Analysis
  max time kernel: 150s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-06-2024 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  Resource: win7-20240611-en
General
  Target: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  Size: 2.5MB
  MD5: df6e20a3b560561073b83bc05cbeb887
  SHA1: 9339e837a6d81aad730e65d248158bac1230525b
  SHA256: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3
  SHA512: cde38d8eebda77d2c1ca24e60326726a7d6385a898bbcbda7f86a43e499dc8c2f64ef6d012587c0413f37f2cfbcfa2aad08260ea156e22a170068fd14b0350bd
  SSDEEP: 24576:eQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVPJtq4CdEXMdIQweYA/qV05N:eQZAdVyVT9n/Gg0P+WhoS9CdEXreDCqb
Malware Config
Signatures
  resource                                                                    yara_rule
  behavioral2/memory/3688-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3688-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3688-10-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3268-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3268-16-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3268-17-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3268-24-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3772-28-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3772-37-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3772-29-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
  behavioral2/memory/3772-38-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
Gh0st RAT payload 12 IoCs
  resource                                                                    yara_rule
  behavioral2/memory/3688-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3688-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3688-10-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3268-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3268-16-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3268-17-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3268-24-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3772-28-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/files/0x0008000000023424-32.dat                                 family_gh0strat
  behavioral2/memory/3772-37-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3772-29-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
  behavioral2/memory/3772-38-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
Drops file in Drivers directory 1 IoCs
  description   ioc                                       Process
  File created  C:\Windows\system32\drivers\QAssist.sys   TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  description      ioc                                                                                                                            Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240602250.txt"  svchos.exe
  Note: the service name Ö÷¶¯·ÀÓù·þÎñÄ£¿é is the GBK byte sequence for 主动防御服务模块 ("Active Defense Service Module") rendered through the sandbox's en-US code page. The ServiceDll value points at a file with a .txt extension in System32, which svchost.exe later loads as a DLL (see "Loads dropped DLL" and the process tree).
Sets service image path in registry 2 TTPs 1 IoCs
  description      ioc                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process        count
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  HD_msedge.exe  8
Executes dropped EXE 24 IoCs
  pid   Process
  3688  svchost.exe
  3268  TXPlatforn.exe
  3772  TXPlatforn.exe
  224   svchos.exe
  948   HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  2752  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  1876  msedge.exe
  2980  svchost.exe
  1608  TXPlatforn.exe
  2344  svchos.exe
  3744  TXPlatforn.exe
  4612  HD_msedge.exe
  1760  HD_msedge.exe
  2340  HD_msedge.exe
  3444  HD_msedge.exe
  864   HD_msedge.exe
  2520  HD_msedge.exe
  2072  HD_msedge.exe
  1032  HD_msedge.exe
  3296  HD_msedge.exe
  2928  HD_msedge.exe
  3084  HD_msedge.exe
  3276  HD_msedge.exe
  324   HD_msedge.exe
Loads dropped DLL 3 IoCs
  pid   Process
  224   svchos.exe
  4104  svchost.exe
  2752  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA matches (rule: upx)
  resource                                                                    yara_rule
  behavioral2/memory/3688-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3688-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3688-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3688-10-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3268-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3268-16-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3268-13-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3268-17-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3268-24-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3772-28-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3772-37-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3772-29-0x0000000010000000-0x00000000101B6000-memory.dmp upx
  behavioral2/memory/3772-38-0x0000000010000000-0x00000000101B6000-memory.dmp upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
  description        ioc                                                                          Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
  description        ioc                                                                                Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  HD_msedge.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   HD_msedge.exe
Drops file in System32 directory 6 IoCs
  description                   ioc                                               Process
  File created                  C:\Windows\SysWOW64\TXPlatforn.exe                svchost.exe
  File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe                svchost.exe
  File created                  C:\Windows\SysWOW64\240602250.txt                 svchos.exe
  File opened for modification  C:\Windows\SysWOW64\ini.ini                       svchos.exe
  File created                  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe            svchost.exe
  File opened for modification  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe            svchost.exe
Drops file in Program Files directory 7 IoCs
  description                   ioc                                                                  Process
  File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe                                aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe      msedge.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe      msedge.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe         aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe   aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe                         aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  File created                  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe          aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
  description        ioc                                                                 Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                  HD_msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer HD_msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
  pid   Process
  1812  PING.EXE
  2672  PING.EXE
Suspicious behavior: EnumeratesProcesses 14 IoCs
  pid   Process                                                                   count
  4480  aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe     2
  1876  msedge.exe                                                                2
  3444  HD_msedge.exe                                                             2
  4612  HD_msedge.exe                                                             2
  4500  identity_helper.exe                                                       2
  324   HD_msedge.exe                                                             4
Suspicious behavior: LoadsDriver 1 IoCs
  pid   Process
  3772  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
  description                        pid   Process
  Token: SeIncBasePriorityPrivilege  3688  svchost.exe
  Token: SeLoadDriverPrivilege       3772  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  2980  svchost.exe
  Token: 33                          3772  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  3772  TXPlatforn.exe
  Token: 33                          3772  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  3772  TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
  pid   Process        count
  4612  HD_msedge.exe  25
Suspicious use of SendNotifyMessage 24 IoCs
  pid   Process        count
  4612  HD_msedge.exe  24
Suspicious use of SetWindowsHookEx 4 IoCs
  pid   Process                                                                 count
  4480  aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe   2
  1876  msedge.exe                                                              2
Suspicious use of WriteProcessMemory 64 IoCs
  Each row is one "PID <source> wrote to memory of <target>" event, grouped with a count of identical events.
  source pid  target pid  Process                                                                   procid_target  count
  4480        3688        aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe     81             3
  3688        1732        svchost.exe                                                               83             3
  3268        3772        TXPlatforn.exe                                                            84             3
  4480        224         aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe     85             3
  1732        1812        cmd.exe                                                                   89             3
  4480        948         aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe     90             2
  4104        2752        svchost.exe                                                               91             3
  948         1876        HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe  92             3
  1876        2980        msedge.exe                                                                93             3
  2980        4956        svchost.exe                                                               95             3
  1608        3744        TXPlatforn.exe                                                            97             3
  1876        2344        msedge.exe                                                                96             3
  1876        4612        msedge.exe                                                                98             2
  4612        1760        HD_msedge.exe                                                             100            2
  4956        2672        cmd.exe                                                                   101            3
  4612        2340        HD_msedge.exe                                                             102            22
System policy modification 1 TTPs 1 IoCs
  description  ioc                                                                              Process
  Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  HD_msedge.exe
Processes
(Each entry gives the image path, the command line, the signatures triggered by that process, and its PID; [n] is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4480

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3688

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            - Suspicious use of WriteProcessMemory
            PID: 1732

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                - Runs ping.exe
                PID: 1812
    [2] C:\Users\Admin\AppData\Local\Temp\svchos.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        PID: 224
    [2] C:\Users\Admin\AppData\Local\Temp\HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 948

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1876

            [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2980

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
                    - Suspicious use of WriteProcessMemory
                    PID: 4956

                    [6] C:\Windows\SysWOW64\PING.EXE
                        Command line: ping -n 2 127.0.0.1
                        - Runs ping.exe
                        PID: 2672

            [4] C:\Users\Admin\AppData\Local\Temp\svchos.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                - Executes dropped EXE
                PID: 2344
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Checks system information in the registry
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 4612

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3b1046f8,0x7ffa3b104708,0x7ffa3b104718
                    - Executes dropped EXE
                    PID: 1760

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
                    - Executes dropped EXE
                    PID: 2340

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 3444

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
                    - Executes dropped EXE
                    PID: 864

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 2520

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 2072

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 3296

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 1032

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 3084

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 2928

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
                    PID: 3924

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 4500

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 3276

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2036,9728984171224948373,12350219616838327918,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 324
[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3268

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        PID: 3772
[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 1684

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4104

    [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240602250.txt",MainThread
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2752
[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1608

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Executes dropped EXE
        PID: 3744

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 2356

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3372
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 3.2MB
  MD5: ad8536c7440638d40156e883ac25086e
  SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
  SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
  SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

  Filesize: 5.0MB
  MD5: 4e71d20028422f852cb2dc2eb6362d18
  SHA1: 8cda077418f0299046376680efe78bc87c8a8fcb
  SHA256: 21062a9c50f2145d3c2c3d3dabb1df99aee16619ce9d4c2d603c4a5491ef5458
  SHA512: 5abe1f669943d7acb8b789b3693895bd6485fc25fcd78035db4d08830eba913e5537edf045aff37356fd30f337b2c75f4e956ff5277b327c6ce4a6cb92ecb335

  Filesize: 152B
  MD5: 4158365912175436289496136e7912c2
  SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

  Filesize: 152B
  MD5: ce4c898f8fc7601e2fbc252fdadb5115
  SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
  SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
  SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

  Filesize: 5KB
  MD5: cdbc1381e60ea1468ffe64776a08fdca
  SHA1: 1a57a8fa6f475aea60d7ee6c35237c1014393431
  SHA256: 29420678f3e8c8a17bd42d4592f55d0e475b9a90162c5e3fb8762d7d2df390b0
  SHA512: b28580f097d88a3fe42c42fd09fbab050c3aa4e9c287d92e013960df4d60803637969ff6b0a330f8226bae05171680be12fd925b95ff50b7b026ede0297c13a1

  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  Filesize: 8KB
  MD5: 713e6a1097f5a2897085d564eee44d14
  SHA1: f00199b137176900fc07476111f25aabc9615a75
  SHA256: bce39c13b162e8c3f321fe9f140389213c4456e28a1237e3f9bafd46d55bfc70
  SHA512: f841d7b7b366fb8dbeebe2fb491a0d6966cc58e3e2ed4ce01262ee5deb4c15e3a78b62388619139b40c19fe1834491d1acf4279ddc4316f5afac728c317db841

  Filesize: 1.9MB
  MD5: 21d3b31ce900a5efab1edc2f6c0b716c
  SHA1: 158f042106662d40d24632183d64b2ca4f65b044
  SHA256: 8a525fded0f15ea9c0931db151db2d5a8973cf895ee788e31ea95d2390509568
  SHA512: f6f27fabdc567a17c0fe768c9f49b68e7f60092e8058c94e92baee98bbe2d768fd117e7327887714669c76430df5e395480946b92fe0ca5b1ea5cf17e6892b72

  C:\Users\Admin\AppData\Local\Temp\HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
  Filesize: 644KB
  MD5: 66eb21741ecfc2a8a53a24d65ec7a40a
  SHA1: 6d70532a0b9a1012da004bb78461fff8d9845253
  SHA256: 64cd27f902fdf3e74c2ed74f7640ec000441ef46daffa20416da582e751b18a8
  SHA512: 47289021ab9543a30a2ab647f42619cba048be9c03f4b8c6fbc888bb7167c0cd8868e482114874c0b6c8f02dc48b6e87d22b1c4f04e53a0d20b62897199955be

  Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

  Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

  Filesize: 50KB
  MD5: ffa7ae80adab65018ba485e5380ac4a9
  SHA1: 951abc7f0a22299d3869ed9210c94dab84109d11
  SHA256: 215dfca5e51916fb3977bcfc5ae9bca1e50392a48e28a16ee3ef0950b28601a0
  SHA512: 11238ea671a52dc1fb95a9d0db3d3746e255816f1c918fea8567029cf0e1a678399440786f63302dc00b4a084de9997a0b057b6eacfbab15fcf179586bcf4af2

  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641