504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
Size

673KB
MD5

eef95824599c1dbe16300e150ad781ea
SHA1

1e1dfd666565885fba88c805aacaffe62075cbe7
SHA256

504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726
SHA512

a3d5d4557e8fc068a137ae7fd01feb304cc5d937c91b9b200908e70e522a5997876a1a0c347db26671cc2d53a928320da7b1ba60bbed756de420942d87c9da12
SSDEEP

6144:iTVfjmNintDDE565kzLGKlMy7j6soGtLEKyyK29PRgVIR:ip7+intHE565kzLGnAj9XLESn0VK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4388	Logo1_.exe
3284	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
File created	C:\Windows\Logo1_.exe	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
4388	Logo1_.exe
3236	msedge.exe
3236	msedge.exe
3988	msedge.exe
3988	msedge.exe
3432	identity_helper.exe
3432	identity_helper.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1312	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	84
PID 4076 wrote to memory of 1312	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	84
PID 4076 wrote to memory of 1312	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	84
PID 4076 wrote to memory of 4388	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	85
PID 4076 wrote to memory of 4388	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	85
PID 4076 wrote to memory of 4388	4076	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	85
PID 4388 wrote to memory of 2944	4388	Logo1_.exe	86
PID 4388 wrote to memory of 2944	4388	Logo1_.exe	86
PID 4388 wrote to memory of 2944	4388	Logo1_.exe	86
PID 2944 wrote to memory of 3936	2944	net.exe	89
PID 2944 wrote to memory of 3936	2944	net.exe	89
PID 2944 wrote to memory of 3936	2944	net.exe	89
PID 1312 wrote to memory of 3284	1312	cmd.exe	90
PID 1312 wrote to memory of 3284	1312	cmd.exe	90
PID 4388 wrote to memory of 3420	4388	Logo1_.exe	56
PID 4388 wrote to memory of 3420	4388	Logo1_.exe	56
PID 3284 wrote to memory of 3988	3284	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	95
PID 3284 wrote to memory of 3988	3284	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	95
PID 3988 wrote to memory of 4412	3988	msedge.exe	96
PID 3988 wrote to memory of 4412	3988	msedge.exe	96
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 2064	3988	msedge.exe	97
PID 3988 wrote to memory of 3236	3988	msedge.exe	98
PID 3988 wrote to memory of 3236	3988	msedge.exe	98
PID 3988 wrote to memory of 3668	3988	msedge.exe	99
PID 3988 wrote to memory of 3668	3988	msedge.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3316.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
      "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffebb346f8,0x7fffebb34708,0x7fffebb34718
        6⤵
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:2064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        6⤵
        
        PID:3668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        
        PID:628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        6⤵
        
        PID:3240
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        6⤵
        
        PID:1988
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        6⤵
        
        PID:2168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
        6⤵
        
        PID:2408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        6⤵
        
        PID:3464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        6⤵
        
        PID:3832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5628 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
88a7dac99617788a3f6e9e10f9ac447d

SHA1
c2adfcd7118facbf99366d28337665ce802baa1b

SHA256
284e0eb238a30fda222ad9ecd9f3dc0acd6aef33027562e0fa878e17d54a8d0b

SHA512
6fb722713b705434816e30bdd3e26a68553bf4ba184ca6d59e47e61dbfc2ae4b72833a573e5a263f33f183e0ad6f2ab3c7e0b6e84cacd49d08d5921f3ef1e156

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
722cf9e5bd73f652f0b9a4ec4ad5b98f

SHA1
2248f77bb2eae70eb326a1810cc29290c183f214

SHA256
603e85971f1fbad5d3ebddfe2b29226b657637ef52c51428143c9c9e6ea16f62

SHA512
244a333d1b800ef588ab504d8a2d6044781d5003ad3be20ae5209674bf2084d958eb6ee4c37995662d871a75edf3119b69ddc989583da42ab60d7415869b2e07

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
90e503421d1bc6c47de756dfbe7a1400

SHA1
4a47b32f491094044afa39b3d2a1930fc2d0cd34

SHA256
78075c2007b065b8feb6e64e30986eb6bb5e008a23ed227f00334217a3cd986c

SHA512
ef44b17d66267c5c9a4cfef0ee04e9f2b6b828a2872f266004f3a7b08b32a18f9e50d5293694944236568ea748b1e13cd42dd0f2d9d6aec98fe4144bd9a3c3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
c063919e7c7382bda77a8916da03d559

SHA1
f67f83ce3b2ceb7d8390f851697779f7fdf23d18

SHA256
e241c784ecae2e0a23b44103cfe34898bbd552626c98467015dbe8deb9f862d4

SHA512
3bacfb5c2d4e01ddf61d3aa08fce8d7ed5437037139bf015f03a80b761bb739b3fafab3e23996cbdfe4b1984a5ab3f80ab66a49001918dafaecca8376ed13a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98efa786db01eb4b81a8021424ccbb51

SHA1
880484b8370ff312ec888da71353c68ed672e9e5

SHA256
fcb30777313b67b6611ff97041543059575c50132843ec9b40172be640a89116

SHA512
5f44a1b21fc1e4c74bad4d21630a7b6de816ab866c822eacee12f68090df1977333bbf3bf422e43dd4c0041ee3759c06031d770c0c39b64f1e70b548fe579c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abcc5468055615c4ed1be7c7b9773777

SHA1
a73d9cd0f53e2f086f7ef75d1c514a94751a96bb

SHA256
d7d7207a840442b2007e51ed991b3454c885877da90120e138d1fe0fcf5c62cf

SHA512
b71c1954c2d1ac240964982b664294b108abdb8381d88459285ed7a4bb1bdbba2430eb4c437d7c636321e5b3c1da31ccde16507180213407857c1c559f746ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70283cf096edba0f36d6db593a17b886

SHA1
19fdaf0b3972ac23a668d450935fdde0a0ae962f

SHA256
d714202a9143148705d842c5cd7e700cc7a928709b04c4040ac88ef6a57039d3

SHA512
83e4765e57a4e27eda1ff104ea83fbdaeed99d6afd566768a9d89bf6ec856f53356e7c38088d380ea525d2438b0a2fa486eab623af25b19a369a13622deb441e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3316.bat

Filesize
722B

MD5
cadfc3d569dc53fe73be5e4767fc85fd

SHA1
5908157bbd60a0e6297d7242b20cc07b6590be8b

SHA256
f32d02cf2bb1badc9f99b4c8a66f7c14b59096ed22f42c2e1be8775829c653ef

SHA512
303b0d810ee1e40c22ba59fe17fe302deea5475e0d31251828cab9f66a25326a0d7f7cc2f41d5e717dbcd8a7f947ad5309b4d2e5d8bddaafe2aafbb86be36f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe.exe

Filesize
647KB

MD5
4b7610b2ba975260a7b5dc7c75dbcf1c

SHA1
499bdffa3bf2e1bb491f779038fe00c7b490b006

SHA256
fa6547b900576cd637233033849f2467aa37c0b93b5e0daef977a90e6c242d58

SHA512
4f95407d83c781bd2a07286ce8c94531ffe7609bec62532d08760f0c2be63333f8d44bc5132cb386c0f018bff64667f4ee521e98cfee274738c0b533bcb9c507

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
033f832ce1346b7839ab0114b7d46349

SHA1
339553f046186e54c91ea18765bfef551701f37b

SHA256
771a6d5ca90b397c56e449ed8c2966364db1f6774dca74b74fe0f6eed8db4226

SHA512
e6a2ac92e6cac4774e5d3f8438388dacbc8359f60c40a6c76574d87de6da4ae65e06008c1d060f1c50a2804d432981105e71cb89a8ba65c2b1095da9eb951858

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini

Filesize
9B

MD5
27729a3995958245e2d6799df42e26e7

SHA1
dfe386f53277c8387b50122f3fda9bc2467815ba

SHA256
9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

SHA512
ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

Download Submit
memory/4076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-1350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-1394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-4913-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-5354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download