hxxps://drive[.]google[.]com/file/d/1hGajepUQaCAHoaRWIAjZIKMvLSQ9WCSK/view

Analysis

max time kernel
92s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1hGajepUQaCAHoaRWIAjZIKMvLSQ9WCSK/view

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3608	Smart Q Setup 1.2.1.exe
660	Smart Q.exe

Loads dropped DLL 9 IoCs

pid	Process
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
660	Smart Q.exe
660	Smart Q.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
1	drive.google.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Smart Q Setup 1.2.1.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Smart Q Setup 1.2.1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 561779.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Smart Q Setup 1.2.1.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\smartq-updater\installer.exe\:SmartScreen:$DATA	Smart Q Setup 1.2.1.exe
File created	C:\Users\Admin\AppData\Local\smartq-updater\installer.exe\:Zone.Identifier:$DATA	Smart Q Setup 1.2.1.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1036	msedge.exe
1036	msedge.exe
1492	msedge.exe
1492	msedge.exe
460	msedge.exe
460	msedge.exe
1664	identity_helper.exe
1664	identity_helper.exe
2512	msedge.exe
2512	msedge.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe
3608	Smart Q Setup 1.2.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3608	Smart Q Setup 1.2.1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1668	1492	msedge.exe	78
PID 1492 wrote to memory of 1668	1492	msedge.exe	78
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 868	1492	msedge.exe	79
PID 1492 wrote to memory of 1036	1492	msedge.exe	80
PID 1492 wrote to memory of 1036	1492	msedge.exe	80
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81
PID 1492 wrote to memory of 2344	1492	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1hGajepUQaCAHoaRWIAjZIKMvLSQ9WCSK/view
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb8fa23cb8,0x7ffb8fa23cc8,0x7ffb8fa23cd8
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,9619795270149501810,5904961028188422799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Users\Admin\Downloads\Smart Q Setup 1.2.1.exe
  "C:\Users\Admin\Downloads\Smart Q Setup 1.2.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

C:\Users\Admin\AppData\Local\Programs\SmartQ\Smart Q.exe
"C:\Users\Admin\AppData\Local\Programs\SmartQ\Smart Q.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660
- C:\Users\Admin\AppData\Local\Programs\SmartQ\Smart Q.exe
  "C:\Users\Admin\AppData\Local\Programs\SmartQ\Smart Q.exe" --type=renderer --no-sandbox --primordial-pipe-token=CF19256C09E148265281130ED9FC969E --lang=en-US --node-integration=true --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-channel-token=5F6286072CF7A5A73F67E8AE19212C31 --mojo-application-channel-token=CF19256C09E148265281130ED9FC969E --channel="660.0.152053632\1465144318" --mojo-platform-channel-handle=1908 /prefetch:1
  2⤵
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
083f68e6ee0579bf9f99dc0bbba53b7b

SHA1
267c786d0ca696e314046c7d1d966a6423ac79a2

SHA256
3c775a8448ecb92ebff3aaa5487c58c3f94f19ff4dcaf179b1df589ec8a97698

SHA512
5fac35f60ec27b3ae0fc7d7edd270143d0b7515c4555edab88cd2f3d7ca300144c4d7dbd9a772063f6d9d01702b40be1e681b613573af5147d0ca81c67b0466b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0c0eb321269cf91bfd1415454b453453

SHA1
d74a62b7f9352a944f7774f5d37f9ea950d9be4b

SHA256
97340743666043d7838f0b7a54d50a5ca6201b843ba9dce0e92538b29ab95285

SHA512
083b8d3c745130bc62d382e3eac6be4d1532c2fdedd4293c3017bea453fdc4bb63bfd8f2902795bea4cdfbcfd747da6d95b2924762b1e87514a435778d5778f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
623f78671063b4c121869b0986b99fef

SHA1
c7dd173e595962107de674a2622db468d8a3ae6c

SHA256
05fa1cae350d461e97adf24891ccc07b0692093e41dd3ae5bc2f46b43a658112

SHA512
1b29a421b88d14f491f9056f37941c74e8e2cc85e6ec3bbf433427fbaf6ebd95b1f0bd0de105785fb6ce5c09d756c4fedefe78ebfae190a1690b8f286c835187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39893f273e6413732d01d99519aee182

SHA1
39254fd6e6b935fab2ee27bf50acc7855259c115

SHA256
52ccca472d7b309d0e7cf2dd515c6cfea1b63009f13efdb14bf627ea5dab1f42

SHA512
6c3081491921c87770c26f1fcbf6c438a67cf627af6146f28a7458c37c8f27a428a59c3e502d54c7c4135bac715a27a2cd750c44ccf517c4198114c9dfeefccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
023b4a68ef67d572b2f8837e19a46c65

SHA1
92ada0768932c7d8fb9b65fc2c6182beb28be8a0

SHA256
9ab55d525ac359ed4eb4803203765aaa9df799103273cc52fb4f80b457723c65

SHA512
cb83c8a2f6bf6e6c0a5646e0d5b2752ad0a46ded8b59eadd647cb02fa3ddabcaa28b28e2f2b7ec7b554c931f162bb59639d2d74a95dd1874aee501cf46b89525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e953759a99e0bac9f37a4a3acfd31a87

SHA1
bfa301bf08d3202e1243479793d80f69098e36fe

SHA256
fcbed7a4b2d98c1e55c7e622371db67e5743c69dd7e941bde38de888f2da01fa

SHA512
f712d4bd6495a87f8ff679667be5e5b1026af2cdbb690cea803e17209fda6cfaef59bc425805ee87dae0c325916437f92e8ee16570959fc538bb12cb42e4b1b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d3ae476b-2625-4201-a1f5-b669d7091505.tmp

Filesize
10KB

MD5
5919662fe77559ae9f17961099b792e1

SHA1
b3a22278ba600a7beb47b7f3338a9c9443d701b6

SHA256
63b9fb6f84d0b8ef6bbbee62bf5ef768bd37d7bdfd882d016cf6012af2cf2835

SHA512
832e2a49db4650e2a122b9fedb85f8659d0b8cf63ed168d9f8a35c56a03de498c2cf95aef2c769f3849b731ef0cbb5d017f484da8ddbe1c0aa7626f08b6e9249

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\blink_image_resources_200_percent.pak

Filesize
54KB

MD5
2a8646401e34a9ad258b09cff76d498c

SHA1
7a59d4dd5e9f5ad3e6efce654621a71ad3456ee4

SHA256
38f5acd24b037f39d17a8f3c6c935cd709a2cd84e9e8dd175c04bd1d2dd24407

SHA512
8a3f1abd2d113a928cd003e15332da8b7886834426f20aceb619ce1e397adad7de863079d91c71d2429ddd89bbf88aa56df121b8f2f81102b42aba6b83b96277

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\content_resources_200_percent.pak

Filesize
15B

MD5
7c321056f805aabd5a503821fa1994cd

SHA1
9c690875c9189c66c93ebd4c0971739653bccd19

SHA256
261e6aad3ad0a5f608b5694919ee39026c4c3eb4256540068f7c1aa46be9315a

SHA512
8a5f4b3726e4513251475ac470f86f0daa0d5ae42bb750019ce96ed871cb04a7391cea2cef79e67c585e3a982041575e60d0f79b3a5bb9ad09be53362787f090

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\content_shell.pak

Filesize
9.4MB

MD5
bfdb450e909347096bea8f6427c3d960

SHA1
9b72d27d7db3721841630fefa879d7ada7794422

SHA256
ad62b146780f67c3bc35dd53eff33ef1cbd9f9351b8ecdfe2fd74555479e0f30

SHA512
8f666a9d5087213a1405cb040dcc2653fea4c4cc0a694d37093ab977eada1d52734949883d5699013f1d943f1b19511a3dead15842164f77dfe5d7f0b64bdf2b

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\ffmpeg.dll

Filesize
2.2MB

MD5
8c0576bb699509ee6e7688b93989b2a5

SHA1
785e84a4d013ad43e5e6988a70d14a31afe7733a

SHA256
549dc9535b6f8c071a976d4efb20039585627aa819c2b68b0d5a7deb73bdaa47

SHA512
9fc734fccac6f5cd4a4bd611b757a32d8d72400eefe236bdcb73b8338fe7953380ec14a1736a371de939a9d099b14822147ef6364e2b2e2f0235c3c84b6608e1

