hxxps://drive[.]google[.]com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM

Analysis

max time kernel
58s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM

Score

6^/10

discovery execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe
556	powershell.exe
2228	powershell.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3108	timeout.exe
4824	timeout.exe
1900	timeout.exe
1864	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4000	msedge.exe
4000	msedge.exe
4644	identity_helper.exe
4644	identity_helper.exe
4080	msedge.exe
4080	msedge.exe
2228	powershell.exe
2228	powershell.exe
2228	powershell.exe
940	powershell.exe
940	powershell.exe
940	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2228	WMIC.exe
Token: SeSecurityPrivilege	2228	WMIC.exe
Token: SeTakeOwnershipPrivilege	2228	WMIC.exe
Token: SeLoadDriverPrivilege	2228	WMIC.exe
Token: SeSystemProfilePrivilege	2228	WMIC.exe
Token: SeSystemtimePrivilege	2228	WMIC.exe
Token: SeProfSingleProcessPrivilege	2228	WMIC.exe
Token: SeIncBasePriorityPrivilege	2228	WMIC.exe
Token: SeCreatePagefilePrivilege	2228	WMIC.exe
Token: SeBackupPrivilege	2228	WMIC.exe
Token: SeRestorePrivilege	2228	WMIC.exe
Token: SeShutdownPrivilege	2228	WMIC.exe
Token: SeDebugPrivilege	2228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2228	WMIC.exe
Token: SeRemoteShutdownPrivilege	2228	WMIC.exe
Token: SeUndockPrivilege	2228	WMIC.exe
Token: SeManageVolumePrivilege	2228	WMIC.exe
Token: 33	2228	WMIC.exe
Token: 34	2228	WMIC.exe
Token: 35	2228	WMIC.exe
Token: 36	2228	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 5012	4000	msedge.exe	82
PID 4000 wrote to memory of 5012	4000	msedge.exe	82
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4920	4000	msedge.exe	83
PID 4000 wrote to memory of 4448	4000	msedge.exe	84
PID 4000 wrote to memory of 4448	4000	msedge.exe	84
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85
PID 4000 wrote to memory of 4376	4000	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffed61946f8,0x7ffed6194708,0x7ffed6194718
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9743364789150261653,7539930678931061420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM Free Tweaking Utility V6.1\EXM Free Tweaking Utility V6.1.cmd" "
1⤵
PID:3384
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:2308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:3932
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4240
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3108
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4824
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:556
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\EXM Free Tweaking Utility V6.1\EXM Free Tweaking Utility V6.1.cmd"
1⤵
PID:1276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:3108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:668
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4028
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1900
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1864
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4972
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2308
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:3712
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3716
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading resources (power plan, Nvidia profile inspector & more, Press "OK" To continue)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2228
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:940
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://exmapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"
  2⤵
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded resources successfully, Press "OK" To continue to the menu:Information);}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4276
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
263e47a40c146e44c40bfeaa8194a7d7

SHA1
5f1a9a782220f90d060ea4ef72e7b11cfde46530

SHA256
1e1c302f29ddad83f46dc53002b1d7085f8339fdb3561839d23d010c5565e8d9

SHA512
a219092a46d95a20afb47cbcbf1f8a8567a6699a2f938ca36d2731c3a93310ac59453da84e5fb98f8bc9cee4930747e8a3130932528a1a85b82fbce40e4e5b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bc588bd84c8c627658a1c65c6e82429

SHA1
5ab080f959be2f7ce9c00c8fb8e42811ef5825c5

SHA256
f5df2847ace9b96af490f1c2439baa2723bf93854762bbabaf0e43b39afdcded

SHA512
66f007550c6d4e7f3b1b6350330fb2dc42e6cebf222986de11176a851323dc8a1d14c7d80b4ecd324e49886ce60d6acefc14e95534da7a92446dfe553187be4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0186841463539e734dfbaefabc22898

SHA1
dffea7c5cd5c42911838402f25f16584099053ff

SHA256
e0f80eb701b66652a03ebaecc37ac431490b0abf3c928fd2191e151048f46d09

SHA512
89075ec98686ad53a7d39da50fccae6089d15c440ce59c540dfe584c05869c7cd977b28eb2d5e648eb64a11097392143e370727b17b769131dc51642fdcac0d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e1f0869fafa72e14a1da4be465b967c

SHA1
e08a4c37f6c944afc53d1aff5779504f84214f0f

SHA256
b66cb4581757c35836c7b00ea6249deb4e4fc717e1c479f8b87bf0f73253562e

SHA512
7d4f5ab865b272ff503420a0e1966cd16dfd853a8ddea6f4a631f6bf437730345731e1c1c836e7028a8cd9c1ee11afe3392e6012ba254ed8f1825e5e481b897e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
88c09d02b4e43d19c806657569cfbcd2

SHA1
0009b8784c1270006852647c684f20008d2436e1

SHA256
ff8886365a7c9001c50250839b58b3f028b265a35bfcf6ad94a06cdf432c5b82

SHA512
ce0e375f081707e741e133be598525bba976df2c7fd4dfc0f5e4ca43e5dca75e79fbf89c242c89a7195f6db8fd65c7f27bde21f384103cef01af7e26f76847f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57def6.TMP

Filesize
1KB

MD5
a82f34ae5b1ced4bd2d1e3818983cca1

SHA1
f20a0aa71a2ee30e56692179bc66f6c36841a282

SHA256
b5b84a24b2f19be769da67a163afa7778be8a4f91717003affeb733cdc0e5e27

SHA512
3fb4cc53af707e80e4c556368c27b68b72a1dc0623a114e0586d2984a0065d2683b636e54bf7119fb9c8334a2420f54dcb12b175db415aedd8dcabf9669d8ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
581fd46b39b33427efaffc1e4a282461

SHA1
1b2155be92c75cb4d262da3c7d90ac725ee53691

SHA256
c9c71aaa94f331161f69382627ef1745fecf28b43516b424f9a78026e2e2a5be

SHA512
43bdff39d8a2e9d04b1328d27205411fa2fd759029a1bf0e14595be75c5f296adde27ba399f9ad8eeddb4b5f9213fc1a8f91b75fbcf3a37f928896b4ea847817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
192c8fa00e87578371ae17ff5b443e79

SHA1
5f28f51327353752501fa0d6ca482b89f661da9b

SHA256
91f266f61a16ac199efded1d8837aedee73187d30511314bed168e2e1354a222

SHA512
0cbd5a21d5b7a5f85863e10e2272aa9df94168fa88f698aa26985587c71836b42aa019e51eb33297efa05e498957bffa64ec91f87db222e0168da288624098a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad4f952899a2ae1cda4f0e86597d6e19

SHA1
e35dd97981c688ea8efe15e512ea69133df2ef88

SHA256
0b381367bb77dc10498d144a4e0f966934ffffc4238c844f1c1053c3909a5af1

SHA512
61f46b95e7edf8d0fd6f6d04fa35b08f5c057eefd048e8687e532e45e95da2084608c0f72802f01818bf887b3ed9c83053629cee3c79a1b247b9f4077fb81cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqufjked.lhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
1.2MB

MD5
db0e9e1953431cc977c3e95bd3d36ab6

SHA1
4f34027bfd24a54e269721e07f3fedceb7841e70

SHA256
c4e798355111c34ae3424a1c102758335a5e24f714831b15a5bf2a1303df9097

SHA512
0874095e38b8c5ab0e2f68fddb77ea2283ef6515349417446aef12e6b9e4456c429b156423858830264cbbe9cacc4a32d9cc2325135432bebc0c5b38720fff9a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 329309.crdownload

Filesize
36KB

MD5
9fb407c6b0890549256c5f3a3ecb6cbd

SHA1
337e04b26691d932a3b365072a0a94e417006b7a

SHA256
2b274828909181281f74f7c52e3782060d61b1b61bed5e5a34ea40b7265f5f7f

SHA512
2d81e5b338d9ad036f8febeb2330be8c9cd682dabc8893833faab25d329449630fe8ff56be3e176036ab9ed93188be56ed2cb4bd3914d2673ee7cdee7f6c4c99

Download Submit
memory/556-260-0x000001F970630000-0x000001F970642000-memory.dmp

Filesize
72KB

Download
memory/556-261-0x000001F970240000-0x000001F97024A000-memory.dmp

Filesize
40KB

Download
memory/2228-201-0x000001EBA6050000-0x000001EBA6072000-memory.dmp

Filesize
136KB

Download