hxxps://drive[.]google[.]com/file/d/1imWc3F1SkUfEmabIMjNh9iYtaon66l0Z/view

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1imWc3F1SkUfEmabIMjNh9iYtaon66l0Z/view

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2788	IbisPaint.exe
1280	IbisPaint.exe

Loads dropped DLL 8 IoCs

pid	Process
2788	IbisPaint.exe
2788	IbisPaint.exe
2788	IbisPaint.exe
2788	IbisPaint.exe
1280	IbisPaint.exe
1280	IbisPaint.exe
1280	IbisPaint.exe
1280	IbisPaint.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	IbisPaint.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	IbisPaint.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	IbisPaint.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	IbisPaint.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
1132	msedge.exe
1132	msedge.exe
4340	identity_helper.exe
4340	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
660	OpenWith.exe
5788	7zFM.exe
3668	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	5788	7zFM.exe
Token: 35	5788	7zFM.exe
Token: SeSecurityPrivilege	5788	7zFM.exe
Token: SeRestorePrivilege	3668	7zFM.exe
Token: 35	3668	7zFM.exe
Token: SeSecurityPrivilege	3668	7zFM.exe
Token: SeShutdownPrivilege	6104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6104	msiexec.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
5788	7zFM.exe
5788	7zFM.exe
5788	7zFM.exe
3668	7zFM.exe
3668	7zFM.exe
3668	7zFM.exe
6104	msiexec.exe
6104	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe
1132	msedge.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
5268	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe
384	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4764	1132	msedge.exe	82
PID 1132 wrote to memory of 4764	1132	msedge.exe	82
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 396	1132	msedge.exe	83
PID 1132 wrote to memory of 2428	1132	msedge.exe	84
PID 1132 wrote to memory of 2428	1132	msedge.exe	84
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85
PID 1132 wrote to memory of 3288	1132	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1imWc3F1SkUfEmabIMjNh9iYtaon66l0Z/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8658546f8,0x7ff865854708,0x7ff865854718
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3477501827546370537,14101556653515808519,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5276 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5644

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ibisinc.ibisPaint_12.1.5.0_neutral___sxbx2qs82h9wr.msixbundle"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5268

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\New folder\ibisPaint-win-12.1.5-20240717.msix"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3668

C:\Users\Admin\Desktop\New folder\a\IbisPaint\IbisPaint.exe
"C:\Users\Admin\Desktop\New folder\a\IbisPaint\IbisPaint.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:2788

C:\Users\Admin\Desktop\New folder\a\IbisPaint\IbisPaint.exe
"C:\Users\Admin\Desktop\New folder\a\IbisPaint\IbisPaint.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:1280

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\New folder\ibisPaint-win-12.1.5-20240717.msi"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3a4beaefa51144746b92d165981be282

SHA1
0a7c04c415fc62ff0587495312e2bdb1adb30fdc

SHA256
0becf84f0ec498b431e15221b2a525aa1ac402e136caf06bd8a34d884c97986d

SHA512
4d313817c05c668bb028ca0702ac14ba17e98835466dad719721f29212a19e2671c35a7376817943a88b2daf9c7556a3da8155df2d19350f8ac779e7a220ae4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f6702caf870a6fea4200e02c144249bb

SHA1
206e658564d1213270b781881c5170f7c85c6262

SHA256
5f11b17a3e2b13021c9b4efd307ccffc16de9cfecaecee2b7c1bb89888416b53

SHA512
a2f77b54efb409d79fa565d22e93509bd65a9e7a6e15f5d9e01fe470bd1354e80d61f1a0b3ca7ebca9f5493c1a70c2eacbd900d3d8d0464da06c8224ad6b9893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
31c54d100aa9793837f9618b91fcdf4f

SHA1
cbcad4716a27ff940d5cba9b8e10a86472ebdeba

SHA256
66f4a8e15e29575ff5fd2b265b172845ee8c3966eb9040776e75a77f05dbb3e3

SHA512
c5bffcc3ea343944c929d528a3392b3ded82640a161dd3f15d00a9b2f7222fcdb2a8d122aba437e7946579689eb4e81f90bdc658dd8f1f3ec19366364a3dc81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c82edbe3ba2efb47e060d67b6b270a8

SHA1
29bfc117ed59b636c64041c693c7cc4c7fbbbad2

SHA256
93bfaff7614e9f091027ad29e2bc6d0c95242370c0601b6f928248f3df3f9d15

SHA512
806d4a42c01d2d0a3582579a6d57694d7055302220cd2da243a40ce2bccaefcad942797a1d4ade4f233c38d3f844be8375e31b98d55e1e249c19583d414119b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e1a280258ffc61c995ce13cf6cf459f

SHA1
8e36b4f62a8b272293ee15f7ef9441871751960d

SHA256
596cd06cf688be9a0163e0f6f7258323ac47723b8e7d3e8fb10cf26f34e06672

SHA512
51ba7ddc5b6e571106b03b2dbe816bd8fae0f1673f439ab456799d83b759b4a2754b40574e897cc617432dfdbc1b9286367ed432609a339a90a66a5e4d57733d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51868bfabc78cfbc50aebdc6edad98c8

SHA1
3329f82b405c584b70ca65999186d6ff4c945e04

SHA256
6371d0e6f908afe171f32f42b3dbca85eef6294516c13adc398be3aa2f206a84

SHA512
e9b83c552927ef61112dba8b6d04cf93349ec04297c501e17005e604a90a29c2067c3cde29d1f6fdb351fc04970f8a38698d0d5b712e1ed9cd889605a7504df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f40c115dce341ef0dfb5e40b17cff080

SHA1
e50303eb2c32eec6352034c64bc9c85e33a1a5bc

SHA256
3b51223c4a0208dc4384f7b9d09078411bc51c325bfd4636b9e2a2fbf55e82f2

SHA512
436733f9aec017ef3891f1d8f6e997b607a0609e55de1db4ca16c997b8bb7f98fc3ef314e27c2368bdc4a2f25d469079ee97ff30032bb1430e6c80ce90fc2ec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d6b0721cd287ef633377c56e2c703113

SHA1
3d71ed632d28ef52d5f5509a1de836c8426b7945

SHA256
86fe8cfa06af6c418e4247b6fba174655586384466a41944abbb3d3e8a964364

SHA512
42947cdc1213952782519bde4cad103a51bad6e20d0031cfcf28f916215894a9aa5b1bd01ab4f1fcf476b6666f331a28ee0b7ba1e46e9d5b1d289301e0e389d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45EBF669\Images\Square44x44Logo.altform-unplated_targetsize-24.png

Filesize
1KB

MD5
a11f70eab82ede43b593770c43ae057d

SHA1
9c0365501fe6302f90ffaf3f5846b28d84ab2e9c

SHA256
cf934986c1252e92858902ad85261696c3514cd4b0597a453e7adfa334304f4f

SHA512
37bc7b6a3e7c6a98a8ae3a65b9298cd4eb0117399a43197d9e12381e199204ec64dc26d47146e2d6415c670d7e91140ce9fa5c48fb583a0f493f6b1e7c982be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45EBF669\Images\Square44x44Logo.altform-unplated_targetsize-48.png

Filesize
3KB

MD5
ca86d758ac2aba2ec398d878eb48a5f6

SHA1
a82318ac0f61c90fb35595020af2435c481eb467

SHA256
b9e500b1fa742f533d36d7f34959ed31224ab975e6499b46777d3240e3d87e20

SHA512
9a64baa933cc4b07c1f5fbd389bf17ae662a4b7b5e3492e31c081594eed8b6c6fe8b3dc8fa1b022ee30bc095c51322e3b48fb0331594dc5e0356a76082e8c48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45EBF669\Images\Square44x44Logo.targetsize-16.png

Filesize
815B

MD5
2cbed9ec03bdf4bf795b587dad871d85

SHA1
745a8602261a5a4eae13b477daa9352ca3f66b46

SHA256
d0261e2aa599b93c5960ca72f9823c64b2677903b680dbcfe5f34186719de671

SHA512
4f694a64e4d14748837752bb20e4dcd75e420b3793c9511710f868ccc87f29a351ba7b0c819f27e684b48973237d9f059b38ea125e110892c8d74d4929399461

