hxxps://drive[.]google[.]com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803772434798868"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TeddyLauncherV2.apk:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4032	Winword.exe
4032	Winword.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
864	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
864	OpenWith.exe
4032	Winword.exe
4032	Winword.exe
4032	Winword.exe
4032	Winword.exe
4032	Winword.exe
4032	Winword.exe
4032	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4988	2532	chrome.exe	77
PID 2532 wrote to memory of 4988	2532	chrome.exe	77
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 2172	2532	chrome.exe	78
PID 2532 wrote to memory of 4552	2532	chrome.exe	79
PID 2532 wrote to memory of 4552	2532	chrome.exe	79
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80
PID 2532 wrote to memory of 128	2532	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2076cc40,0x7fff2076cc4c,0x7fff2076cc58
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4896,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5344,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5760,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=740,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,10572532393357854628,7652631857956132165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:72

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:864
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\TeddyLauncherV2.apk"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e3aaf8028741ec476c6c40276b5649b5

SHA1
8dce44e7a9d217efe6bab4467ad3e4759c8fb8af

SHA256
39567c54d32eeb29326f26da25af2854f0703a1c1320c6d274abda8ae2324897

SHA512
657ea4348b9690eebddf52a8d1f041e43b2ce6cbb54e6ff80d6e549dcaf380d4102f6b4e20f6a1a8a136ac140bfe444ee2049cffb9d96f91e889bfebd293e696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
a25b5551865eb14f5d30b8756ec3d909

SHA1
98fcbb572c7207fea74049d99bf2792560d6ffff

SHA256
545d17636f1ca01dbc5ee3b3f94b911e07ffc909e164624c25a4a30a1c9c97bc

SHA512
d2da07744c848e8ba153bd25c3a5aa5cd16c062c5fad70cd3d0c59059268995bae3361dbc0c3f792313d26ab39f3916dc9bdc64bdbaadd4d33b3eafdaa0db0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
1664aa5a5af1fd4c6c8cceb6a97e516b

SHA1
e74a08f5ec6380495916cf12cc03a8a34a186091

SHA256
54d98ccd9e8c3a669374b2a79fb3d1a9d11201463fc8bbd4e752f173c4561f21

SHA512
e376b4464ce3ec69bc6a07b7e755bda65a1963d6557786f7510a245a75e4e5582ab5f2000698b0180e0585c1e55af26a647e0c0d90be3b1b0ff49f42dc2fe78b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9c5578da1941b181231843238c44e59d

SHA1
8d82873f3af44fcab85692f808fe1e29f3e89c83

SHA256
e6440c5e0e17a4f38cae66219d607c3ab3a9534444fe736dc049397e01d13a28

SHA512
d704e82ca98c9cc3f07d871c77069ef54d303e18c7b96d2fb0afe228f66f534dd3910e536e5c24f0acb39dd7aac173e093998cb8744e20551fce3ac016817525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ad40251d485d322b0d26109f52c05b2d

SHA1
3b35f09bd6f80047705658d9db751a251b01c5a5

SHA256
dd6e64c21dbc4b80d9675f525aaf5a86e6e5dda8e7fb9ad048ddf531f8d61ad8

SHA512
f3868f5510358831706740ea4fe3395384e5a1ffb40e61a182a284d0fa6dd14c1f07d7685b371292bf72a647d7529f1a6feb998786340e832079e952fad9ef84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
1485c2813ebf8bbf1f0ebed6cb85c67f

SHA1
ecdad82a509539b51a387271f6f5271fab1ff333

SHA256
77ae2965589b496bfb00575bd0ccb01fa95a9a50288d1329a59d7978c723bf23

SHA512
569f7f47a903da2ed926fe77ecf16a6613190603f9db927ae1fe6ceb7d5513bc2b9e8c558fcf7d3cee41ba2830bf80d4880b1e662bee7eac77bbce3678f1534c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
ab35eacdce417f2d8c99f4986f65bfb9

SHA1
30288c4b36891687626101a7b1675825533e8448

SHA256
988e37036b5a81a33d43dfef760f91f438a542751a478a49aaad3047a30b9328

SHA512
a732d2a21a6f6f977686cceb8244c307dcaf4c270c7f33bc5eeab564ba70e4901cc12591355d350dd9815eeeac0c9124c6a7e04a08d6724f3d57faac879c2749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
c76c409d82c998f3172248c1eca235e8

SHA1
0447ce31d9c6e3e5350c57088834606fbb0d0106

SHA256
690fc1410fbe8383c70258a9409dc61a9e49deac89ea8af351e60179a2dfbf51

SHA512
67ee3a601be1d7b908d7730002f5e2f7dc7e8ce38ea81942224aea89a1811a05fd1ca70a9b7762f6cd4457b4dbcc1b98a0aef17ebbd71f74c4802c00b36ec8e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e8bf0149c2d95487ee8b1698081bc7f4

SHA1
c45f2289cde3b8442b235dc7136ebf3dd78f61be

SHA256
18ec8260365fe3c1d5cd4d7a19d88cd855d887f3f62c1fffeb93129543f096ed

SHA512
1cc21e99791eb1e44734811c0ed0cf88dfada9f7bff46c22a04a8d72873ed027f7f74cea4bc3e6a78644e1aa2c971535b23c8434cfe49d99e22da495873b848f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
afeb38118e36b204867f1918b3d9d1d8

SHA1
49810ac18f5c124ec08042725dfffc46cf1f67ec

SHA256
fdd8266ddfd969e9d1d494c77f0ca5e7b132e50b07930926f1ef6f0424c2df59

SHA512
9e34ae4f3b4c8ea0096b89927ff052ae904a1c6a870623c968ac523f6117dfb423e50ec2692564d47086727835d741be54257fd324ac6492eb9451af0bd31d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4ee35e6d14ab9df7b399651a3a872c2d

SHA1
eab8442bc3262305bd40a1c8b3664acc1942f659

SHA256
edab6af1d07c704c74c58242b23480a170065a3356ac8b73e68228a10dab626b

SHA512
9defd13c988778bacb3ba4c99d523530edc5b4ab81f54a83317e0a62fef5908ccbb38ee57c7ece25d76a6f90892add87f0548396c6ab250f3478631ae3af7d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1b755eb30234bee2c17b54a30d9506dd

SHA1
bdfabd277848680c5f23d0ea11e113a4889d2b7b

SHA256
bdc85230361337bc7a5832d1c9d710160cea4da890ca339cc2c8309d0ff7aeb5

SHA512
2f6988c162f5f98ef62e72cb1d787c27eb86f2ca640eaa60d23daf93ea9837e7a70167068355d809d654a3fcf4bac7ff6602b2d1b21ffc8f863e68b9627e8d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a022f1aa14879ce9bca8e7267b6cda10

SHA1
31afbec6ceb9dcd45bd1267613c02f793cc2191b

SHA256
018e7d5b9a6c78e4dd53cf3614acb88755585ede4386ceb9b577e231f9b5f154

SHA512
d4318202cc59b0800ee02512b2cca01ae24c0347e6cda68f8c5f3001c396057208de7b5c2569366d5ee8f2ec6f1f783e8823b7aa33e7c347f50deff3f5801f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4b21dd07702f8f63419264b99b5200b

SHA1
92bc1eb693c6ae2f2fcb83d505ccb0f110a836c1

SHA256
13c44896546d2422e55bd1fb26da453d5f8ab8a489a354dd09ec42270beda066

SHA512
d010c1e2ef858e6b9ccb7f22e07665f081271509dcf21708ba1430f9f10cc2ba1683d48ec9e8cab4ad9ae635eb34d98b8acb840e5906b4329318dc1bb731c2f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27f1b02a8365de4d005187e9acc739f0

SHA1
48bf8a7a1fc138e25052665a11be5ff7593a9f17

SHA256
f8f07285bb113c42bac75ac68982131d752db0ddce2725b3c81536b9f3d393db

SHA512
f0dbae00edfeca721602f5a46d697be9f26b1f598735eae90cf8006c537dd02159ea63f246d443d058a0ac8e0057f9114884e77711ccb909cd5793adee61932a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6ae5cdddcc7f82aa646d867eaeee5ed3

SHA1
a4b3810b0ca872b65437ea53e0b9d0aed2ef6243

SHA256
e99b38191b5535dbaa9345eb195fb3ea0449b32792198eb95fbdd16fab1254f8

SHA512
5e116d9ce8276764521902d012025f9435a54f1d8258cb1930f7441fa52fad5a2d31b7a8b38f9f39108fbff0feb99a84aa18db3d48457d2ec2c6df7db2699bfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
80fffbc2ad11348e9679ffa132cd4739

SHA1
10b71bfd58f18b0a0e0a3aa15154304264ed72d0

SHA256
f840beac8309d02e39093c0b28bced1d34748ccb4e5393140952811a458b667e

SHA512
41bbd1b4c6af1721ff8a90db1b3183d33bf61fd7a8c3b0b357c42a5a0bccf914ee05e2a9f2031c7e23b71311cf5f6493f9aa697f5a32e2eb0c1807efc435aefc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ca27ab305720d9d9a912525685cf362

SHA1
e9447b7cf87d0fe8868b49e4bc776b689e62d92a

SHA256
8bbd4f7f4d9c78bb9735167b05ce25bc6f9ae225751e12ed983be3f1f93eb3fb

SHA512
c274254cc35afc819a31288be64c0dfbd6ee12a678f5c982cc0a1eb9d70a2e3f085faadc37e80ec44e4bbb49276fb22f47cd8f68aa3a9bb387ef739400c28421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c46546e82c81ab633437540a8e5a2164

SHA1
39c5480e4a507b4971be3323c53f34a88b44d989

SHA256
8b1b86a4928afd0f10b08735550981958d5dff255792feb6808f4a9b624e6873

SHA512
78b8bb274430a3371e27a1a6c09dad30c908b45a91dabd8a111b9f4f124ce15b02ed1a377a44cb2aec076cee4afd9cc06544d1f578d314cfa78a8e137d797240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f51f54152b41e0cba20a9c4f1669a8df

SHA1
3d834c5dc2b321ffca90094fd8be3b40e34f92ec

SHA256
94d5f9aa0c0240e11b9cd6ee4b0d630d35c6e9a2c27d297993d27b856b263539

SHA512
e51fb2a301c2582dff5263b7d12bedb4618ed450271d29b0a3c34ede93288a2c09646eb3f43d916810145325abba8f1cb58c567ee0258a4f9732d7fbcb30559e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
9686e3ce5eed9a1e13acee1b401eba27

SHA1
ebeab06cef683ed7769dfb29c343c3a44b6a311b

SHA256
87681a72fed13227990d572d9438fec044b212cf4e7d42b9ce4dafdd77b901f5

SHA512
e91687594e539849e9eda4cd48a8f1d924b0ebd3453f48a1a84ed1a104c02941a0d7c6be52f9ae3314463eb160ff6c6f83931d10f5fb102651666d343ef12631

Download Submit
C:\Users\Admin\Downloads\TeddyLauncherV2.apk:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4032-106-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-161-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-160-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-159-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-158-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-112-0x00007FFEED490000-0x00007FFEED4A0000-memory.dmp

Filesize
64KB

Download
memory/4032-111-0x00007FFEED490000-0x00007FFEED4A0000-memory.dmp

Filesize
64KB

Download
memory/4032-110-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-107-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-109-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download
memory/4032-108-0x00007FFEEF6B0000-0x00007FFEEF6C0000-memory.dmp

Filesize
64KB

Download