265a317c4e628b521aee99acb63880c4a551b09ea9489f04ea4a43066d0c5101

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66587f744315f3cb4726151123ef1a21.exe
Size

107KB
MD5

66587f744315f3cb4726151123ef1a21
SHA1

3bdbd84b30a22df634c9bdbc2aa7cbf3edae07ee
SHA256

265a317c4e628b521aee99acb63880c4a551b09ea9489f04ea4a43066d0c5101
SHA512

02743e87bab7563e3a8ad52131ac7782de2f9c4505e53132647ffc355bbd9d3c38870075c27584256cd228d1fc9814a0ae6a0a4796699e8f264c758347c26993
SSDEEP

3072:p4eYZ4+1JXJJ7Jl4Nf1siyUpUWJZQSAsDYNE0D+:S5O8b4NfSiX284yn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4948	Installer.exe

Loads dropped DLL 57 IoCs

pid	Process
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe
4176	66587f744315f3cb4726151123ef1a21.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\taobao.ico	66587f744315f3cb4726151123ef1a21.exe
File created	\??\c:\windows\xyx.ico	66587f744315f3cb4726151123ef1a21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\DefaultIcon\ = "c:\\windows\\taobao.ico"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\TypeLib	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\DefaultIcon	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\Shell	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\Shell\Internet Explorer	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\TypeLib\ = "{64E17DA5-8F8C-471C-AB02-652ADA143F2A}"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer	66587f744315f3cb4726151123ef1a21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ShellFolder\Attributes = "0"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\ShellFolder	66587f744315f3cb4726151123ef1a21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\ShellFolder\Attributes = "0"	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\InfoTip = "Internet Explorer"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\DefaultIcon	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\InfoTip = "¾\u00adµäÐ¡ÓÎÏ·"	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\TypeLib\ = "{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\Shell\Internet Explorer\Command	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ShellFolder	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer\Command	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ShellFolder	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\DefaultIcon	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\DefaultIcon\ = "c:\\windows\\xyx.ico"	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\InfoTip = "ÌÔ±¦-ÌØ¼Û"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\TypeLib	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\TypeLib\ = "{DBEEC126-4924-49C0-9872-B2B57FCBC94B}"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\TypeLib	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ = "ÌÔ±¦-ÌØ¼Û"	66587f744315f3cb4726151123ef1a21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ShellFolder\Attributes = "0"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.131.net"	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E17DA5-8F8C-471C-AB02-652ADA143F2A}\ = "Internet Explorer"	66587f744315f3cb4726151123ef1a21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer\Command	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.toulema.net/taobao/taobao.html"	66587f744315f3cb4726151123ef1a21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ = "¾\u00adµäÐ¡ÓÎÏ·"	66587f744315f3cb4726151123ef1a21.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
952	msedge.exe
952	msedge.exe
1704	identity_helper.exe
1704	identity_helper.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
4948	Installer.exe
4948	Installer.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
4948	Installer.exe
4948	Installer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4948	Installer.exe
4948	Installer.exe
4948	Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 4948	4176	66587f744315f3cb4726151123ef1a21.exe	88
PID 4176 wrote to memory of 4948	4176	66587f744315f3cb4726151123ef1a21.exe	88
PID 4176 wrote to memory of 4948	4176	66587f744315f3cb4726151123ef1a21.exe	88
PID 4176 wrote to memory of 952	4176	66587f744315f3cb4726151123ef1a21.exe	90
PID 4176 wrote to memory of 952	4176	66587f744315f3cb4726151123ef1a21.exe	90
PID 952 wrote to memory of 2576	952	msedge.exe	91
PID 952 wrote to memory of 2576	952	msedge.exe	91
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 4808	952	msedge.exe	93
PID 952 wrote to memory of 3424	952	msedge.exe	92
PID 952 wrote to memory of 3424	952	msedge.exe	92
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94
PID 952 wrote to memory of 852	952	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\66587f744315f3cb4726151123ef1a21.exe
"C:\Users\Admin\AppData\Local\Temp\66587f744315f3cb4726151123ef1a21.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pp2345.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9510446f8,0x7ff951044708,0x7ff951044718
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
    3⤵
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:1684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,10509698012725193264,8624250887606900622,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
21KB

MD5
f7a51c19125e62196887df7905d9dae6

SHA1
a72e52017d27132cd1defda4ceabe1bf064811d4

SHA256
ad143763be9d6b24b7fe5b7643e47a01ecf683c938d7f3e9b4103eedf9b4b753

SHA512
4cd1d0f74638be653e2f40ef024e673660d8b3d6cffcdc6d46838aae6339c9101969552808db1f31711b66384a5f6588a2a4a178d2e24dbc63df7eb82f929c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
fd0c0bc5e10002420609c08bb1ec777b

SHA1
c64f2dfb4436929ed83a036faad0739935aee3d9

SHA256
7c88aff5d8af026c4d9d76875b89206b9cde06a26a11d45f9f1d9759aacbc6b2

SHA512
7aec3bb23bd1091e49ab9c4d514df6b84c6ccc74014a77e873c8c588ac3a95fbba987dd5931ece2d6747499220d6de5914559d6107a8d1be679c46e2753eddcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1aaf20c0a2d0e273780e852ea2832b7c

SHA1
224038c0ad1a368555bf00561532e1ac207ab664

SHA256
d0b80b853ff82f55ffa89d1089a1eade56fe8ca8d81c08041c6734fa942d55dd

SHA512
0cf2b649a204fcb717e2015fcc19f936427b607aa834b9f19fa03e3d2027fb1e893290578df063de1529ba05323b5d5718bc5a00cbe1b80fc639114f138a3f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
4e1b1e8fec349a576bcba68cc9e3b27a

SHA1
8171cdb41b8059436da6c09696b1df988ceafe8a

SHA256
d6627d77038ae153b11aa3f1f37f72e99a14752503e7d02a3489afb3b38c2b62

SHA512
745597ce716954047f12a6a7f5a14cd5500e10b53dbfc30338dfd230d8c8ba970b2028c33f217a248a5ab9d461b53b5f02f25bd06985b6110ecaab4ac0a994af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3fb11630742ec55f9c4bf378dbe4d5b

SHA1
142cc24bc95485f7df345500cb9f22afc5c2f147

SHA256
642818f8f83807c8411f289e650de43600ecff8ab5d997cd259730b3cba81067

SHA512
be949045e26d76b32dbfbc3875cae8e3b7e7065e97908c50364b6eed49e555eb4bd31e5d8e7eb675b4be9c93c544875499b10281c8f59d00033335c0ae299c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f100744f68273b9128773d29094fb859

SHA1
52676650bcb083430fb90f38339e1b427f879e2c

SHA256
a59997a6281dc705f63c55f1d925b8f4206f69bb173d6e511964628f9fb6a974

SHA512
3bf7812af91862182a7df65fdc2afb0efbb59198438ad97b4861b48fa5ab7c8615fc00d6a00e85250456840eaa8adc0904a01ebbcf708ca8c4825370352d1d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1b13977d120125b9680a27158539949

SHA1
39ee497f9739cdd4853889ed80334e408e4be57e

SHA256
d0af954d6562e5f707162d158a8eed491c1d19d9aac70051b294c1508714a4ad

SHA512
64d7ec3df20b5028e485e174f1181d300d973cdb5d4a013dda04bc222ce51fb5e33df3b2b962fecce56e509506b2321fa0ffc66b8baedeecce92b636a8c9303c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
3960c4fdb3e7df24d34f1986ba809ac4

SHA1
8a2563a72c7433b8d0c6d51d7a26fef9bb8aba30

SHA256
b38b4053e39fe88845f4d0c3b029195c59e289256f21966a224fd5565bc24eee

SHA512
7d6e1ac85df9f722f8a522c575c7b04df4b0f2a46b771b8d3c2ab895478fc9f89aa97a57660146f0064447c1363a5a0a42133e67b2305614ffd7568a9bf6d3a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c9b8.TMP

Filesize
372B

MD5
a86a22afeb91962b0d4a3d4d644596b7

SHA1
c104675e3d831f882413788795e79be3ba1eb9ff

SHA256
cf621bb1c7aec115ad53f4280a7fa35858c90cae2f9c8a927bfcf64071f04294

SHA512
4e95eade2a7ceb19f12c193f82d21ca2f20e0274cf330e4acd581f0bcd6be5f60cc08a925384bd87e21a4512deb7cb1047aa58123b919cff1c9d4e41ddb4a6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
649eb6574477f35bc79184269a1998dc

SHA1
4869ea8d1a1c6b84c649bf1db91dab0778372e47

SHA256
2d5030f0a304f39c49a3345e3a99250ae0661067b99b232143922ba9b25cca55

SHA512
985dbeaed305cfa675aeba2e6eb5b1af0da0b258dc4af732d9cad556503dcae3c27ad5c44bec95d7f064b16fecfeaa43757553cb90d4d14f960e1b6932783673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
69KB

MD5
9b5f63a5a82feee60abaea148379f9bf

SHA1
b0b188b4240845d5ea2af151e359a14a41644cf8

SHA256
c8771d74481412d09d2f3dd6373e7345822f079b21821cbc694d334a7a76229a

SHA512
3d0fcba84561e3f82c4143827d133df8b4e9e5e26460521df4848df20c01de61b1b68bf733381ec6f98f6e1a214bc0352890fc07b9210c2cdd78730bb8fe8a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F6B.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F6B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F6B.tmp\inetc.dll

Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F6B.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit