hxxps://drive[.]google[.]com/file/d/1XDtDaWQRVy3KV8dX-Rc0sGX7Y58vwiQ-/view?usp=sharing

Analysis

max time kernel
149s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23/12/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1XDtDaWQRVy3KV8dX-Rc0sGX7Y58vwiQ-/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com
8	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133794591089553905"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2884	2432	chrome.exe	81
PID 2432 wrote to memory of 2884	2432	chrome.exe	81
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1736	2432	chrome.exe	82
PID 2432 wrote to memory of 1872	2432	chrome.exe	83
PID 2432 wrote to memory of 1872	2432	chrome.exe	83
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84
PID 2432 wrote to memory of 2928	2432	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1XDtDaWQRVy3KV8dX-Rc0sGX7Y58vwiQ-/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff859cccc40,0x7ff859cccc4c,0x7ff859cccc58
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2136 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4740,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5324,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5532,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1076,i,8063283547314100689,153439158513735523,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3240
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Genesis 1.1.0 Source Code.rar
  2⤵
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5cd801d3af46b34e3c7d2c3e814b39d0

SHA1
57536f61b60bc9f29c2ec0f886930214ffb07c21

SHA256
269de9e602bcd0e7df48605b809abe091b0c51850cd4fecaf8eff883499f77b7

SHA512
579410c605a44c9d26257f2b81b78b4f37e33a227e35070aecd8fc4d062d3f5c8fe0168f8f9d0c497017560ac5140b1e4a455ccd1308c1134dc81966953c7ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
1e9bee0a5505311f13e7d2235b27b1c5

SHA1
f00752f416c90d17025d986652f6b5ac21147fbc

SHA256
8e211c8337916ac7347364ba715e4e2c78230605dda9e78bdbd39b20e971ac15

SHA512
02edf9177ad56b0fe49d1cab851cf7eff5af0abcdddee76794369a7abc8a7658da7d494ca3b658b8a440ebf1ad6f31cfec7a553c488fb2a4d49a29882a698000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
950ecdfef0c66b810cc816c9ac242f32

SHA1
ca9934180fa119c90bcf78aaefe0515423771db9

SHA256
2d4bd3a3cee1cfb8f6fb6b9ab1acb9c662bb840e1b80506b1b7a146672f02163

SHA512
3f39a45506a37e0569f720ecbef0530d6603647974c16694d8ccddbdd319978de99f96579959039e7cbf151bf582af299eb1e7f24e2ca18cb806ca88d0c7e0de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
90d44608c9a06a687726ab943afa011c

SHA1
8b82be946e0ad98a4dfc6802a3227b81619112fe

SHA256
5a13cd5ca038999cfbceb075017ae9b588c8a3e802eeb7ab27c5fb05a19a6531

SHA512
f058cdefcd8f02d3e48bb32dcf6f91bc84a74d9be15bd54e990bd953dd6b7b80d563072e2c995120a6e05a87547784c6fd7b1fb831e129b78767f1c32b68f6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6d8636f62650b3bfc98f07e55fc8f96a

SHA1
f92e19c86dca023d7c0d680d5b8b828639fbd691

SHA256
12a24666b41daa5e701d9ff79129cc4e8c6fd3ad81bb10b0f5e5a0bef4c3ed53

SHA512
4ccafda3076b254e9b46d82a5a80cc4f837c9fa50bdfc8b39040d321ac40b3714a0053fe03b3177587f24594ed24b4c86b78b6802dedfca0db3b6ff73741afd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d06872df18cd0423aa6142cd6fb9fb90

SHA1
0b48df061b05ea9f22fc1cb31d632d99a7d48641

SHA256
0857bc33865efe66f07cc0117681c64e0ece22a2258d9982e0d8814c60a6b2bf

SHA512
fc4c683734af530573d20efc06f19d6766f61317f39ff0acb26a53b1f50a0869340f86dae4ecfb51462c34ed41c2eb17dd5fe54b76498e51bd7d7d432f5d0443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c7cf4577fc9b8c561cd8226d645b6ea

SHA1
5c02d9065e7bd7033ce2830181f880409ce56a99

SHA256
e4c05fc53670788f32990ce4ad21cbf966f8ab500ae86ba6d438e85d980589a0

SHA512
eec501f06bcee42231add5566c4291c2ff4777239f823afda3e4b4f137402d8e359e9a6fad84b10337f9ad03f88b8f27453fc6939ea8c0c26a348c3c2aab1e62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61aefcf5690bed90ca3af352a62af30f

