b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
Size

623KB
MD5

3f904012111af03ae22495fbeef33362
SHA1

5f4f665e42329824daf0f72def4b887e78b1d6ae
SHA256

b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d
SHA512

e2460e9824f687a1003c3dbd81a49c142db1c5a5f54456df1847a65e0b056ed22254933d397394465988880480cb5c92aca5b0958e9235bec7beb4ec1458994b
SSDEEP

6144:aVfjmNoQt6XCjrKk096f1S8CRUnj7Z29PRUi4r:U7+1t6yjrKk096f1Kwi4r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2660	Logo1_.exe
1832	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
File created	C:\Windows\Logo1_.exe	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2660	Logo1_.exe
2528	msedge.exe
2528	msedge.exe
4500	msedge.exe
4500	msedge.exe
5112	identity_helper.exe
5112	identity_helper.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3676	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	82
PID 4160 wrote to memory of 3676	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	82
PID 4160 wrote to memory of 3676	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	82
PID 4160 wrote to memory of 2660	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	84
PID 4160 wrote to memory of 2660	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	84
PID 4160 wrote to memory of 2660	4160	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	84
PID 2660 wrote to memory of 1896	2660	Logo1_.exe	85
PID 2660 wrote to memory of 1896	2660	Logo1_.exe	85
PID 2660 wrote to memory of 1896	2660	Logo1_.exe	85
PID 1896 wrote to memory of 3456	1896	net.exe	87
PID 1896 wrote to memory of 3456	1896	net.exe	87
PID 1896 wrote to memory of 3456	1896	net.exe	87
PID 3676 wrote to memory of 1832	3676	cmd.exe	88
PID 3676 wrote to memory of 1832	3676	cmd.exe	88
PID 3676 wrote to memory of 1832	3676	cmd.exe	88
PID 2660 wrote to memory of 3152	2660	Logo1_.exe	55
PID 2660 wrote to memory of 3152	2660	Logo1_.exe	55
PID 1832 wrote to memory of 4500	1832	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	94
PID 1832 wrote to memory of 4500	1832	b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe	94
PID 4500 wrote to memory of 1972	4500	msedge.exe	95
PID 4500 wrote to memory of 1972	4500	msedge.exe	95
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 3828	4500	msedge.exe	96
PID 4500 wrote to memory of 2528	4500	msedge.exe	97
PID 4500 wrote to memory of 2528	4500	msedge.exe	97
PID 4500 wrote to memory of 1180	4500	msedge.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
  "C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3DA.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
      "C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed3d946f8,0x7ffed3d94708,0x7ffed3d94718
        6⤵
        
        PID:1972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:3828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        6⤵
        
        PID:1180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        6⤵
        
        PID:1312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
        6⤵
        
        PID:4596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:3912
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
        6⤵
        
        PID:3740
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        6⤵
        
        PID:3348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        6⤵
        
        PID:3540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        6⤵
        
        PID:2760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
        6⤵
        
        PID:3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
c95de867eae6f63d4b88f646f5c5ce41

SHA1
5bc5aced580247634f7efe528c13366439500577

SHA256
f9beead09a4c506ba35cb3b7bbdf1092e6758cc1ab94824ad51b377a5c1d0273

SHA512
c1752ba054e5c8952b8d608d6f473c9d9a5f54359032c3bd0d8d4bacda2f1361ac1be3fb199dd5c1098169ba55e5d00b1e1c30b6932f5768deb3b378e70474f3

Download Submit
C:\Program Files\SuspendResolve.exe

Filesize
612KB

MD5
65e552ece63686721c53b66c27e1fe22

SHA1
bbf99bec7283dfef45e53b189129d456d4c76581

SHA256
03ed7876f41dfd9f115e35dd01bbb3d49d3d937bcc4a293b4565327ba113dd73

SHA512
90f61aaf31df16aece0521201f73982ad4b37f43825a7a0371e34fda773fe27f923d85e7ce0270609dd5c6a613d7600d8087b427646fa9ff1bc0e328f687a7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b29e6ec2a5932be4724cb93b5b1cb287

SHA1
ae130d06e719f0c6fba728dc29407d78f797719e

SHA256
2903b4955aa0c1c0e6058e333b07d0f024c7a187a0620d73b508900963a38390

SHA512
9c854f0e396c66d5419bacabbe92165a76c8b638f15c44634740194ac142313b94dbc6bf0fe5a1fba2538e1196e87571720a0076b49ca932c4b4d18e5842644b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
c063919e7c7382bda77a8916da03d559

SHA1
f67f83ce3b2ceb7d8390f851697779f7fdf23d18

SHA256
e241c784ecae2e0a23b44103cfe34898bbd552626c98467015dbe8deb9f862d4

SHA512
3bacfb5c2d4e01ddf61d3aa08fce8d7ed5437037139bf015f03a80b761bb739b3fafab3e23996cbdfe4b1984a5ab3f80ab66a49001918dafaecca8376ed13a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e46a215ce3df27aeadf509cb9e9d00b

SHA1
1b2907a7daead08e23d4c21f499cab95e2594c2e

SHA256
3dd8acef9cfe4710e50d743615bba56556868f69d9b8747596e9bed64b2c7452

SHA512
7a242e3e5dbe674bc37baf53723f0ba9609710f3fdb48062be724470ebf0b349a8010923125197ea39fa349d6b054c0c0f52d80df18d1276bb0d28a71ef76df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95a192a02fcfb99c5fad7c36f5953229

SHA1
e18d55689a11346f150eae3cffcad90a7244a952

SHA256
efb2bb18d370d65f642f6ea61dbf34a0c818554143a21840234e6697b46347d2

SHA512
739efbf2a8f3f2513e6db894b5f145c5b63f39209ba476e3c4b07486e64d0e92dfe5dfa56e95be6096012f10665ace9d6c5d64e5174b741da0d446829e555087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ca36933e6dea7aa507a272121b34fdbb

SHA1
3b4741ca0308b345de5ecf6c3565b1dbacb0fb86

SHA256
fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d

SHA512
5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3232f3769abbd1fcfd4fe6d5f97540fe

SHA1
4d3868671d6e29165bad41b913c5c66aea133538

SHA256
7cb136ede5dcf0289d96bcd28dcf30a7242f936085c6a3984f40c3cc24cd3fd1

SHA512
c97a4b52e8ee6ebb4a8c7851cc9fded1e0d58c24af2843a5e82c4f452049b04563c18913cd213abaf585aa27cd844f0ec3ec767f47a7753c250794736677c1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD3DA.bat

Filesize
722B

MD5
55e8a3ac86395b319d86d92d2a87bc9c

SHA1
8ebe832c98f50ae3af9b4c38e2fbb2b182f7f0d8

SHA256
e72f2dd93e468c778497c7c206038efdfbaee1ad7b9ee6220bfb8bb05d39664c

SHA512
7fb1d80a2af686436748228a323a2f2ee6c86e3fe5a3be77b6b42605d44281b075ebd3c0961b81dcf6f90cf048c81855189a6a8db362111763c186f3cb40c98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe

Filesize
596KB

MD5
edb2b8b3092a88af851bc559c23ff061

SHA1
78829606624dcc6770c3b6737466f2f5625bc171

SHA256
8c72d6aafd3d0359d70a59fae538ecf74b2b48a356587c2ceef9e7be5b8f377b

SHA512
03d15c1bcd068cfbd9829f2eff5ec94065b3b6a2024ac47526e7ccd348fa223ae2c75c721ec77ab48c2f1ffa96ecd5542d9a939d481bb69a209e5616770df0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe.exe

Filesize
596KB

MD5
edb2b8b3092a88af851bc559c23ff061

SHA1
78829606624dcc6770c3b6737466f2f5625bc171

SHA256
8c72d6aafd3d0359d70a59fae538ecf74b2b48a356587c2ceef9e7be5b8f377b

SHA512
03d15c1bcd068cfbd9829f2eff5ec94065b3b6a2024ac47526e7ccd348fa223ae2c75c721ec77ab48c2f1ffa96ecd5542d9a939d481bb69a209e5616770df0e8

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
faaa1287ab2f03dda558a8c036df9a3a

SHA1
ebce114a13f3f73d9470669b12256745b67d5963

SHA256
3bb531515b6756e9a2015af551948e1809fc59c00eaa9e21fbe882944ef17d00

SHA512
7e203707ce20eebbfe64ebe6cd41034e7bfa5f99db34ec8a553068c5da12971ed0d153f926e5172ba2c5e7460037fe7240d48bde36f7fbdc3688f2257aaad414

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
faaa1287ab2f03dda558a8c036df9a3a

SHA1
ebce114a13f3f73d9470669b12256745b67d5963

SHA256
3bb531515b6756e9a2015af551948e1809fc59c00eaa9e21fbe882944ef17d00

SHA512
7e203707ce20eebbfe64ebe6cd41034e7bfa5f99db34ec8a553068c5da12971ed0d153f926e5172ba2c5e7460037fe7240d48bde36f7fbdc3688f2257aaad414

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
faaa1287ab2f03dda558a8c036df9a3a

SHA1
ebce114a13f3f73d9470669b12256745b67d5963

SHA256
3bb531515b6756e9a2015af551948e1809fc59c00eaa9e21fbe882944ef17d00

SHA512
7e203707ce20eebbfe64ebe6cd41034e7bfa5f99db34ec8a553068c5da12971ed0d153f926e5172ba2c5e7460037fe7240d48bde36f7fbdc3688f2257aaad414

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4176143399-3250363947-192774652-1000\_desktop.ini

Filesize
9B

MD5
4a4922bdf377baedb0460540a7e52405

SHA1
82789c7c3ee038da34ac62e38ddde0fe667d52ac

SHA256
589848447b17adf03dfa9db6e17b5ec00d1fabf203fa496bae29ed64764a052f

SHA512
fe635f97709f5f3df9290c6c53a374351481f13aa45105f48fe3709c15532313eb4d032eed20f2a278b9837c84bba9ba7a7fa2d83cd2a1e3adc0bc930d40c2a1

Download Submit
memory/2660-1413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-2828-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-4955-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download