8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/hao123inst-taiwan.exe
Size

305KB
MD5

efd47a079976283cde2a1f9547689cde
SHA1

9f90940372c37d7d4125774190efcd5c8263a2c6
SHA256

4c52fc7d54f3b4cb1b4e7bcc66a778e9c704211f8406f382cfbb541db42398a1
SHA512

47fac55eb2bd937692048ceebaf5da8d1b72e9d7e6954c51082d2b753039a2c00a82c5db04d7216c412b4376e6da7126662e3f7e6734008333d6840b28301a53
SSDEEP

6144:gjbTUh/hQXxBvQ0utY3jNp1NZEE/1rEpYANhWx:gzGQXDo0utIjNHNqGrEKChc

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	hao123inst-taiwan.exe

Executes dropped EXE 2 IoCs

pid	Process
808	hao123.1.0.0.1100.exe
2192	hao123.1.0.0.1100.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral24/memory/3576-0-0x0000000000400000-0x0000000000534000-memory.dmp	upx
behavioral24/memory/3576-40-0x0000000000400000-0x0000000000534000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123inst-taiwan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1100.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Internet Explorer\Main	hao123inst-taiwan.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://tw.hao123.com/?tn=forf_hp_hao123_tw"	hao123inst-taiwan.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	hao123inst-taiwan.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
3576	hao123inst-taiwan.exe
3576	hao123inst-taiwan.exe
3576	hao123inst-taiwan.exe
3576	hao123inst-taiwan.exe
2192	hao123.1.0.0.1100.exe
2192	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
1564	msedge.exe
1564	msedge.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
3932	msedge.exe
3932	msedge.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
808	hao123.1.0.0.1100.exe
4896	identity_helper.exe
4896	identity_helper.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 808	3576	hao123inst-taiwan.exe	87
PID 3576 wrote to memory of 808	3576	hao123inst-taiwan.exe	87
PID 3576 wrote to memory of 808	3576	hao123inst-taiwan.exe	87
PID 3576 wrote to memory of 2192	3576	hao123inst-taiwan.exe	88
PID 3576 wrote to memory of 2192	3576	hao123inst-taiwan.exe	88
PID 3576 wrote to memory of 2192	3576	hao123inst-taiwan.exe	88
PID 808 wrote to memory of 3932	808	hao123.1.0.0.1100.exe	90
PID 808 wrote to memory of 3932	808	hao123.1.0.0.1100.exe	90
PID 3932 wrote to memory of 4900	3932	msedge.exe	92
PID 3932 wrote to memory of 4900	3932	msedge.exe	92
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 4416	3932	msedge.exe	94
PID 3932 wrote to memory of 1564	3932	msedge.exe	95
PID 3932 wrote to memory of 1564	3932	msedge.exe	95
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96
PID 3932 wrote to memory of 1588	3932	msedge.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-taiwan.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-taiwan.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe
    "C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tw.hao123.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa15c646f8,0x7ffa15c64708,0x7ffa15c64718
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        5⤵
        
        PID:4416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        5⤵
        
        PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:3528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
        5⤵
        
        PID:4228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
        5⤵
        
        PID:1112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        5⤵
        
        PID:664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
        5⤵
        
        PID:4336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
        5⤵
        
        PID:3624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:4200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11662626966532270876,7310213954192260198,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2756 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
- - C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe
    first_exec_from_inst
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
41bc2e880cc1155ab991ae1c6ac82d45

SHA1
a970300ea863b853361042f0e9a950df0090bd6e

SHA256
6eb2bcc40052ae311db6992ea79ccc00115d4611b94d259dc70f8c1f305b0aea

SHA512
f9bcc525b3ecf581a414dfb57f231c13562bf40649ae5f2adc78a90067a4da211aaae2b8c1f3b81bad85ccd70bb33ab3b93f58d41f5a512a65a33922ff2e24e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e164b79ac56669beb2a58fd0fe9a829b

SHA1
63a3376cae3936eab8b346cb60fef565383552f3

SHA256
2ed6833c5313d7fca9bd5a1175016c0efc397b514157102cd222753798da69da

SHA512
5442608cd3e784d35cb1024fcd180505e31db80e6c7274fc2b0147c14fd3e147e5ea752373c9ed2caad4a7bec7567ff2cb5602d6a124309e292ea6a0963b5a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49596a9cb5c210857ed54469418d1ef6

SHA1
f7d025542a3270261319d385f1c9e4b1ba2b4dd9

SHA256
79aeceae14d89a78d74064de8110e7f5f61d4dcfdcadfd9706e6274d71c237b2

SHA512
6faa6d8b444dee4d7681b23107d735b015aee00ed207d94778fa515f77dd308c6a3f59f2cf9e3651385a2943e2c8eb389799b58dfe581310492a38b95c8ceafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eb5e175e407733f1eb3277754de81172

SHA1
280333a72cd154e4180ce0d84316c48d23b0cacf

SHA256
17e5c2e2dc2d5e1c0d10301a28b48e205a623fe04d5d8ffa5593ebf03f62cc97

SHA512
07cd6cf20eb7d2d8478feff194729cb647247f81a71c807b882d53e117ec3797cd05d51e5cf3fd0d9683139f96cad4310d725abde8265f89ff37eca9ce3b0ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
963ce9c9af5155ad019c7d4d5c0a16a4

SHA1
73729efa4ae8b3af33190c2d41ad13585ed26d09

SHA256
b4a0751a10b04803063f0f143f539287a25712a53aa4377edef8e85ec37c50f5

SHA512
dc3fbf52bce0897d17ed56348bc94d4be35cb380de52787797ca1124a12f5eed9c070cb10d592a267725a1d6b6619e2b064e6b12c639aebf136f665d00581fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fb14.TMP

Filesize
706B

MD5
38f9c0a5725624323222166cd3a71c99

SHA1
437254b028357a3bfc61c2fc8da244159a0da7bd

SHA256
695a7762c96bae0bbf785a89b730c6cffb1c793728c712896ba7358a85b17da1

SHA512
5d53fc7511ca9c9730e7e761c137cc47a1fc0e74be35244d14c0dc93689ef93440ac947b30b47ed917cad6d51edf39d8e9f3986144e1e52588666349d030e134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c998d2de-8233-4cf8-bede-2ebf80c5a16f.tmp

Filesize
6KB

MD5
0a3bfc7e58d85a4afaf514425b5255a6

SHA1
14f3b90165bf937b8d6244ea765fb93055b9fbdd

SHA256
0cf82b55b00214df141e36f2982e0e35faee491223ebd0a1250ed6a29fba798f

SHA512
7e95c9b0d01fc671d5e27479fd1d63bafc5484d39dfe26ad9c9039d1d1ec8e40cba01e085a7f8053f8ec9d3641fa9e6d3a813d7f39508c7b3c83325f05dd5b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e3dc967ee60cdf1739ce3a138e78a72

SHA1
8b25f3af1f7bcb3529f399f77e4c3d1c0ade2a6d

SHA256
ce388216216f4b0cff240fb3ee5d8539b6b098cee37aa674b6cc7bfeb0966f82

SHA512
2f515fc6059a94a9676a7075394553bdb032546c9a636ff6b97c924a28873efa02df7786ab600d112baa051052a6d959e3170cc4c0367abbd755fea5cc68d9e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\hao123.lnk

Filesize
1KB

MD5
4c0f77f4b7899ce2af9124d7b7ae23b4

SHA1
bad149489ac94e86ed33f413c1de60e5bda38e7a

SHA256
d83a54a76250d50a4644a9ee4e24a985ea357ba561a38bc3792b0dae5da5869e

SHA512
350c0fb1426a2bd81732c4f5a686d050af58ec47923cafbf4943cea3e8700cb8ffb7a0e3ea62f05b8be4ae851fe7271cbd5feb14decb35c67d7307aa67638805

Download Submit
C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe

Filesize
536KB

MD5
2d70d95d5aa1027ad772a35d2a95fe2c

SHA1
f2c05d81c507d29473bcd84a1b0ddaf12022d1db

SHA256
7fa96f4fdff5abb39587b3be3e969c1c0188a75cd9871ef25351c2becd1c1724

SHA512
e48e73984644f1a8095fc90fc1fc719fc9b07ccfa0ff1ae9a92f7a73cbe4f99b9c72912f7f1b0c4bd44b9ecc0f3d868d3cccfe6f9a74483feed2f582aacf6991

Download Submit
C:\Users\Admin\Desktop\hao123.lnk

Filesize
1KB

MD5
e32960ba0740d5f3c7bff400a6f60619

SHA1
9894bb7bad12819dd86567dd22462e463037deb5

SHA256
410d52d968367ff46ebf30b38efed7d4c49630276a4026ce4e57932badf4c80e

SHA512
c2c7cf012a693ddd86147bdc07ee9257c736d0e5e9a9032b787243d6d66ae64b305b6697772bdb2ff9b8d37661d687de5180db8acb34f4f62bf006d57ea8cb2f

Download Submit
memory/808-71-0x0000000076D80000-0x0000000076F20000-memory.dmp

Filesize
1.6MB

Download
memory/808-26-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2192-105-0x0000000076D80000-0x0000000076F20000-memory.dmp

Filesize
1.6MB

Download
memory/3576-0-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3576-40-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download