gh0strat | 508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240598640.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 24 IoCs

Processes:

svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exemsedge.exesvchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
1236	svchost.exe
5184	TXPlatforn.exe
4728	TXPlatforn.exe
608	svchos.exe
5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
3908	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
452	msedge.exe
4408	svchost.exe
1900	TXPlatforn.exe
6052	svchos.exe
5016	TXPlatforn.exe
624	HD_msedge.exe
5804	HD_msedge.exe
2144	HD_msedge.exe
2236	HD_msedge.exe
3948	HD_msedge.exe
5416	HD_msedge.exe
2296	HD_msedge.exe
3988	HD_msedge.exe
5204	HD_msedge.exe
5732	HD_msedge.exe
2152	HD_msedge.exe
4380	HD_msedge.exe
4064	HD_msedge.exe

Loads dropped DLL 3 IoCs

Processes:

svchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid process

608 svchos.exe
4056 svchost.exe
3908 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
608	svchos.exe
4056	svchost.exe
3908	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1236-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1236-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1236-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1236-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5184-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5184-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5184-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5184-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1236-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4728-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5184-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4728-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4728-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4728-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240598640.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe

Drops file in Program Files directory 7 IoCs

Processes:

msedge.exe508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

HD_msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3424 PING.EXE
5040 PING.EXE

pid	process
3424	PING.EXE
5040	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	process
1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
452	msedge.exe
452	msedge.exe
2144	HD_msedge.exe
2144	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
1136	identity_helper.exe
1136	identity_helper.exe
4064	HD_msedge.exe
4064	HD_msedge.exe
4064	HD_msedge.exe
4064	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

4728 TXPlatforn.exe

pid	process
4728	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exeTXPlatforn.exesvchost.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1236	svchost.exe
Token: SeLoadDriverPrivilege	4728	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4408	svchost.exe
Token: 33	4728	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4728	TXPlatforn.exe
Token: 33	4728	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4728	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe
624	HD_msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exeHD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exemsedge.exe

pid	process
1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
452	msedge.exe
452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exesvchost.exeTXPlatforn.execmd.exesvchost.exeHD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exemsedge.exesvchost.exeTXPlatforn.exeHD_msedge.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1236	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchost.exe
PID 1524 wrote to memory of 1236	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchost.exe
PID 1524 wrote to memory of 1236	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchost.exe
PID 1236 wrote to memory of 4212	1236	svchost.exe	cmd.exe
PID 1236 wrote to memory of 4212	1236	svchost.exe	cmd.exe
PID 1236 wrote to memory of 4212	1236	svchost.exe	cmd.exe
PID 5184 wrote to memory of 4728	5184	TXPlatforn.exe	TXPlatforn.exe
PID 5184 wrote to memory of 4728	5184	TXPlatforn.exe	TXPlatforn.exe
PID 5184 wrote to memory of 4728	5184	TXPlatforn.exe	TXPlatforn.exe
PID 1524 wrote to memory of 608	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchos.exe
PID 1524 wrote to memory of 608	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchos.exe
PID 1524 wrote to memory of 608	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	svchos.exe
PID 4212 wrote to memory of 3424	4212	cmd.exe	PING.EXE
PID 4212 wrote to memory of 3424	4212	cmd.exe	PING.EXE
PID 4212 wrote to memory of 3424	4212	cmd.exe	PING.EXE
PID 1524 wrote to memory of 5116	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
PID 1524 wrote to memory of 5116	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
PID 1524 wrote to memory of 5116	1524	508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
PID 4056 wrote to memory of 3908	4056	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 4056 wrote to memory of 3908	4056	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 4056 wrote to memory of 3908	4056	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 5116 wrote to memory of 452	5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	msedge.exe
PID 5116 wrote to memory of 452	5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	msedge.exe
PID 5116 wrote to memory of 452	5116	HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe	msedge.exe
PID 452 wrote to memory of 4408	452	msedge.exe	svchost.exe
PID 452 wrote to memory of 4408	452	msedge.exe	svchost.exe
PID 452 wrote to memory of 4408	452	msedge.exe	svchost.exe
PID 4408 wrote to memory of 1424	4408	svchost.exe	cmd.exe
PID 4408 wrote to memory of 1424	4408	svchost.exe	cmd.exe
PID 4408 wrote to memory of 1424	4408	svchost.exe	cmd.exe
PID 452 wrote to memory of 6052	452	msedge.exe	svchos.exe
PID 452 wrote to memory of 6052	452	msedge.exe	svchos.exe
PID 452 wrote to memory of 6052	452	msedge.exe	svchos.exe
PID 1900 wrote to memory of 5016	1900	TXPlatforn.exe	TXPlatforn.exe
PID 1900 wrote to memory of 5016	1900	TXPlatforn.exe	TXPlatforn.exe
PID 1900 wrote to memory of 5016	1900	TXPlatforn.exe	TXPlatforn.exe
PID 452 wrote to memory of 624	452	msedge.exe	HD_msedge.exe
PID 452 wrote to memory of 624	452	msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 5804	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 5804	624	HD_msedge.exe	HD_msedge.exe
PID 1424 wrote to memory of 5040	1424	cmd.exe	PING.EXE
PID 1424 wrote to memory of 5040	1424	cmd.exe	PING.EXE
PID 1424 wrote to memory of 5040	1424	cmd.exe	PING.EXE
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe
PID 624 wrote to memory of 2236	624	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
"C:\Users\Admin\AppData\Local\Temp\508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:3424

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:608

C:\Users\Admin\AppData\Local\Temp\HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
C:\Users\Admin\AppData\Local\Temp\HD_508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.qq.com/products/285647/faqs/88645
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
5⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:5040

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
4⤵
- Executes dropped EXE
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9959646f8,0x7ff995964708,0x7ff995964718
5⤵
- Executes dropped EXE
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
5⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
5⤵
- Executes dropped EXE
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
5⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,16227433847376806347,15110188686340735441,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5184

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:5060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240598640.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3908

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery