hxxps://samples[.]vx-underground[.]org/Samples/Families/zxShell/1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0[.]7z

Analysis

max time kernel
138s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Families/zxShell/1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE

Executes dropped EXE 1 IoCs

pid	Process
4848	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Loads dropped DLL 2 IoCs

pid	Process
412	rundll32.exe
3388	Explorer.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000023182-205.dat	upx
behavioral1/memory/4848-206-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/files/0x000e000000023182-207.dat	upx
behavioral1/memory/4848-208-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/files/0x000d00000002312d-251.dat	upx
behavioral1/files/0x000d00000002312d-252.dat	upx
behavioral1/memory/412-253-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp	upx
behavioral1/memory/412-254-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp	upx
behavioral1/files/0x000d00000002312d-257.dat	upx
behavioral1/memory/3388-258-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp	upx
behavioral1/memory/3388-259-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp	upx
behavioral1/memory/4848-268-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/memory/3388-270-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\imseo21.ime	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4848	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
412	rundll32.exe
3388	Explorer.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PROPSYS.dll	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File created	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
264	msedge.exe
264	msedge.exe
904	identity_helper.exe
904	identity_helper.exe
3064	msedge.exe
3064	msedge.exe
412	rundll32.exe
412	rundll32.exe
3388	Explorer.EXE
3388	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1552	7zFM.exe
5660	7zFM.exe
3388	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	1552	7zFM.exe
Token: 35	1552	7zFM.exe
Token: SeSecurityPrivilege	1552	7zFM.exe
Token: SeRestorePrivilege	5660	7zFM.exe
Token: 35	5660	7zFM.exe
Token: SeSecurityPrivilege	5660	7zFM.exe
Token: SeDebugPrivilege	412	rundll32.exe
Token: SeShutdownPrivilege	3388	Explorer.EXE
Token: SeCreatePagefilePrivilege	3388	Explorer.EXE
Token: SeShutdownPrivilege	3388	Explorer.EXE
Token: SeCreatePagefilePrivilege	3388	Explorer.EXE
Token: SeShutdownPrivilege	3388	Explorer.EXE
Token: SeCreatePagefilePrivilege	3388	Explorer.EXE
Token: SeShutdownPrivilege	3388	Explorer.EXE
Token: SeCreatePagefilePrivilege	3388	Explorer.EXE
Token: SeShutdownPrivilege	3388	Explorer.EXE
Token: SeCreatePagefilePrivilege	3388	Explorer.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
1552	7zFM.exe
1552	7zFM.exe
1552	7zFM.exe
5660	7zFM.exe
856	msedge.exe
5660	7zFM.exe
5660	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4164	856	msedge.exe	88
PID 856 wrote to memory of 4164	856	msedge.exe	88
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 4536	856	msedge.exe	89
PID 856 wrote to memory of 264	856	msedge.exe	90
PID 856 wrote to memory of 264	856	msedge.exe	90
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91
PID 856 wrote to memory of 2432	856	msedge.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Samples/Families/zxShell/1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e26046f8,0x7ff9e2604708,0x7ff9e2604718
    3⤵
    PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
    3⤵
    PID:1908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5820 /prefetch:8
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,5418001320877032624,4094262103334357944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1552
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5660
- C:\Users\Admin\Desktop\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
  "C:\Users\Admin\Desktop\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  PID:4848
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\PROPSYS.dll" /E /G everyone:F
    3⤵
    PID:2056
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\system32\imseo21.ime" /E /G everyone:F
    3⤵
    PID:3380
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Windows\system32\imseo21.ime",ProxyDll
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\\51FADBE.bat
    3⤵
    PID:5568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\257cd728-a6c1-43ee-ac89-566b8b080176.tmp

Filesize
11KB

MD5
e52b810863e32db996a11fac23b61650

SHA1
85e5492c41067f90b640312f1849f4dcce0cb59e

SHA256
7084256abc32a5cca5394ec6f285af81c977a048bbebad42b7c7369a9add56a9

SHA512
68ee0c1442f601f9cc3be4b8295e3cce131f272de3e2de20f8222d2563571ae1e8a034c350825124f0fc44946cb8b57f9bde866c871d337abd8df6035993ed55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
194B

MD5
c753a51b344f5e0b7614e6b335efce1a

SHA1
ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5

SHA256
b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494

SHA512
c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8660e7ca74e8ca07d8410f4fd67b38aa

SHA1
f21bc26c8edd89aaaa0de2de3c415f80cce9f544

SHA256
84519788af8c57847cf1d7a7d90a2c0f893c2d9bd154b7e597519a578f430801

SHA512
2fca808e7309fda6cf80fd4695295b2009913e21f362bfd8a8947b1a252bf663a6f09efc142de552259643ad55906349e394c83beaddae2adaa5c313d50231c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1429565a10e85d3825154f6d981559a2

SHA1
bbee805b87b8be6090dc425222e8157dc51ae5bd

SHA256
6b5f9e28038a438e58779b5353d3729a1511d5b6587511ff58a332c932ded0db

SHA512
4cd0cf789d21c031fe49444466d827180cb79a0f6477ae9876d089cfaa5faffa00a45fafe0e478c225ddaed70b4669641e64e9bf4bf81e01cc72bab5eac951ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbc2c77757bf14d79c7ff902f1620491

SHA1
e06973df8d2b3734933252c71650cf462005910b

SHA256
90064aa4a4424414455f7248c4fb436092a455bb759aa111fcecc620a7513ae2

SHA512
4f779569da6c468f2e3923e4c07f80c9816f48bb4437860bd7a0237974f4789be65f5d3297cc748f9fc17a9ff01eba573cf5c6e0abf8844844ec54f048997ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78660a60baeb011743172de2d1709236

SHA1
2a8f5f698581c1b588c56c722be23bbe31542c07

SHA256
34ef70813c318e4ebfd737fb428295497acea79e4489453f0d037eb7bd708715

SHA512
eb3e92f5380b2da180a2a305cabc585b431c30f2a20aaed1a6cbe921877d0376a44c8147a8f44132ed4cf7293f000b726ef32caf27203bdde7dc3e1177615c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
700bf72ea3b3d6a8f00a31495912211e

SHA1
5dbdbbc8ed7bc00cbb863ec83495941713f0dcba

SHA256
747d50f4b10a498ac4885da41decfece6bea1c559102884dbe98bb42e8b146e1

SHA512
f348f49a78625e5fa1846baef3a94796a6cababe11951fb5c06e68e9b9c6438e3382f41e4cea787e4e0da4665726158dff6fcaf286217bcf6c084494e984b081

Download Submit
C:\Users\Admin\Desktop\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Filesize
2.0MB

MD5
48b7436b0d04935485a0412af6d6625f

SHA1
675e28e922c4f7840359278bba38a14ce29567a7

SHA256
e2fd346b134b10ea5d6a0dcc3fe00c199b57ae287655187b807455318900d97e

SHA512
4c1a4838887da4bb7722812ce9d92a526b55356e5a84e1d61f34c08e05c7500f6b2bde1c65a478f88ec42f7f7b0eadfedc236ffb4187609cb5e0d54fd92423fb

Download Submit
C:\Users\Admin\Desktop\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Filesize
384KB

MD5
5dc184fc1b3c3dc473172f2f4bd71bd8

SHA1
4d1756e38a48f461dd6f2a9cadea8362a8051104

SHA256
459d3d19222501507f736a7e13b329e6b4cba04f45ddd9232180421a151ca047

SHA512
0dae5ba2538bc02c696e792a0510361c478db476cb14bb04fde7d4d9a0a696f0724849e5115b9bd51b80c2f3b8c1576905eb40ebf2192e4e4efa8712c2a4b20a

Download Submit
C:\Users\Admin\Desktop\51FADBE.bat

Filesize
289B

MD5
bde818c4ae35778b22034c69b8b2e23f

SHA1
fb0687925b20a0a51ea478da9e9894ea433e0662

SHA256
05c11a2055a654f03e871fac651b8a2e3f07ca7ed552eb4716dc890ef4e89497

SHA512
0eb7f1c51236bc9e97e8518ef913623e3fa29c2391c04788fc4162ac14cf8b89927a27fe2d41b5fb6c13b220b7d191ba16677a0cc514b6d839c36d470eb8b0a8

Download Submit
C:\Users\Admin\Downloads\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z

Filesize
3.2MB

MD5
e80b50b290df97eec4786a76f6ed0075

SHA1
5d618418a91d3fce4102cc9d52238a179457dc31

SHA256
c8c06de370235b03aea619e5e5511e181052a2141a2af6451a845acff064042b

SHA512
0c281bf664912b8f29c326da9585d67d4ac2af57e77c0907c67328ccd9c86de29a9f072eaf6b75d0ebb3332040a8a3d78764472d4306c7d6f7599cb3ecd57bb2

Download Submit
C:\Users\Admin\Downloads\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.7z

Filesize
640KB

MD5
e72718d2c7a817b73ea0ab1905f919df

SHA1
b47f3113dc99a88e1be4f1ecbaee19e824b77ccf

SHA256
09dde89828f13446cf5ec8a1e1dd9f48c74dc63ffc2d2d792f316eddefdc7309

SHA512
f3dfa2a5de5be269c4c233461f198f8d631f4a6abb4f1eece1f2a9f982f0016457358f92ae81c20c49fe7f7b495faaace2211b2a82e92f8642b36a5882b1f5e8

Download Submit
C:\Windows\PROPSYS.dll

Filesize
993KB

MD5
11b4750d0fed37aa033d1ee90e2ddd98

SHA1
b902d59c6b54ae5ce2ce01047f9ec41d66dcea2c

SHA256
9fce144ebe9234cfcd8281601db34ea4ec6d617f920ea0bd8916e4224f3ee9f8

SHA512
665a3ecc2a45f9311885026da62d90049d468e5049ee05ec03e21ac54dbe0a1c09f323af9575bf321237f4c6b59b55b42d1c28d68f62f75acd8496e180a1069a

Download Submit
C:\Windows\System32\imseo21.ime

Filesize
1.1MB

MD5
9395e76af95eb6555b37afd9be1eb1e1

SHA1
1e838c3844676192c896c66cd3068fd47e0355cb

SHA256
86bcb436f55e8110bd47abcd8397828ee645860f25c87b5d914867eecccfd0d7

SHA512
d8b676a36a82eadd8b1dc58a42649937a7c53473f05cb68462701862ecc3526100a8accef7c53789f89c4e198b86b33afe4b6093fe853885b79d4abd4adc449b

Download Submit
C:\Windows\System32\imseo21.ime

Filesize
192KB

MD5
0b809e359699ae4a055ad4efe41b10eb

SHA1
833bb89d1fa3b6b67752fb24683634d9a7dbeffc

SHA256
b357e25bcadea558e24eb3d14e54b7b40e0dc02e8774aecf327d71d1da65ad7b

SHA512
c998f2e7a305e18d050d9c4435cc08bd0a18da291c3fbf6db849ed9c5cf7ae3ea2666a8ddac46d5f2c7cae03f3aa91eef84a26606c51bf6af0652965ac200889

Download Submit
C:\Windows\system32\imseo21.ime

Filesize
1.6MB

MD5
6d0c009eaa7925a99c1e1ab448e4fb23

SHA1
83fc0adf38ee9803fa545fc2e9989df81b22cc3f

SHA256
68357137268cf5bd92362e315f8a3fac91982bbcff167ef64a1c099441973bf8

SHA512
dc6fae8d7b9cd2b7cba1219b11541e6cb0f0656bf1e95fc76ffa968845a8a78499e4ca78a1d8786763f1c7bccf5d9babb72e9d03c4e1373dadaa39ad526a5d51

Download Submit
memory/412-254-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp

Filesize
4.4MB

Download
memory/412-253-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp

Filesize
4.4MB

Download
memory/3388-258-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp

Filesize
4.4MB

Download
memory/3388-259-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp

Filesize
4.4MB

Download
memory/3388-270-0x00007FF9D2FD0000-0x00007FF9D3435000-memory.dmp

Filesize
4.4MB

Download
memory/4848-206-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/4848-210-0x00000000011A0000-0x00000000011A7000-memory.dmp

Filesize
28KB

Download
memory/4848-208-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/4848-268-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/4848-217-0x00000000011B0000-0x00000000011C5000-memory.dmp

Filesize
84KB

Download