hxxps://drive[.]google[.]com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing

Resubmissions

21-10-2024 02:26

241021-cw4gcstfje 7

21-10-2024 02:20

241021-csf7nawakr 6

21-10-2024 02:14

241021-cpawgatdja 7

Analysis

max time kernel
299s
max time network
258s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4412	KontaktPortable_v801.exe
5508	KontaktPortable_v801.exe
2124	KontaktPortable_v801.exe
5772	KontaktPortable_v801.exe
788	KontaktPortable_v801.exe
2960	KontaktPortable_v801.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KontaktPortable_v801.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 236139.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4232	msedge.exe
4232	msedge.exe
548	identity_helper.exe
548	identity_helper.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4412	KontaktPortable_v801.exe
4412	KontaktPortable_v801.exe
5508	KontaktPortable_v801.exe
5508	KontaktPortable_v801.exe
2124	KontaktPortable_v801.exe
2124	KontaktPortable_v801.exe
5772	KontaktPortable_v801.exe
5772	KontaktPortable_v801.exe
788	KontaktPortable_v801.exe
788	KontaktPortable_v801.exe
2960	KontaktPortable_v801.exe
2960	KontaktPortable_v801.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2224	4232	msedge.exe	83
PID 4232 wrote to memory of 2224	4232	msedge.exe	83
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 3064	4232	msedge.exe	84
PID 4232 wrote to memory of 4464	4232	msedge.exe	85
PID 4232 wrote to memory of 4464	4232	msedge.exe	85
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86
PID 4232 wrote to memory of 3684	4232	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1d4LQnDC4qpmhpEaMyI9nmjFIG6rsNRKX/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc825846f8,0x7ffc82584708,0x7ffc82584718
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,207410926547280162,16540059378195656700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Users\Admin\Downloads\KontaktPortable_v801.exe
  "C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Users\Admin\Downloads\KontaktPortable_v801.exe
  "C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e8f5da6b664f42fda3a1073cb318445f /t 2064 /p 4412
1⤵
PID:5604

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\9719ab435ce9466a8243d2eb40ea4715 /t 5600 /p 5508
1⤵
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:852

C:\Users\Admin\Downloads\KontaktPortable_v801.exe
"C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\bc5239134c514f67a9fae7036f745201 /t 5592 /p 2124
1⤵
PID:5952

C:\Users\Admin\Downloads\KontaktPortable_v801.exe
"C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5772

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\094637aae4ae451e83071e9b76db67a3 /t 2184 /p 5772
1⤵
PID:2944

C:\Users\Admin\Downloads\KontaktPortable_v801.exe
"C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:788

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2345ad2949b740578f6ddbb838499c5f /t 4828 /p 788
1⤵
PID:1640

C:\Users\Admin\Downloads\KontaktPortable_v801.exe
"C:\Users\Admin\Downloads\KontaktPortable_v801.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
f6dcd528aff2d1399db92b2833960e44

SHA1
e95c449f82e35b6dfa69cb0bb5914e4397125443

SHA256
0357add53821eff339f632f3d499e350af3b82c1d6190ed9855c59267f7423ce

SHA512
738e7da59cb563fb56501f49f7dc104558fcec64c4022a225b3359314f7717e434ed83a57b4d6f2d59313524c9f18d1d78d54ad00f66e4cd8506109051523470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8ea7ec086dcc825462e7661a9eba483e

SHA1
e905fac5b03f3694e2d2561b97613b8940c1afd3

SHA256
d120b61fc809b0f0216b450f70b4feeb4ac0e59ef104276dac5517e7955aeef1

SHA512
0c0579cac7463723ed0e1426a226c052464c95a96463ade8d9baac7bf55dfc60d6ab38912c4a9b22e700ce43ed29ec46fe8bdc41442299b35a4d43239e9cc212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
763ac47d83b0ede7d3866c0f4b9e0c2f

SHA1
dc1a6cff6f34a9b15418a9254a72df22fc376df3

SHA256
085dd516cc1d1cb7f9cd7a4496e7b02ecde8c9a3d1227a5db8f0e97aab5b7654

SHA512
15c3a86ca46afd8e4441c7596bbddce5c0f7e728bc31659c41fedd7ff9413d5c36febc6b647be63af324112df7435f9f7da518fc213edde284e6b4b4a3cc6547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a066f5ac5f8059255f1fdfd905d89408

SHA1
3b5d6cd32be2879a1804fab2d021194388b13f0e

SHA256
e6f5f4e2bd037c4c4d26dc71446007664688989e9bdcf409cea80d3b2eacf8d2

SHA512
6b3b0b6a547474fa6688d2edabb511fbeab2c9f72af1810cf0f0e955ebe11c4a4329ac750fbe607ff8872003cbd388bdd0e533071f1d8de3f86c2b2922461c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3d98c8149ee3e88cf73d96eac551248a

SHA1
23bec70c1441572930bffe607df4772912c93bcd

SHA256
f2f486c3bdcdc789da96cd1942779e035f2a86bf6c5f9ef5de372108af02b40d

SHA512
908489c259951d4da50a63d3b0a344acf5ffc704ba0409825cb7da099bc353fca2ac97b809f208a92a9731425fa1e91c81ce835e4d64adbc371ce79fab476b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a98a8a199f8567f3bf2acbb13f9eb56

SHA1
d976ef83d4a972cead63367c60f622b6120e2ab2

SHA256
e0dd38cb5330fa03e00e6e17effb4cac13c355252915ea2a64107729cf1aa70e

SHA512
e91b780eeeaf50597c92feb16b9dc84a7d8756852ea9c2c5d2de4d0644eb08ed4b62a4aa8cbbd860dfca85c2e3e1cf0a0a365b6250c30bdccf1673ae97c124bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1334472deed24b13ea5e17a9c0f1616b

SHA1
c7e044fd1aa82f6f7ac0c4d7ab3057339e7ab2dd

SHA256
dd7554fe69db3c0be09262d04896c80e0198e48206b743a26a8fffaeefebf9a4

SHA512
023678e47e0554e223d0f80557f41b697f4edfbdf46c0fb9f66c49293b89d0151991dc3d7e0b5dd4575f3088ca317cdd7fdc83e201a500c2a1658ef8539c2d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a02870e7a24ae3381bc97af3ba0d917

SHA1
75c063a3cf0ec654bec7e33e262112920c87843e

SHA256
23c1dc79cc2659c6c79bc3f10f7d3a2746fcdd47b714dd384a8b9144dd4b4757

SHA512
abc3c1332889a52e70dbaf59c4689c7447ccec2527868a8b26bc9a554d9716afa60cc4b2119259f55d9e958cbf501a18e934e7ee28b70b8af1715651a9feba1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50b395a385dc3f6d9bebb354d48a5ccf

SHA1
165460185bbd99a1f886790aecd24900380da5a0

SHA256
bd921e7146d55327701eb60b299310a97d49b580ce8f3a991b7de4b357fe8c51

SHA512
1af19b56fedd27ae924f1470f5b688b0d1f53a4c9c3cb827c2bc1c34a44d5229468db7754f8cc8bc3bd5e036c8fca413f0bbcee15e81b4ee8a5cfcc1dd2ae091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a1f22a7d8d0ba596e5ad9d6f4ad2109a

SHA1
d136f541f7a04f1423678d993796fe3c9dbd68cd

SHA256
7c9db7b8d394657b4806f37da62ae035f82e80d2547364169838b1dcdfd30c18

SHA512
3458c05950daa0aac66ac92bc7fd084ad5771a62062dcec860cec84c346260415f339e14646b5abf3030f385a7e5f1ac6f3227d9abf164400e355b93cb8bb2fe

Download Submit