCache\GPUCache\data_3	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Session Storage\LOCK	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Local Storage\leveldb\CURRENT	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Secure Preferences	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Default\Extension State\LOG	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Login Data For Account-journal	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Network\Reporting and NEL	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\CrashpadMetrics.pma	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\First Run	msedgedriver.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Crashpad\throttle_store.dat	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\Last Version	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\shared_proto_db\CURRENT	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\DawnCache\data_2	chrome.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Default\Session Storage\MANIFEST-000001	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3736_1285914123\Default\Network\Cookies-journal	chrome.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\SmartScreen\local\cache	msedge.exe
File opened for modification	C:\Program Files\scoped_dir3652_1906780200\Default\Web Data-journal	msedge.exe
File created	C:\Program Files\scoped_dir3652_1906780200\GrShaderCache\GPUCache\data_3	msedge.exe
File created	C:\Program Files\scoped_dir3736_1285914123\Variations	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
468	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\pearchina7246273.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
2956	xraul23p.exe
2956	xraul23p.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe
3592	AvxExternalCRACKEDBYFANTOM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	AvxExternalCRACKEDBYFANTOM.exe
Token: SeDebugPrivilege	2956	xraul23p.exe
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
2276	msedge.exe
3472	Explorer.EXE
2276	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3592	AvxExternalCRACKEDBYFANTOM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2180	3592	AvxExternalCRACKEDBYFANTOM.exe	84
PID 3592 wrote to memory of 2180	3592	AvxExternalCRACKEDBYFANTOM.exe	84
PID 3592 wrote to memory of 2180	3592	AvxExternalCRACKEDBYFANTOM.exe	84
PID 3592 wrote to memory of 1140	3592	AvxExternalCRACKEDBYFANTOM.exe	86
PID 3592 wrote to memory of 1140	3592	AvxExternalCRACKEDBYFANTOM.exe	86
PID 3592 wrote to memory of 1140	3592	AvxExternalCRACKEDBYFANTOM.exe	86
PID 3592 wrote to memory of 1232	3592	AvxExternalCRACKEDBYFANTOM.exe	88
PID 3592 wrote to memory of 1232	3592	AvxExternalCRACKEDBYFANTOM.exe	88
PID 3592 wrote to memory of 1232	3592	AvxExternalCRACKEDBYFANTOM.exe	88
PID 1232 wrote to memory of 4528	1232	cmd.exe	90
PID 1232 wrote to memory of 4528	1232	cmd.exe	90
PID 1232 wrote to memory of 4528	1232	cmd.exe	90
PID 4528 wrote to memory of 1404	4528	ComputerDefaults.exe	91
PID 4528 wrote to memory of 1404	4528	ComputerDefaults.exe	91
PID 4528 wrote to memory of 1404	4528	ComputerDefaults.exe	91
PID 1404 wrote to memory of 1736	1404	wscript.exe	92
PID 1404 wrote to memory of 1736	1404	wscript.exe	92
PID 1404 wrote to memory of 1736	1404	wscript.exe	92
PID 3592 wrote to memory of 3584	3592	AvxExternalCRACKEDBYFANTOM.exe	94
PID 3592 wrote to memory of 3584	3592	AvxExternalCRACKEDBYFANTOM.exe	94
PID 3592 wrote to memory of 3584	3592	AvxExternalCRACKEDBYFANTOM.exe	94
PID 3584 wrote to memory of 468	3584	cmd.exe	96
PID 3584 wrote to memory of 468	3584	cmd.exe	96
PID 3584 wrote to memory of 468	3584	cmd.exe	96
PID 3592 wrote to memory of 2956	3592	AvxExternalCRACKEDBYFANTOM.exe	99
PID 3592 wrote to memory of 2956	3592	AvxExternalCRACKEDBYFANTOM.exe	99
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 2956 wrote to memory of 3472	2956	xraul23p.exe	74
PID 3592 wrote to memory of 3736	3592	AvxExternalCRACKEDBYFANTOM.exe	105
PID 3592 wrote to memory of 3736	3592	AvxExternalCRACKEDBYFANTOM.exe	105
PID 3736 wrote to memory of 4772	3736	chromedriver.exe	107
PID 3736 wrote to memory of 4772	3736	chromedriver.exe	107
PID 4772 wrote to memory of 2308	4772	chrome.exe	108
PID 4772 wrote to memory of 2308	4772	chrome.exe	108
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109
PID 4772 wrote to memory of 3312	4772	chrome.exe	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3472
- C:\Users\Admin\AppData\Local\Temp\AvxExternalCRACKEDBYFANTOM.exe
  "C:\Users\Admin\AppData\Local\Temp\AvxExternalCRACKEDBYFANTOM.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\pearchina7246273.vbs" /f
    3⤵
    - Modifies registry class
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
    3⤵
    - Modifies registry class
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C computerdefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\ComputerDefaults.exe
      computerdefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\SysWOW64\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\pearchina7246273.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN EdgeBrowserTaskUpdater_TduHD00Su1ipGcLhdJ1p040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\TduHD00Su1ipGcLhdJ1p040MX.exe" /RL HIGHEST /IT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC ONLOGON /TN EdgeBrowserTaskUpdater_TduHD00Su1ipGcLhdJ1p040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\TduHD00Su1ipGcLhdJ1p040MX.exe" /RL HIGHEST /IT
      4⤵
      Creates scheduled task(s)
      PID:468
- - C:\Users\Admin\AppData\Local\Temp\xraul23p.exe
    "C:\Users\Admin\AppData\Local\Temp\xraul23p.exe" explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
    "C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe" --port=58931
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --window-position=-32000,-32000 data:,
      4⤵
      Drops file in Program Files directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Program Files\scoped_dir3736_1285914123" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\scoped_dir3736_1285914123\Crashpad" "--metrics-dir=C:\Program Files\scoped_dir3736_1285914123" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcec049758,0x7ffcec049768,0x7ffcec049778
        5⤵
        
        PID:2308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=1696 --field-trial-handle=1924,i,6232230573037622725,7279730948375896205,131072 /prefetch:2
        5⤵
        
        PID:3312
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --enable-logging --log-level=0 --mojo-platform-channel-handle=2136 --field-trial-handle=1924,i,6232230573037622725,7279730948375896205,131072 /prefetch:8
        5⤵
        Drops file in Program Files directory
        
        PID:2524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --enable-logging --log-level=0 --mojo-platform-channel-handle=2280 --field-trial-handle=1924,i,6232230573037622725,7279730948375896205,131072 /prefetch:8
        5⤵
        Drops file in Program Files directory
        
        PID:2236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --display-capture-permissions-policy-allowed --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1924,i,6232230573037622725,7279730948375896205,131072 /prefetch:1
        5⤵
        Drops file in Program Files directory
        
        PID:4604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Program Files\scoped_dir3736_1285914123" --display-capture-permissions-policy-allowed --first-renderer-process --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1924,i,6232230573037622725,7279730948375896205,131072 /prefetch:1
        5⤵
        
        PID:4672
- - C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe
    "C:\Users\Admin\AppData\Local\Temp\msedgedriver.exe" --port=59104
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    - Drops file in Program Files directory
    PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --window-position=-32000,-32000 data:,
      4⤵
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:2276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Program Files\scoped_dir3652_1906780200" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\scoped_dir3652_1906780200\Crashpad" "--metrics-dir=C:\Program Files\scoped_dir3652_1906780200" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcebf046f8,0x7ffcebf04708,0x7ffcebf04718
        5⤵
        Drops file in Program Files directory
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7385535389054494102,17713940126641132505,131072 --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        Drops file in Program Files directory
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7385535389054494102,17713940126641132505,131072 --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --enable-logging --log-level=0 --mojo-platform-channel-handle=2500 /prefetch:3
        5⤵
        
        PID:4248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7385535389054494102,17713940126641132505,131072 --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --enable-logging --log-level=0 --mojo-platform-channel-handle=2856 /prefetch:8
        5⤵
        
        PID:4220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=2116,7385535389054494102,17713940126641132505,131072 --lang=en-US --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        Drops file in Program Files directory
        
        PID:3968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --field-trial-handle=2116,7385535389054494102,17713940126641132505,131072 --lang=en-US --user-data-dir="C:\Program Files\scoped_dir3652_1906780200" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        
        PID:1312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery