hxxps://drive[.]google[.]com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing

Resubmissions

21-10-2024 02:26

241021-cw4gcstfje 7

21-10-2024 02:20

241021-csf7nawakr 6

21-10-2024 02:14

241021-cpawgatdja 7

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4140	KontaktPortable_v801.exe
5808	KontaktPortable_v801.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
12	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 248835.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
980	msedge.exe
980	msedge.exe
1952	msedge.exe
1952	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
4188	msedge.exe
4188	msedge.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4140	KontaktPortable_v801.exe
4140	KontaktPortable_v801.exe
5808	KontaktPortable_v801.exe
5808	KontaktPortable_v801.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4808	1952	msedge.exe	84
PID 1952 wrote to memory of 4808	1952	msedge.exe	84
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 4892	1952	msedge.exe	85
PID 1952 wrote to memory of 980	1952	msedge.exe	86
PID 1952 wrote to memory of 980	1952	msedge.exe	86
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87
PID 1952 wrote to memory of 3296	1952	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98b4246f8,0x7ff98b424708,0x7ff98b424718
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4016 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15650203511310472062,1569955557755514460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Users\Admin\Downloads\KontaktPortable_v801.exe
  "C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4140
- C:\Users\Admin\Downloads\KontaktPortable_v801.exe
  "C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
672B

MD5
15f26be6837fd4f7aad13a56467abc4f

SHA1
9b3d4c0a2a8951bba94097dbbc1aacd5da51a78a

SHA256
45f0c4e132432bb18ec9b3467bbedcd84da308aa19d0426b1fcaafae1dee5298

SHA512
23fda084de58c56d7f6494912ba57e9cdbdbd3b217b5151706bbfc5190feb18b5883274743a64ff6bcd4d4bd6e078d9cbf737f69557d970ddb8def08bf242092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
246a21530d5625d17f994db00917c414

SHA1
cfa93442e0b3dd6271e833159a3c4a82a6b7f1ca

SHA256
54c0119ea32a5b332d795f49cc1e0f7ff9f1de483573e4489a8beb5d993f2049

SHA512
68cad163d3497c976c876a8374eff054167f6266be4ea448f3c33998cf9738554fca888e3362ef2d3bba4d70fadae78c75d5be8c04826ec1be66ccc572025186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
39dcf5b1f0dc006398444e2c482923c6

SHA1
7672ab940de44dc915add9630c45f579167cd588

SHA256
49623f8ea496def8700d33bceb2fa2f5172c6460f3dc3473b15aced2108c6de3

SHA512
78c2f9470d4e27c33c3a27b34981ff613c3058cccefde1f435be0d6b9a3c4922f8fe89c19c95b0ac664fe32b3753116fcbef9711da3f41d6e3e277e40bc93ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a29bc1712702f8e73ea258f04e126070

SHA1
45c60ee9f270451d16dc08d927d08a3837e27998

SHA256
2f77f50a9ea2c6dc91d16c352a7cf47a16eeb0f6866f2cca6b6461d12cd4109b

SHA512
6ddfe90321fc2f703b7e508b7cea00af065eaaff5826996e99cbac83d42be44501d2eb7244a4cd6c9ff6ea3b657339c4da2874e7c9ecb7e3b791a34f2d397b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
938f2b0dcd3f9716fee0c70efaea24a8

SHA1
7d015c65de813aa5f9fbce6d9a4f008324c233b1

SHA256
c0f7f95a61a4db70eb7644160c219ac99066fe9767c77a709dc20f26fcc0ea80

SHA512
1072d4f38ad8974b1d6ec30496f75a6bb27b8db67e3b5e3390275604138aabe26e3fe1ddfa2ae11d5ae2a928a19d4f28e79dd5904392b3614ef52893fa01678b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d6937f88024b8410337be7ec33fb888

SHA1
4fce52f1612f612e761664a3b6772aca28a586bf

SHA256
df3986a28fd835770c59d94770096fef4640a0fe447f408ef919b2d465a037dd

SHA512
b9bf8bfd59c83111936101ea3ff1705cf458ab5b3daa4e7f1e050b7d9151e747a26b06268ac12cbb2547558c2becf0e6d0ebd49ee1cd02428c3d7e22a805911f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13794c9e68bdd9885ea26ec4c0ba7c55

SHA1
81bfb467f371a596381cdd7d9dce6d3a22156add

SHA256
de4f385dcd4be570636fd15e15a4adfa042e6056cd2c62e9251d5be2228a20b9

SHA512
b8ba74e4440137ba126e7f7a341e18136a053560aa727778fe0afbb94c8120e1133fdb39ae3067269a97f978a553fbec9487509f337d3a8f43ba9ab4d0eafbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8a091c4b3a084df793d7bd7b48beb43

SHA1
03395782bc8de05d6aaa23c89a531293b7a7e7ed

SHA256
5040fffbad123147fa225786a60869df5b47c81776401c572399d2982529c760

SHA512
2635a7061e5d3ad69be8c73aaf690d761684a8e224f4c19e5eae18902c32728805ac9e992702be3e25f49a8f26d1beba1efbd759281f583078ede79e5228ee18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5979d9.TMP

Filesize
874B

MD5
ac3eb2fa6f436f470bb3113b24f4105a

SHA1
efd3e58e80800b674cc2b8c2184fbf18872cc7a9

SHA256
c10536c29a229f4ec867a920f28f4040698f332ad7641ec0eba26458c1ea8783

SHA512
d74445085ffee55c0752108de781d3fbea41af2c5e5b343fa614a46b71b3cd9b6459a80b45a80c4f65b47d18023cd880cd771c5e122b0555d219e9ef3e274f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ed9b725c1be87df62bff0e4b0fd69260

SHA1
156c791d73aca8a9966a90117b459a47da5447ad

SHA256
e4fea55e9b16c74b9a30f7410103c5eecd175cca003d8d6a47e495856ac2fd1d

SHA512
4f355aaece21e26ff6610c0b50368dc907c4735734e33b55596237d39dea564924d4d74d0b637722051e783dc85ddfa082caec9b69082cbdba26e161cf1b82b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c5a72785dc25b868cfbcd06938b7a2f

SHA1
aa6965f9f9259ac419031009514ccdb678038a46

SHA256
af910b72cfc2bacd30cb1ac9c0f1db86e0cbdbce2201f045e76e845708ccea81

SHA512
4a99e2b58cc05e9f22d0236eafb332dccd44d419b69b0b9137df3a5c78eb74363cce6b2c38bf2ae28c381d9e71f38d2f22b69ec3f1812f22ce2ae01c8b97aa97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d093e43164000b79443fbc260c5bad88

SHA1
f611a9234d74749b5532b4d5bc2aa5859f988767

SHA256
e3211736333609622ffab1120355e234017d1bdadb5ba64fe83f8de0a8b3f76f

SHA512
97760af73ae884272427057e4ec643f2fdf620bcff20e8e77c9809f22a5b8e151b4c90d908fac305089a74ed3a4782e38261814b2f547460c75681e361fba025

Download Submit