512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750

Analysis

max time kernel
151s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
Size

183KB
MD5

ad263cb24bd45f358afdae1af924b88a
SHA1

60c7db5c7df0e77a8f38228d6d6c1dd87ffc57ab
SHA256

512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750
SHA512

7e6b06cbe6acfc51451f953fd396d1290c472d78547a1bf61279b50400a55b9ad7812bf3b376ad44fd069662ad2d022d4434ac431615194b3715fd1fc7c1b76d
SSDEEP

3072:qecVOv+Kq7XRdEQ0FJ1ppM48XjyN8PtySC5bsOynXacwoge1i2qZgzoI7h+aS1GI:IKq7hd2b/b2yGPteb5KqcX1+Zgzo0naD

Score

7^/10

microsoft phishing

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1972	Logo1_.exe
1804	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\rundl132.exe	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1464	1972	WerFault.exe	89

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
4552	msedge.exe
4552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 468	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	88
PID 1388 wrote to memory of 468	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	88
PID 1388 wrote to memory of 468	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	88
PID 1388 wrote to memory of 1972	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	89
PID 1388 wrote to memory of 1972	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	89
PID 1388 wrote to memory of 1972	1388	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	89
PID 1972 wrote to memory of 2124	1972	Logo1_.exe	90
PID 1972 wrote to memory of 2124	1972	Logo1_.exe	90
PID 1972 wrote to memory of 2124	1972	Logo1_.exe	90
PID 2124 wrote to memory of 2852	2124	net.exe	93
PID 2124 wrote to memory of 2852	2124	net.exe	93
PID 2124 wrote to memory of 2852	2124	net.exe	93
PID 468 wrote to memory of 1804	468	cmd.exe	94
PID 468 wrote to memory of 1804	468	cmd.exe	94
PID 468 wrote to memory of 1804	468	cmd.exe	94
PID 1972 wrote to memory of 772	1972	Logo1_.exe	46
PID 1972 wrote to memory of 772	1972	Logo1_.exe	46
PID 1804 wrote to memory of 1912	1804	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	107
PID 1804 wrote to memory of 1912	1804	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	107
PID 1912 wrote to memory of 2024	1912	msedge.exe	108
PID 1912 wrote to memory of 2024	1912	msedge.exe	108
PID 1804 wrote to memory of 532	1804	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	109
PID 1804 wrote to memory of 532	1804	512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe	109
PID 532 wrote to memory of 2508	532	msedge.exe	110
PID 532 wrote to memory of 2508	532	msedge.exe	110
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111
PID 532 wrote to memory of 4964	532	msedge.exe	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:772
- C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
  "C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4253.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe
      "C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe458c46f8,0x7ffe458c4708,0x7ffe458c4718
        6⤵
        
        PID:2024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1348828036005188622,4387434953981162253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        6⤵
        
        PID:3276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1348828036005188622,4387434953981162253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2616 /prefetch:3
        6⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe458c46f8,0x7ffe458c4708,0x7ffe458c4718
        6⤵
        
        PID:2508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1460 /prefetch:2
        6⤵
        
        PID:4964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        6⤵
        
        PID:4544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:3440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
        6⤵
        
        PID:4420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        6⤵
        
        PID:3556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        6⤵
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
        6⤵
        
        PID:5196
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
        6⤵
        
        PID:5216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
        6⤵
        
        PID:5360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
        6⤵
        
        PID:5372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
        6⤵
        
        PID:5620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12274160692561759719,8976819738425622812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        6⤵
        
        PID:5628
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 564
      4⤵
      Program crash
      PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1972 -ip 1972
1⤵
PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
18a74ef7429732b7772515661efbfa69

SHA1
85d71b31ca54f63c5d3830a77c87c2f29ef2cf95

SHA256
f521f493a8aeb02be53f32a3407899f798269e0d2e37ed69a780ba40b6019778

SHA512
ff7343f6d429a2afda62324513490e78c19331cec28cdadbdab99c3424baa14a1810e0258c5c28776578b7620b1044fd538912eed8468e944cdbe78022b9da99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
268B

MD5
e0c32170e0b9d1adcd719c99d4657a9b

SHA1
fe41f67ac662bb44eba6b649912242a590281c42

SHA256
4814019e9178b288e334328b0703109ff98194c243d79d99b6518e537579ade4

SHA512
be15082a268ad82986dcc998135c5430ab0c1f6b2e3957d5235693d6f88265fb63a7072d4a9ba5447728a08e57c4c6f1207d34630d2bb520d341ae0e84cf881a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6427a7fef53ca79f7353f43aa585fdc8

SHA1
0d3f399d1ba66c6570282fc0b34003cdf0ac3ff6

SHA256
9825582cf31aac3dbc69e30d745c2a77fc4bfa74fc4ef5933a2cc8be18966e26

SHA512
e9fd351626ed4608c3e88dd2ad47fbc6c3b2ba2e865ae41fdc4edd3233656abe8d8317e5ab6df4cd1aef722101f0a3fb9ca8717a77c3d852f18fb36855706b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6392b358608cf1efa3272b63edc08ee7

SHA1
9329c1927acaee43acdbc6a9eb7d590522d8e92d

SHA256
bca289889dc51d6e4eb60d6e3f875b320f6dc99c9f9c33602d6046bc2ca784a3

SHA512
4e2646f5e8df5982428606e40d0d2a91842c405d5aa11dc680c900bf0bd598374c4d7c51a5c8c696cca0d4c6422e71035bbfb938257f77f452b8508998fe960d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eadb36b29b802befd69cb021ec295424

SHA1
5194d271e825e5d4a23782dcb75c74ee3338ac68

SHA256
6772c06d8849db68f1b1de51f329d56d50c05fc647e007d095016cb9fb03f630

SHA512
3c0bab1e022e78f9020b86cbf154a55590f37b923b865337d63f5c29f9b1bc97e371ee58e1e3bf407b1293973a757d999860d65b3a45714d20abab4cc7b2d423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f305b1f438b58b5b053f4fcadbe46a84

SHA1
87ed66d89dc7e2951bc0e9743f41816e07389a89

SHA256
b2ba9ba42fea05d26a6d9e80be8ca41bab3133e5e0d8500863ea6dece7be55e9

SHA512
a5a121c43be6a7b19e93a20acc97963544568f82e842fd2b5a67dafb9b89b1b2a72c1ab59755d83336f9d1fcdfe0c322248aa72e25a2afa3eeb54d7db07a7e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4388db202ce3267e21f18b215d7dce1b

SHA1
103644315563775049a98d72380ffb1b62f0dca4

SHA256
5182c78e26f7aadf4d6a90daf48b9c1820be375604f31d6304d8d18718f3aa31

SHA512
246af35d0d8f0673eb512b34389be562b406685184fd64f9fab4b0e0e68b39f0528e5136d356ddef945581638567d4c7bfdcb66ba82629f435063c992483d8eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4388db202ce3267e21f18b215d7dce1b

SHA1
103644315563775049a98d72380ffb1b62f0dca4

SHA256
5182c78e26f7aadf4d6a90daf48b9c1820be375604f31d6304d8d18718f3aa31

SHA512
246af35d0d8f0673eb512b34389be562b406685184fd64f9fab4b0e0e68b39f0528e5136d356ddef945581638567d4c7bfdcb66ba82629f435063c992483d8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4253.bat

Filesize
722B

MD5
4ee4e1742fe4a534c1defaef5fed15c6

SHA1
72d6633d4825d77278238c55aa4ef781e8904667

SHA256
7baf0180019f937bf07a888fec2a09295c7ebd5a5a27cc4b380c998a14819293

SHA512
78faf2417c447cd60e06b3a55bc544454c545a50c7cdf90c6bae99033d5e7168fac5b2611a518f2a17374879a96fba99aac2015b2f833175b9669bbf7433c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe

Filesize
152KB

MD5
f3ab2989a77729bfa6cbf11d2a57b77e

SHA1
c6e99fc37c912abfd2809444cbb0ea49187f00ac

SHA256
9d3b0fcde1054ac1669e601790a465f4589eff7cfe90484af155f33b439f8149

SHA512
20f859965e0112179d4dc4d5faa1518d6ef6d470a0cd94cf1f361921349d30ce1f261438fc198749d847590b810fba560157d5a8759eddd86de049674ae81dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\512e5f13abc1a98f84dd6e9ec4a9b5a85e8ad1136be7b7b048814c22ccce2750.exe.exe

Filesize
152KB

MD5
f3ab2989a77729bfa6cbf11d2a57b77e

SHA1
c6e99fc37c912abfd2809444cbb0ea49187f00ac

SHA256
9d3b0fcde1054ac1669e601790a465f4589eff7cfe90484af155f33b439f8149

SHA512
20f859965e0112179d4dc4d5faa1518d6ef6d470a0cd94cf1f361921349d30ce1f261438fc198749d847590b810fba560157d5a8759eddd86de049674ae81dab

Download Submit
C:\Windows\Logo1_.exe

Filesize
31KB

MD5
0de7c1f6eef5c04adc7e5798c070340b

SHA1
bd3bb0fd8d69544d4fb159a6ff809745445b79c3

SHA256
5d2f3ff50e87673f5526096cdf528994900d37892a50ea94265ec3f0f1b04a7c

SHA512
7ad05217f2563e2cc46b4b91187a9fe8614724e94be17716843f8c351a4cbef8737445e1c64fc9fb2d4df23ae6abda6d5b84d978af5da533244078fc39b3752f

Download Submit
C:\Windows\Logo1_.exe

Filesize
31KB

MD5
0de7c1f6eef5c04adc7e5798c070340b

SHA1
bd3bb0fd8d69544d4fb159a6ff809745445b79c3

SHA256
5d2f3ff50e87673f5526096cdf528994900d37892a50ea94265ec3f0f1b04a7c

SHA512
7ad05217f2563e2cc46b4b91187a9fe8614724e94be17716843f8c351a4cbef8737445e1c64fc9fb2d4df23ae6abda6d5b84d978af5da533244078fc39b3752f

Download Submit
C:\Windows\rundl132.exe

Filesize
31KB

MD5
0de7c1f6eef5c04adc7e5798c070340b

SHA1
bd3bb0fd8d69544d4fb159a6ff809745445b79c3

SHA256
5d2f3ff50e87673f5526096cdf528994900d37892a50ea94265ec3f0f1b04a7c

SHA512
7ad05217f2563e2cc46b4b91187a9fe8614724e94be17716843f8c351a4cbef8737445e1c64fc9fb2d4df23ae6abda6d5b84d978af5da533244078fc39b3752f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\_desktop.ini

Filesize
10B

MD5
b00c1a89b15effd3d1fb2de4fdc7bee5

SHA1
0c3a4f06bcd397d1d3a63ab2ca05e64cc7ae554d

SHA256
0767fccea7e57d6427b0a9b440f28687f4b835409c5dcdeb337a479009222cd9

SHA512
b50a3c1df331ecd7dbbd88c202c7b7b8fe6ece8df96249d88f40138952fb3c523f6f133a2d12daa2fd892643b53e4c19b39bcb16ef810f789c996e00bad03bc0

Download Submit
memory/1388-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1388-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-98-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1804-18-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1972-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-9-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download