SHA1
dc8be68b13a9c52ce6c5ddce3ec207e5b9ec6f3f

SHA256
40bde4c7be0ab600a597effc0f86e50f379f8ce3c2730fa8b85498bbc29649a8

SHA512
866ec87398a2c4890703b62b21bb8555115b2ae78d1632d7de3c7100981ea4275d9156da4aafd89c99627eaf979bac1f31c07fe1047ba81ffe1fea9f5efead9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
897b835d7424f678bbac78fdde212882

SHA1
471bc8a2c1193ca316b85bb9b54b2d8c46b94709

SHA256
ed42dff57c8a23232b996b4b6be2530528619fa9d7f7d552985c86fa120adfbc

SHA512
d7bb60a619df3272f5257840c92072805a1e661d466968f50a681ff39c7fcc10a0352d088896a53b2ab59cb661335b29ee8ff8b83816e73728284de3bd657a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41367760cb68b718803607f5d458a01b

SHA1
7400552cd2c4e0c1dcbc16fa76aac4647475ac42

SHA256
a03c2cf918497659734c378d98a90a6a2a2c3a8507ac7c9859f953a3856e3398

SHA512
e7577a6be5082d6103507bdfd2cc3efd04151df84b6590a9c18eee765a241ea21e81e89fcbc26993ebc2be1e61d4a5bb4c6e18f4ac35c611a5fc303f863ea74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c8deb24996ef27d878f61a170bbb6759

SHA1
8221a299bede0bb18f1769a6c47ef0d25e79a3e9

SHA256
99b2abe7c2a102c51ba5070d8b1ad7a7f2fef2eac8456cbe3c4946393ade018e

SHA512
52ecca94e4f8b37610ccea9b3807fad58dbe32f5ba0a9e50a30bdbdf21924b2320d92dce3399f2d9d3e15727c233e61c0756f31e6383299f5d3a8589fb6f74eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b14c5f01503cdd8310627511e1856181

SHA1
285dd4c61d008a8aacafccb946fe44a14c42d7ae

SHA256
be8e7f924cb2239e6a5c4586d30e4933d36542c3532ceadcff70a57d05dd8866

SHA512
ef701afa3bf7dd2f8a5e4f48ffe9d9f5eb1e1e1d007e8e7a79a29f39e2cc6a2f991f1dba19e770cc005b204de505f8d2fb3f4c4ba6798dce06a804de8fb851c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6384b99597f844df44210682b37e5f30

SHA1
c0456e9df1d750c4ef44423e7779a4ac55272f24

SHA256
460d670812a41412b0afc6bbf14418d7cf25b437fa48ca60c271b785b9cb3759

SHA512
3f661fb67b3d28f76965e7429074bfca40998cc9ea0ad175323ad7cd0375db08f482aebf4a312fc1c76635034fdd8853e9638c9e366605b9e3889861330dabda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
88e3f3680b121481e9eb05f00cdf4323

SHA1
09eb5411f083d0074325740a91739edb5d56bcd1

SHA256
a9c1947c3773249894205198b17341eb4836a3df3b4b9834f22f3c17957bd258

SHA512
410477e669422596ca72c1124136d8ad728a18cbaa67258b3857e65f4bf1730b3d73c52ffb834950e778e91235daa96029b162db7b88e9ff832ffe8fcb5ffa20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
c296bf016706b8bc1db15d3bf70b1c5e

SHA1
febb8f308dcde3b042f6b64abe54cec2d8fe320a

SHA256
331e27ca75e1fe2b47ca2f9f2e8c4816239ec2600941e14f03ed2fbcee2afbda

SHA512
5bb9c0892486e5aa70ffdce5cc1cdabd444393ba3c569511df2de4ec5a9489a8907c8b580534ad9808b1a50eafd5f582fb44a95bf9fda62d16a2426b26b22e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
9a368b7d57960bab7ceaa042d26b714e

SHA1
cc5a1545d6fec5d50c29f35c0d817dbc96164449

SHA256
d2ed394dedc4d3910298a827831084ec7b174a86a033d0fb96cbd7fb702df1cb

SHA512
555758896cf17df2ec4cac82360b0103d840731b11fcd77f2f6aa6e48d4d5b864b161d4fdf6293ddbcbc36d2b3bdcc7e0f5bf298590b7643bb8048d6b795ef82

Download Submit