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45EBF669\Images\Square44x44Logo.targetsize-256.png

Filesize
29KB

MD5
dc9c73a89311e7b3a347c7268bfefdcc

SHA1
daa9de0afa03386e65825aa582c35119ab72a99a

SHA256
e69fcf409cbfca94e3c7a973c49dad9be1afca5ea70a3671222775a599dde9bc

SHA512
85b6ddaae06ba1924eaf53ffaf8d82c8bcc276b74b822b9171ba3ad23a415b898b7b53e1b9ed98d02f67760b40f9c8f7a49afd8ac69853dd5563e602b4d41937

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE45EBF669\Images\Square44x44Logo.targetsize-32.png

Filesize
1KB

MD5
f620b8cca4ca663f136be7d02f32c689

SHA1
26d0e128ebdb6cbf1be4f345f8fd469d16706358

SHA256
5dd6eb11325e2120c1ec578cd45caeaac15a8e319399543a14b5ebb6ecba81ea

SHA512
c1b794e8f845bbb42239a89deee9bbbf5560031be153dc994cdb6a360c4be2897240dee4b3d6e00dca898d315102749778229eb4643d71d97a139f80e296ef8b

Download Submit
C:\Users\Admin\Desktop\New folder\a\IbisPaint\IbisPaint.exe

Filesize
22.1MB

MD5
f52cfeb4eaf0260086c80c45faa81be2

SHA1
a6b450939f16b365e21d7b5472d5f4bfa6d46a12

SHA256
44f9770ec774fc469769acaa9218680861eb2bef37757af0408680ea643ac0b7

SHA512
f2c63ef8ba2ac644ba1d2ed6a31aac97c5b825797fa9045ff495b0140c6246eca3cb11e1a58291ad35dd1e7c38d6d53b1f7cf1be5f91cc28034cb7b81c032cf0

Download Submit
C:\Users\Admin\Desktop\New folder\a\IbisPaint\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Users\Admin\Desktop\New folder\a\IbisPaint\libEGL.dll

Filesize
201KB

MD5
c4cbdbe4681c211ccb81dba88653b778

SHA1
e5fbb92a7c9c032f1e2747a7c8d5bfcccb38e2ea

SHA256
b3d6853c7148f3fc9cc6c489133a06dea2272781b6dc5998e3f47b62cda13016

SHA512
f710d8588a466f15b39e521bf6a82fb2c3264a37fcb75b7a87248cb556738ed19cb6e8d1dfcc3a2a80d445bd09585f71fecc21ddb002d8cf99f959d4843f0b10

Download Submit
C:\Users\Admin\Desktop\New folder\a\IbisPaint\libGLESv2.dll

Filesize
10.2MB

MD5
b9d79c83fb0c0d6ce6158c9efa1cca32

SHA1
fb8a0e26a8dea3090c4f962f22f3a52dd7b013d6

SHA256
85fa43208b1be13e6ca8a1504705207ec486ac9a83af9718bd441e3ee1e62675

SHA512
5e0eddabd90adf121bd71e7ce9a755e3acc28da19ad3244b391f551bb7c90506c277b397d58df1099e96fbe58228bfd4c776066622473efc0bebebff233d4c71

Download Submit
C:\Users\Admin\Desktop\New folder\a\IbisPaint\onnxruntime.dll

Filesize
13.2MB

MD5
00421a4385067bafd23e6e0a1ef0605a

SHA1
b11c738ecb475e8b892b18ef55f87e203018e500

SHA256
6cc2fec259ff9fd2f59fb69caff0b247de51050a179cb4b3fcf8a1528a6cf3e2

SHA512
72a1c1780ee3162883b6aeced473a6fe54d2693d3ea843416ddc7cf68bbcff4da3fb8a511418f5b5e97316f7acc85420fb621a1a5c409c84ef459311f769df71

Download Submit