Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 18:18
Static task: static1
Behavioral task: behavioral1
Sample: 2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
Resource: win7-20240508-en
General
Target: 2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
Size: 2.1MB
MD5: a2451516f8c8c1f5afdef7ad83cb4a75
SHA1: 3fef57c0bd60ecad49e7cf6b6b4a1dd49e9d64ad
SHA256: 2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9
SHA512: 0c2c26fb6a8cc4511692f5b190d6f7788bbe33d92741456dae408b0c239d1e9ea86115a2abe044f635cb71b815ac2c7dc84a472902f68d25e7e3b47c7ab7c068
SSDEEP: 24576:J09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+jYd3YA/qV05N:J09XJt4HIN2H2tFvduySBYNDCqb
Malware Config
Signatures
resource  yara_rule
behavioral2/memory/4660-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4660-10-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4660-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2268-15-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2268-20-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2268-16-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/980-27-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2268-29-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/980-48-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/980-77-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/980-30-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
resource  yara_rule
behavioral2/memory/4660-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4660-10-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4660-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2268-15-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2268-20-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2268-16-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/980-27-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2268-29-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/980-48-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/980-77-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/980-30-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
description  ioc  Process
File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation  HD_msedge.exe  (×8, identical entries)
Executes dropped EXE 21 IoCs
pid  Process
4660  RVN.exe
2268  TXPlatforn.exe
1948  HD_2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
980  TXPlatforn.exe
900  msedge.exe
4360  RVN.exe
4304  TXPlatforn.exe
3828  TXPlatforn.exe
3568  HD_msedge.exe
2724  HD_msedge.exe
1536  HD_msedge.exe
3652  HD_msedge.exe
3052  HD_msedge.exe
5080  HD_msedge.exe
3596  HD_msedge.exe
4448  HD_msedge.exe
1956  HD_msedge.exe
4068  HD_msedge.exe
3092  HD_msedge.exe
2268  HD_msedge.exe
556  HD_msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource  yara_rule
behavioral2/memory/4660-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4660-10-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4660-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4660-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2268-13-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2268-15-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2268-20-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2268-16-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/980-27-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2268-29-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/980-48-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/980-77-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/980-30-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  HD_msedge.exe
Drops file in System32 directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
File created  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
Drops file in Program Files directory 7 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
File created  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
pid  Process
4984  PING.EXE
2908  PING.EXE
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid  Process
2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
900  msedge.exe
900  msedge.exe
3652  HD_msedge.exe
3652  HD_msedge.exe
3568  HD_msedge.exe
3568  HD_msedge.exe
3940  identity_helper.exe
3940  identity_helper.exe
556  HD_msedge.exe
556  HD_msedge.exe
556  HD_msedge.exe
556  HD_msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid  Process
980  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description  pid  Process
Token: SeIncBasePriorityPrivilege  4660  RVN.exe
Token: SeLoadDriverPrivilege  980  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  4360  RVN.exe
Token: 33  980  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  980  TXPlatforn.exe
Token: 33  980  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  980  TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid  Process
3568  HD_msedge.exe  (×25, identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid  Process
3568  HD_msedge.exe  (×24, identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
900  msedge.exe
900  msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (identical repeated entries are collapsed and marked ×N; 64 entries in total)
PID 2460 wrote to memory of 4660  2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe  83  (×3)
PID 4660 wrote to memory of 816  4660  RVN.exe  88  (×3)
PID 2460 wrote to memory of 1948  2460  2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe  89  (×2)
PID 2268 wrote to memory of 980  2268  TXPlatforn.exe  90  (×3)
PID 816 wrote to memory of 4984  816  cmd.exe  92  (×3)
PID 1948 wrote to memory of 900  1948  HD_2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe  100  (×3)
PID 900 wrote to memory of 4360  900  msedge.exe  101  (×3)
PID 4360 wrote to memory of 2676  4360  RVN.exe  103  (×3)
PID 4304 wrote to memory of 3828  4304  TXPlatforn.exe  104  (×3)
PID 900 wrote to memory of 3568  900  msedge.exe  106  (×2)
PID 3568 wrote to memory of 2724  3568  HD_msedge.exe  107  (×2)
PID 2676 wrote to memory of 2908  2676  cmd.exe  108  (×3)
PID 3568 wrote to memory of 1536  3568  HD_msedge.exe  109  (×31)
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  HD_msedge.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2460

    [2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4660

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
            - Suspicious use of WriteProcessMemory
            PID: 816

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                - Runs ping.exe
                PID: 4984
    [2] C:\Users\Admin\AppData\Local\Temp\HD_2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\HD_2d6c9dbadda80ddf66878970b32ebf4dcd5fd56dea30a59376339af1351bd4a9.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1948

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 900

            [4] C:\Users\Admin\AppData\Local\Temp\RVN.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 4360

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
                    - Suspicious use of WriteProcessMemory
                    PID: 2676

                    [6] C:\Windows\SysWOW64\PING.EXE
                        Command line: ping -n 2 127.0.0.1
                        - Runs ping.exe
                        PID: 2908
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Checks system information in the registry
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 3568

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeba8b46f8,0x7ffeba8b4708,0x7ffeba8b4718
                    - Executes dropped EXE
                    PID: 2724

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
                    - Executes dropped EXE
                    PID: 1536

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 3652

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
                    - Executes dropped EXE
                    PID: 3052

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 5080

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 3596

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 4448

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 1956

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
                    PID: 3664

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 3940

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 4068

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 3092

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
                    - Checks computer location settings
                    - Executes dropped EXE
                    PID: 2268

                [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2104,3763171035984684534,7823488063629183162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 556
[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2268

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        PID: 980

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4304

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Executes dropped EXE
        PID: 3828

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1872

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4472
Network
MITRE ATT&CK Enterprise v15