gh0strat | a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240596625.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 24 IoCs

Processes:

svchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exemsedge.exesvchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
2100	svchost.exe
1664	TXPlatforn.exe
4036	svchos.exe
664	TXPlatforn.exe
5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
5680	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
3960	msedge.exe
3992	svchost.exe
1364	TXPlatforn.exe
2820	svchos.exe
5252	TXPlatforn.exe
5372	HD_msedge.exe
5160	HD_msedge.exe
1584	HD_msedge.exe
5156	HD_msedge.exe
876	HD_msedge.exe
2032	HD_msedge.exe
5036	HD_msedge.exe
5968	HD_msedge.exe
2840	HD_msedge.exe
1704	HD_msedge.exe
5760	HD_msedge.exe
1696	HD_msedge.exe
212	HD_msedge.exe

Loads dropped DLL 3 IoCs

Processes:

svchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid process

4036 svchos.exe
712 svchost.exe
5680 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4036	svchos.exe
712	svchost.exe
5680	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2100-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2100-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2100-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1664-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1664-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/664-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/664-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/664-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/664-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1664-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1664-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1664-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchos.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240596625.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe

Drops file in Program Files directory 7 IoCs

Processes:

a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exemsedge.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

HD_msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1640 PING.EXE
3972 PING.EXE

pid	process
1640	PING.EXE
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	process
1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
3960	msedge.exe
3960	msedge.exe
5156	HD_msedge.exe
5156	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
2104	identity_helper.exe
2104	identity_helper.exe
212	HD_msedge.exe
212	HD_msedge.exe
212	HD_msedge.exe
212	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

664 TXPlatforn.exe

pid	process
664	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exeTXPlatforn.exesvchost.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	664	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3992	svchost.exe
Token: 33	664	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	664	TXPlatforn.exe
Token: 33	664	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	664	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe
5372	HD_msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exeHD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exemsedge.exe

pid	process
1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exesvchost.exeTXPlatforn.execmd.exesvchost.exeHD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exemsedge.exesvchost.exeTXPlatforn.exeHD_msedge.execmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 2100	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchost.exe
PID 1240 wrote to memory of 2100	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchost.exe
PID 1240 wrote to memory of 2100	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchost.exe
PID 2100 wrote to memory of 64	2100	svchost.exe	cmd.exe
PID 2100 wrote to memory of 64	2100	svchost.exe	cmd.exe
PID 2100 wrote to memory of 64	2100	svchost.exe	cmd.exe
PID 1240 wrote to memory of 4036	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchos.exe
PID 1240 wrote to memory of 4036	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchos.exe
PID 1240 wrote to memory of 4036	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	svchos.exe
PID 1664 wrote to memory of 664	1664	TXPlatforn.exe	TXPlatforn.exe
PID 1664 wrote to memory of 664	1664	TXPlatforn.exe	TXPlatforn.exe
PID 1664 wrote to memory of 664	1664	TXPlatforn.exe	TXPlatforn.exe
PID 64 wrote to memory of 1640	64	cmd.exe	PING.EXE
PID 64 wrote to memory of 1640	64	cmd.exe	PING.EXE
PID 64 wrote to memory of 1640	64	cmd.exe	PING.EXE
PID 1240 wrote to memory of 5872	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 1240 wrote to memory of 5872	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 1240 wrote to memory of 5872	1240	a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 712 wrote to memory of 5680	712	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 712 wrote to memory of 5680	712	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 712 wrote to memory of 5680	712	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 5872 wrote to memory of 3960	5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	msedge.exe
PID 5872 wrote to memory of 3960	5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	msedge.exe
PID 5872 wrote to memory of 3960	5872	HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe	msedge.exe
PID 3960 wrote to memory of 3992	3960	msedge.exe	svchost.exe
PID 3960 wrote to memory of 3992	3960	msedge.exe	svchost.exe
PID 3960 wrote to memory of 3992	3960	msedge.exe	svchost.exe
PID 3992 wrote to memory of 4428	3992	svchost.exe	cmd.exe
PID 3992 wrote to memory of 4428	3992	svchost.exe	cmd.exe
PID 3992 wrote to memory of 4428	3992	svchost.exe	cmd.exe
PID 3960 wrote to memory of 2820	3960	msedge.exe	svchos.exe
PID 3960 wrote to memory of 2820	3960	msedge.exe	svchos.exe
PID 3960 wrote to memory of 2820	3960	msedge.exe	svchos.exe
PID 1364 wrote to memory of 5252	1364	TXPlatforn.exe	TXPlatforn.exe
PID 1364 wrote to memory of 5252	1364	TXPlatforn.exe	TXPlatforn.exe
PID 1364 wrote to memory of 5252	1364	TXPlatforn.exe	TXPlatforn.exe
PID 3960 wrote to memory of 5372	3960	msedge.exe	HD_msedge.exe
PID 3960 wrote to memory of 5372	3960	msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 5160	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 5160	5372	HD_msedge.exe	HD_msedge.exe
PID 4428 wrote to memory of 3972	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 3972	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 3972	4428	cmd.exe	PING.EXE
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe
PID 5372 wrote to memory of 1584	5372	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
"C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1640

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4036

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.qq.com/products/285647/faqs/88645
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
5⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:3972

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
4⤵
- Executes dropped EXE
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa67ff46f8,0x7ffa67ff4708,0x7ffa67ff4718
5⤵
- Executes dropped EXE
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
5⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
5⤵
- Executes dropped EXE
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
5⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:4296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240596625.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5680

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery