a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Size

2.2MB
MD5

276a186c8671f1348db97205dd28e874
SHA1

e88cb8f03005223dd2a007aafebca33fb4d26099
SHA256

a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166
SHA512

bc499ba71f599fc4dce5ec4c9296c731936e64bf81a18ce489c9fced72657dd91921c3a805f62b05c09a96469ef606c4e607cdccc48be188729a64cef81a216d
SSDEEP

49152:0Zrug17iugcy2JFUhn5GUcvawwzx48EbQDl2laGtY:00s2ug7uF+4iPEbQDopi

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1312-0-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-17-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-46-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-128-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-132-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-143-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-144-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-157-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-166-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-187-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-188-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-189-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-190-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-200-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-205-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral2/memory/1312-208-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
1884	msedge.exe
1884	msedge.exe
216	identity_helper.exe
216	identity_helper.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: 33	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeIncBasePriorityPrivilege	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1884	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	91
PID 1312 wrote to memory of 1884	1312	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	91
PID 1884 wrote to memory of 1492	1884	msedge.exe	92
PID 1884 wrote to memory of 1492	1884	msedge.exe	92
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 412	1884	msedge.exe	93
PID 1884 wrote to memory of 4588	1884	msedge.exe	94
PID 1884 wrote to memory of 4588	1884	msedge.exe	94
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95
PID 1884 wrote to memory of 4152	1884	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
"C:\Users\Admin\AppData\Local\Temp\a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://lanseyou.top:6093/txt?&ys=0&lj=%E6%94%AF%E6%8C%81%E7%B9%81%E4%BD%93%E7%B3%BB%E7%BB%9F%E6%96%B9%E6%B3%95
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f76146f8,0x7ff8f7614708,0x7ff8f7614718
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    3⤵
    PID:4152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:2620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3616
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1676 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8316800915137243855,17437872459855540460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 /prefetch:2
    3⤵
    PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3d3dfad6-8c08-4895-81d2-304de546fb90.tmp

Filesize
11KB

MD5
f72769b24a9d8b7cc480677f69453ef9

SHA1
b886c2aae1c126dcf463156209582ee412abedd1

SHA256
662934faf63fb2f8af56486468d40ea784e51b70192873db7c1ffbc59f2e3633

SHA512
ef104ee7a527834bdc43cde8701d268cb493073ef54c43dfdbc17a3badfd9a2f7d50acf15ffc0067e17ae69e2923bb7a227c7dcbaba67854d05a794ceaef3818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d85095b4896e925722d8cbfcd91ee204

SHA1
d5dffc803d10df79546f1dc69e5fc1fba650753f

SHA256
8869ec11935ec16feb60e4587c7a43539faa0b05edf94c7eb2a4036da871a1cf

SHA512
a4cf3caa363685961d419d3107df4ef000420522d1dc4892fc93d8d290ce6a0d7c399cf5cd1ce19b6c1509985b1bdd206b962c7216956d58c9166a9cfa61c882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d50e762ed8477d86bbf62ffa4e27c3a5

SHA1
b0f1780b23e529f264d88772a3b0e5420051fb7e

SHA256
99e2f365de8fad22f3a4172f9b203f75bcba6bef55811b890aac3e264573a61a

SHA512
d1799c3ffc9ff5b1c83ce2b2f1063c1f5300aa0e5085fa6659ca572d892025e8c9677bf33bae785bb39eb8f9fb626e95f90e53d7e429b06c787485964126f512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\fuwuqi.ini

Filesize
58B

MD5
6f9c67c0816152b42ef5c41a36d9b486

SHA1
bb94450dbb1c052c099564774558b0da38ad7469

SHA256
2f7b2a3999078c3481071c8c80084196fbc257dd3b651319766ec4126de70b2d

SHA512
7fbea66b6f4fdde9c4b220c233b7dad07d837f33d7e70fe5722672bbd44af1d0996a7f89670c94743f2dbe28c398bf421a01c3e5b4713b24de4ebcbeaa6f856d

Download Submit
memory/1312-144-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-46-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-17-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-15-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1312-16-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1312-14-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1312-1-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1312-128-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-143-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-132-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-166-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-157-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-0-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-187-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-188-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-189-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-190-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-200-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-205-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/1312-208-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download