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\icudtl.dat

Filesize
9.7MB

MD5
3ed56e55ff45ab973ffc483e5d483a5a

SHA1
5d9d39c80054ed315fa4cac23cd956e3121ce5d0

SHA256
22b4b162fa9c1a35d086df4b2532485c0ddfee4649de8519cfc52a09f749b8ea

SHA512
b8998b76b2691941ea724f404c9b95bfb1593e6fb17d0d7fd57d04069b180a01eec82934357c2dfd48958b6d3d4e3489b111f7c0078134d300710d76f9ee3daf

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\locales\en-US.pak

Filesize
3KB

MD5
b591250d8394daa523ec24b83bd43ca3

SHA1
b399eda262b00e10ffc71f0dc08902219ff13106

SHA256
6f74af607a77ef220421888adc1edec46a60acc759480efa7adc3496d6b08bcf

SHA512
795d5254a8285ed4faa79dc5b126f6bad817397ec3123f0f2825580f8a21d43f4ded1d49f1cb87d89344df633f6953502dd6f14c7ea149bf688206189ac4461b

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\natives_blob.bin

Filesize
358KB

MD5
16a819fdcc843cddfaa0f1d4c7d143bd

SHA1
48d700ab8c8f22aef074d0a3c9f2b40a84a412d5

SHA256
35d85320e2908240da1dc8a577da3aad702936999336a3dcc0576b00c13e9756

SHA512
571f47911441ac31cea080a5d24a38351331dc5d8c9a09ef0ed7f61d439c4f81b27d4e25d73dbc64e192658d3e5415c42026e64cfd0885fb15cdea17cafdd9de

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\node.dll

Filesize
14.0MB

MD5
fed6acaee86ed7aeb736570ee5cde733

SHA1
875e9aef43412ec62df9b0914d1c0a850f4d7377

SHA256
359fb6ed3457460576f3bae37451c42bbea411b17135c944222ea232fec8d4e3

SHA512
ea54b315f8a0650f3eb594d5aa3fbb788d1b44e4b011d8df38c33dae7ef763d72f9e477d79cb719eb97e8d0e20ee46a278d65ee1d4d5e54d6c780149c4c124ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\node.dll

Filesize
15.6MB

MD5
55bb18ad8e65d5678a39c95b206977f7

SHA1
78676362d2679c0351bc373b4f7fffc57bc68a99

SHA256
cec3a353f0c94ddb9844087a94bc39c16af3b10bf508b861cefa1955e5ac4d2e

SHA512
ac14ec8c9d91206ff68d5ad73a37e846d5015877e4eeffe94f8ae15d44d49c2a0f84f7274bb2bef31277753d1c2dc812f29225e5ba0c1d74e5bb7ed53b480aab

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\node.dll

Filesize
14.6MB

MD5
7a6618eb2e8f8e6e09460e78597632ca

SHA1
b135e10f94950ce7d89a04a27f999d71bbfabe29

SHA256
7669176e763e0979a440e68b6a104b1c6dd396b25baa8458824bee209def3b22

SHA512
e255e4d0cd939fefd8feccb0997c61778134b195e803d4d3f17f89c6e06398bb98613e5aa5559defd96aa06f92d6a55023bddf34b3f66f7ac62ac0c7f940b335

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\app.asar

Filesize
14.9MB

MD5
664706f0a1c61e3bda1c598659984c24

SHA1
41b79296dfc05ec5ddaa725fd7caf881742fca57

SHA256
733d972319d469d4150e5e82cfe13f14f20aaa32f6fe9ba8dffb856122768dc8

SHA512
5e6245b744c369c68150b680cc1a3c3ba632ccb7ce24aac2e1d4eba4a2b51557f9d84d479bf20bc41c08db63d231ac5bf6796fe80731c5f0cd7b55f735cd75d0

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\electron.asar

Filesize
218KB

MD5
360e7ea118f6328e5b848aa38d4be36d

SHA1
883f3c0d8957a773b53a10999b5b92cc48f9501c

SHA256
62a1a3ff912a627537915a89ce6b8e9b184b69fea86912e8e751952a481abc54

SHA512
d8b35cdd1bbf3ff27206118c4ce9f17464f569d2f5f1ebd6662ecccc137d9e9fd5c4a9b8339a584248ad3fd46ed69df88575c49d20a587ae017f855ddc4654d4

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\wcjs-prebuilt\WebChimera.js.node

Filesize
467KB

MD5
2f688722ba2a2e74eedda4540a4fed71

SHA1
1ba757adf336cacae7f93f98d913413bb04956c8

SHA256
85be7b2aae1a67ab5e611dfa364f98bb3565bf6e4a160182ea7a73a93a13bc14

SHA512
154815de038f629114b847093d4e32a91ab5200728d231b63f1dc4731006a81d340a997f14f080e252755dec3b69063ab97664fa41fc69f2887425d210663420

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\wcjs-prebuilt\index.js

Filesize
50B

MD5
8ec2168ee5748f58ed5c9f5bf12e622a

SHA1
ccb68eb409e610332cfd2608c54d6269685ae942

SHA256
4ecbe8ece258439902e1e51bf25431fb13d2d88e360dd14045d7e6f1bb4ab05b

SHA512
57fc020395c88c45e81a4ccdc513692cf9acd72a9ded6803dd35807832ebfc9e72b33a9fc59bc532c450b0ba343005ee6ec1c08c64ded46778e615b28f58e0e2

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\wcjs-prebuilt\libvlc.dll

Filesize
148KB

MD5
6611170457d3906ccd615f58c4c347c2

SHA1
81c2b81836cad87d1e2c6668ab6f624f86e8281b

SHA256
a9704ab856da74ea75fa024ff0ac1eb91b7c632649cf195437603af43c03a807

SHA512
0115a3392e7b95035279f9f3f24f63fb754708cdc9d13ce4055877745d18c7d6f92eb86593088d515ca5d1191764f5cf5631ecf0e993bc04cf049e392f35b602

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\resources\wcjs-prebuilt\libvlccore.dll

Filesize
2.6MB

MD5
f2cc731f9c326c49aaf51857c1f81d84

SHA1
aaa37dead4316a26955575be17dc1ce3a3e96334

SHA256
6fb53a2d94371c68b071765b37bcce0023015c524e296eb1b36725af1151b802

SHA512
cd44cd8c034f805aec3e06c1bd00cdd74edcfc01fca9665d5fbfd186c945a81c207c1ad6eab9afc5ad7378bfeff777d56f7f60a7041600be502f0d56d190f41c

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\snapshot_blob.bin

Filesize
798KB

MD5
afbd0030e302852245bbeec7ce2f9851

SHA1
1c3b85d097c0ec87ed9919303b630bad7cdbb8a4

SHA256
c67771768256d97c7e7c22d51d77633aa62aafc2a5328b6aa1d77ea1672c6898

SHA512
9530ab250ddac9ec982ce973f58c8b48efc56ddf8ce37279f07db14951df19d9615db9f794756d4840c38a26ee9d3bf0da175ce51a88e2f706e5931d69d3d6f0

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\ui_resources_200_percent.pak

Filesize
82KB

MD5
7a662d039d00e1f17778700fe84d6033

SHA1
fb2c2ab437400e7dc6517d5cc4dc4b78035bbf38

SHA256
d6130c8ffad8e50588aa8d67ad6b17e6bd5c302b96b127918447f3467823979e

SHA512
1bce59ec7f7d129b9d1da87e42af95c91f1a8cfb66e467957451ca80b5966aaea39e558d81b62063a69d1c448e2468b5ac5d483c7187ce1a3389c2e1e695861f

Download Submit
C:\Users\Admin\AppData\Local\Programs\SmartQ\views_resources_200_percent.pak

Filesize
58KB

MD5
33bfef730b188ba8e055bffbce21e3bd

SHA1
d45712e6306a98daba38af821670565761fb414e

SHA256
1fdfb1282c34ad7e4752a8fbbf096a3b5c8e25dbc8e15c27ff9dfd3588b989a3

SHA512
d3da472546bc25184401d0584bc8f2247b1f0ab60473e61cd34b96c7b0648355314490ba622749635f4be50fa152953e42b38fef959fd2ba5b0210e6021594c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\StdUtils.dll

Filesize
101KB

MD5
33b4e69e7835e18b9437623367dd1787

SHA1
53afa03edaf931abdc2d828e5a2c89ad573d926c

SHA256
72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

SHA512
ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF420.tmp\nsis7z.dll

Filesize
391KB

MD5
c6a070b3e68b292bb0efc9b26e85e9cc

SHA1
5a922b96eda6595a68fd0a9051236162ff2e2ada

SHA256
66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

SHA512
8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

Download Submit
C:\Users\Admin\Downloads\Smart Q Setup 1.2.1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit