hxxps://drive[.]google[.]com/drive/folders/1yYcKGMKlH2jDzPnljv4Oc5NtGkvIYaZj?usp=drive_link

Analysis

max time kernel
31s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2025, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1yYcKGMKlH2jDzPnljv4Oc5NtGkvIYaZj?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133831680517467235"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1828	3088	chrome.exe	83
PID 3088 wrote to memory of 1828	3088	chrome.exe	83
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 5036	3088	chrome.exe	84
PID 3088 wrote to memory of 824	3088	chrome.exe	85
PID 3088 wrote to memory of 824	3088	chrome.exe	85
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86
PID 3088 wrote to memory of 1496	3088	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/1yYcKGMKlH2jDzPnljv4Oc5NtGkvIYaZj?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8959ccc40,0x7ff8959ccc4c,0x7ff8959ccc58
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,17126590844318786156,10010458517066950560,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:2524

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0277f06a7377c734d6057f0eabd1d785

SHA1
b09b0e0d9c1b79465a77e9fa3cdc355c050a9dca

SHA256
793253c5cdc6b869c0dc50d0e0d0b517d8693212b7a6ac4921fd522b1a4b606a

SHA512
b4b2dd47301e706948224e6a3d62e1ef41541062fea388973fe50b0134f377a69ce9ad328fd08f5f6c745aee566d06034c6d3387aafffc0c1d581378ca7e3979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3f5fb080795a89b6ba68a96de0e8014b

SHA1
1e4c270cbdd4e5fef071c6d7ce5fbb04ef4ad61b

SHA256
013f035c104063ca1f0a93585bcf6dc2ccefaed67bbd0a62fd210c11a4ef93e0

SHA512
2c904d56e5182f60a1792a4ab8780f701970c26dd31657f509282867f48d968c38369f9abb82670491e5a02a7b02f5b37fdacd6b6c45edefb9572f5cb8fd01eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1d296ea6e2cbd42f650c84202c8f0d1

SHA1
f16cfc147ceb5336fcf91975683b2a20aee5f058

SHA256
423ea16d1ecd32845849fa605cec238e04b2b80a29faef8219f3e94b561ec120

SHA512
f48c628fb036db3846c24c0b50b0054dbd2edcc121c205eedcfc022ab380ca4e5d046335b0e20ab1d9a4b24d2afae65ce72fff0a913d26022d35a3f71e3cf9b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a385a312d7e664dbb03d4dc63d7f9dc

SHA1
0d8d09b654db1710821c5abed10ab6d9a7a42aba

SHA256
a0de2e372992a6a52951f30d34c7796813fead74230ffb8783bb0a68d2dad53c

SHA512
adfe489f9723b6a88db298a05f602abe738aa4c37e9bbd15b9c18f841d08cb5f7e23745ba7cd86803c54446a734907ce3b42e759e698e844c7dfae3b043e28f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\16.png

Filesize
566B

MD5
b3b099003f605d552145790cf1b71e00

SHA1
6dc54b1268536935e9ac96a27c34c03aa1a1eccb

SHA256
1d1113f78a60a4702db32f106598883cb864cd273a708ee292dd6003e3cc8d4b

SHA512
d078de028160ea917c24ccbda0b74a8374a2153c7bd1f5a108710b102d64f0ffdc57caefe2979153a8d42d2e8d7a85089680bfae9f4facaaf048d8d93494d5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3088_1039492023\Icons\128.png

Filesize
7KB

MD5
8eec20e27dd654525e8f611ffcab2802

SHA1
557ba23b84213121f7746d013b91fe6c1fc0d52a

SHA256
dc4598a0e6de95fae32161fd8d4794d8ee3233ab31ba5818dfbe57f4f2253103

SHA512
b19d628a7d92a6ec026e972f690bf60f45cbab18fc3e6ab54a379d8f338da95e2964ecdc5e2bb76713f5d3ab2ced96766921e3b517036e832148d1fe5fe8aa6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
1162c3c43501d1f3d8b34e2e94292f84

SHA1
4ccfc3930739ddf803984e22c07d92567a30c498

SHA256
12f4d806bec470fd15f3c88a8c55c902d01f3bd1ebb98933dfaa762531dda9ed

SHA512
1d3c6242178840e06528acbf22ff508fa4e6b25e9017506f026a3b88ad20de77453f3e29deb422cc9695d8c08028908f8a26ac70ba26d592eebca8e4a580418c

Download Submit