hxxps://drive[.]google[.]com/drive/folders/16WL1bC5EbNBh6DOrmxDwC6a_6mUC3Qwq

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/16WL1bC5EbNBh6DOrmxDwC6a_6mUC3Qwq

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3940	msedge.exe
3940	msedge.exe
3192	msedge.exe
3192	msedge.exe
3364	identity_helper.exe
3364	identity_helper.exe
3156	msedge.exe
3156	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3524	msinfo32.exe
716	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	OpenWith.exe
1872	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2496	3192	msedge.exe	83
PID 3192 wrote to memory of 2496	3192	msedge.exe	83
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3548	3192	msedge.exe	84
PID 3192 wrote to memory of 3940	3192	msedge.exe	85
PID 3192 wrote to memory of 3940	3192	msedge.exe	85
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86
PID 3192 wrote to memory of 3424	3192	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/16WL1bC5EbNBh6DOrmxDwC6a_6mUC3Qwq
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb386746f8,0x7ffb38674708,0x7ffb38674718
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10203907372516608107,3096798559636775155,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1256

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\substance painter-20241215T104309Z-001\substance painter\m0nkrus.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:3524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\substance painter-20241215T104309Z-001\substance painter\m0nkrus.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1c5edfdd-3574-495c-a9fe-785d43cc9121.tmp

Filesize
6KB

MD5
1980d971ffbd48e68a99dd66d7deb874

SHA1
1d2565ced694af219a337cde6e0354808fd7a2cc

SHA256
df1e99160a58522712897fac596259e2e9f2a5e250165440c530fc1bb6511997

SHA512
2a88cb27a5afb3fed1f86c754c53095957b59e3a6d4b677aaee6622ce9697a656a9de7207b71dc0b487967c35c0eebf74312ecc20c972c9920efebb0bbc6d158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29e6d577ccad18897852e146bf134825

SHA1
2c874d382464b29f84396d063485ecea1f379deb

SHA256
35de2b82af7fc0c4911ce2ed7aa5552fef95f4c3d35bf2ac2f19bc5c9446149c

SHA512
ab14342ce43f918f57c1506fca89eb492faade2b9949d79ae496877a7c72c1ecbaa49e69bfeeed266b2b41bede5d2a17c9eea6f5706f01d99e752cbc325fda09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
13e88076578debb5345f75f6c8c547dd

SHA1
673720e9a4b2eab409824e7cf7a15cacd0970eda

SHA256
49acc678a030d81ce9f52904c5b0e0519012604c1b916a260269e5ad420b550c

SHA512
026087c2d0dc57972313b629be1103a98ed7ac573f056b13a16850545620d29ca87e6c0c4c113f012764bbd8481cca418e5c197eef05af8478ea26be21d9bdd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
12935009a71825c4055fc3acd286e2de

SHA1
80b22804f4a479a2dd43409bf903821397388595

SHA256
c2abaf012569d4d02c1e2f32fa63fbf2a8385a351778dad4639dd26a28ed2a61

SHA512
59160593a28c11725cb5273c9507e8081c705bc4cdc2fa7ec69274ff0d9083625525a472be88e6d82a2e6f1f0fd3863a13835a28f18c982f43f9bacbadda39fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce557bd728a3f38235a8de296d4eaa65

SHA1
1741d15a1872dbf56eff8e50c4eb835be686e454

SHA256
5940fecd238a1b9fe040c7aa0462a093d9e905c7e0e464c1cfed4e5c675af810

SHA512
b6ed826b296070c2a7443d1863a6dc9a0dbfc033f8829797be14a446387753a511db3f74ae5d2192ca4bc8d8a60b3333af01a98219371c91a1161f39506bdfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ca7a75661de6789790bee9618b01038

SHA1
4de926fead45246a2bbb4711d5069b314c1529d1

SHA256
4a8c9dc87a678fa8db528965de44c95005d876af6054137a5463f84ddce773f3

SHA512
f0f6f5c84e577a8a14f15c1177e922f082b351e68fc63ea8e5a6961e3db7b12834789ccf9e1c6f64c9ea66e2267486f07ebacdf441be443e8cfa9970384078d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5bfea4965b7c24614884021a2c0a7235

SHA1
de05419192a618ef48f82dbf615799f45fb1c085

SHA256
22c957bd8de63f9bfd9336f10124bce0218d685201ec5f7ca7960399cca381d1

SHA512
a36820f9fed4582569fd1522f3402520cb5003ac22a11ff7d455d81dad73b120512fdc83abd67df8f470d9efe3a151961d174cac063373d14d2e5fe06047d42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
642d95ce25373f3d06dbab13d6ddcdeb

SHA1
4bf4a9558f0757e0a8b5a2be580c6e52464773c1

SHA256
3af9066d15368722b30a86d7c29dba85fa31be23df4330f68c63070448ff0a05

SHA512
cd9ea39f3ee986034ec01368da786f3ad7277a08fddf7f748c667c9624e06c8b64a35dffc429169e01a9d16350a2c7b17c6656471d028db88154695546167ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b21908f9f080f1e45925c633010c7f45

SHA1
1d58fdc8c50b02477bf36c035880678e83456f56

SHA256
8322cba7a5ef878aebb48a157a3dc921b3cd8b4cd2d34d77fd3056582d83d4fe

SHA512
9e665d4f6e6a2bf405e12cc4567f777c0e474ec9539431f7255b604cea01ef1e67cc4a92727dbb47aa4b3305580fa932fcde200e6df6f34325a6f436841b95a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f02d995282d01184ec267cfc63fc80c

SHA1
5b272fe5a307a4a15dd09430585a6a16bf22421c

SHA256
c69646194b80c65c4aaef81754257fb33b8fe72bbe522b268520895fecf1d9f7

SHA512
4766954b3423346d5be49711231bad5654eecea3f0cd6b14d393b690e2a6683e7884794b8f84896920a600a3aa56dd3ad778e3d1dad64d56c6ccf444b90c3f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e5ad.TMP

Filesize
1KB

MD5
b4107c9196d2940ed9ce11619c7ea3cb

SHA1
26114b296031c6ec426e72d6c076872290815641

SHA256
f3148006e95b9b7aba3dc09dd8f7bc98c235daf311ad171a75f10e478aeb9a0d

SHA512
7ac37502d457ff03b060336b2914ae6d7dcfc0ac57197a109f9490c17e0b634fe87db125167de5dce08edcd91e33170fd0fbbc6c2e325263cfc95c9515711987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a43d7648-5f76-40f5-a839-7c0fb5971f7e.tmp

Filesize
1KB

MD5
f395676468409544877d36e2eb7dc377

SHA1
df0b06b25a9b6bf2da64130735819300cf291a9e

SHA256
17f4f8f59767bd7b397141b411c7e55da8690d19d8940d66e59cbb4d23bc3540

SHA512
48400072ce22f7fe21c48cde33faf4361d9dfc7bb1e31019213297116b0293e4c777ff02e78d1d8afeb340fede8e5d227abce4e680ad827f9a2221788e23e577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14a0bd827156b371cf591d2254fc0da7

SHA1
325ddcb0a463e3e4eddd2169c8458ce85a18159a

SHA256
e99250c1be86fcdd8fee757f44c053d1d6b4aa6d62038ce7fb6d70c08a1c6ebc

SHA512
59a93771097a9958266f51a7f76c1b661f60904491afcda6e0b539a615845b74ad069b04b1bc0e3a254a13ebb474d484b7879aecff5ae6bac74073343614e08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0cf22f7bd9394267fb272a8f27d27204

SHA1
011d3701fba84af2cdb3cca1ccfd03766abeab45

SHA256
36412b76d8275537d6e4b468b2474bfdfb6115bdc434ba3818dff8a0b18f4c38

SHA512
70e6e8f1005c4b07f39fe8310e57155a4b9008ade7ee8cb445520a7b81bc307d3a88ffe4b4b68906c5dea96aa7afc5230f9879e47b0044d30f1a9d6a84eed887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
de343c37ed8f4f6e1ee32e36fc51f85f

SHA1
f0ccfb785bba0105508359a11df5f1a6659008d6

SHA256
33166b9cbd5566489c80e41be600648ec0d0719966b47ff14bd2d9167768a810

SHA512
2a5687cb743384a28c01e7256a94aa9546a55e756d1f4908a9b4d10992b49d4475f5b02b7df59b6b2bcf9dc0dfe6d9112bcc0462e5062449b4f6579ea31d4fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c811e8a9-e234-4833-b604-11507c88e1ec.tmp

Filesize
10KB

MD5
5823397932fc55bfc32101390260f79e

SHA1
bc9ffd3f5c15ee7ce3b03501659b14fc82d7c816

SHA256
63aaf01fc57d8ab24e6c21a64f0cac1a6aad0bbbb1d50e604f4836d319f5f558

SHA512
6aec3d73e0d40d6b49112fcfec8b20bdd1df4149b54bb2f0ffb47274dee1acc5a5060c40b61f8159a36b2fca56ed9b53e19b5797f2d230752c654d48959799de

Download Submit
C:\Users\Admin\Downloads\substance painter-20241215T104309Z-001.zip

Filesize
3KB

MD5
29c3e50eb7f0139f057c41d24c999ce6

SHA1
6122bfcc767ee7a51a7dfd2cada03b5223f7a28e

SHA256
60bed17bf9b69bf7207cf82a3ffca9ff3d7b6db5487b69f452566a0b1253f736

SHA512
264083dbfca72863452fb506c0ae8b6fc8276f76236132950cedb281aa8075d6040d37d2dc8835024bb68c8db67154cbcd7bfffaa74f3b8b77d5b09c380f30e1

Download Submit