Analysis
-
max time kernel
90s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
07-02-2025 00:16
General
-
Target
https://drive.google.com/drive/folders/1MpfYVcITx2v-UxOiEWOaNAMOOipouiFj
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1MpfYVcITx2v-UxOiEWOaNAMOOipouiFj1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa08046f8,0x7ffaa0804708,0x7ffaa08047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,11207510742215865514,3558151760903641868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PvZ Fusion 2.1.3 [English Translation] Version 3\(Latest)\Launch Game.bat" "1⤵
-
C:\Users\Admin\Downloads\PvZ Fusion 2.1.3 [English Translation] Version 3\(Latest)\Game Files\PlantsVsZombiesRH.exe"PlantsVsZombiesRH.exe" --melonloader.hideconsole2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\PvZ Fusion 2.1.3 [English Translation] Version 3\(Latest)\Game Files\UnityCrashHandler64.exe"C:\Users\Admin\Downloads\PvZ Fusion 2.1.3 [English Translation] Version 3\(Latest)\Game Files\UnityCrashHandler64.exe" --attach 3628 26934735052803⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x4dc1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c81e728d9d4c2f636f067f89cc14862c
SHA1da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA51240b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114
-
Filesize
465B
MD57454ec7dcfe9e254dff2040f35e49c89
SHA191f1a95bd07d963ee08cc5228923c392d73bec01
SHA2567a319536993a51b6a684b5ce7917dfbfefe053923946dbe8666c103da543fc1a
SHA5121159e5ad3d802d04c481874ba8e25193538039d3f42d1672f370f67e9329b0f72342288351901b7cb362febd2dcfa3a5f6b12baad08013288e54a5dda2df2db6
-
Filesize
152B
MD562e6ffe7501e581c80b178323e921b81
SHA1d0881a3d0aee1c256291d34a90e3092fffa60ce2
SHA256a4f50a6b36e27013a694382c996a1d3059d38310a138f21aa25cc682be5cb0e5
SHA5120c4e34fc9a7c5308b1cd05ea71d78c75a9fb85267d7f3e5616dbc1390794941eb549bcc70f7430046ca79cc0055edf0bd51b8eb43f84ee42163dd34d612ba137
-
Filesize
152B
MD565a84cd7925378cc74972cc4e677ecef
SHA130b4da4c5dbd0cc77d756d270ad260ef74987ccf
SHA2567be0a4cebd74cb4d879e3f9950f5ac5a05acc3bdc415bbf9d3dd691cccee2cb5
SHA512ef142224cc0b94a1c5585836988a0d544e7e8b5e8573a1893c9fac528a1ccbbab6c9c7acaad7cfec1a415544bbdcdfd1d0c5e0a0819cb94107fd81989df18704
-
Filesize
5KB
MD59cae0b2e0b50c4b3ed7916119a62c674
SHA12413c73fb759cfd453185e2ab4a9ebf5b9a8e221
SHA256f01bcc2f22cb08ec79a01cbdf789f74094a2a947907b45a5aae0b358666191ef
SHA512246632c6dc90108d348889eb1713131642db418b9418e4c23b814f04d5a1381370119ac31113f03f44bdb2eb9af687e75d259a69931944f568e522d8dd511f99
-
Filesize
215KB
MD52ffbc848f8c11b8001782b35f38f045b
SHA1c3113ed8cd351fe8cac0ef5886c932c5109697cf
SHA2561a22ece5cbc8097e6664269cbd2db64329a600f517b646f896f291c0919fbbef
SHA512e4c037be5075c784fd1f4c64ff6d6cd69737667ec9b1676270e2ed8c0341e14f9d6b92fde332c3d629b53ae38e19b59f05a587c8a86de445e9d65ccfa2bd9c16
-
Filesize
24KB
MD52b77b2c0394bfd2a458452006e617f96
SHA111eff89a8e3e64401818f81a02bdc84e8ecc4325
SHA256c46f001852fd8e16bb731f21cadcfa0cda8e7d064e11b0faa18d6bb8325acb1f
SHA51221dd89b9d6874539477e8b8dc8d98877c86595a8b0b8deb624547c3f407fb41550f65ff744c22f25c574994414a28e73f4d0794c5bd49be890fdac7906f0ba30
-
Filesize
1KB
MD536cf89b08cc51aea3a6a084fe827c0a7
SHA1a1a324f4f326361db1a457b10588bdb5771f6c19
SHA2567e088d732029f71e7dad8352169d499faf558c04e321ea36aa6e64d4665c672d
SHA512a305158a144028ce97def8b153741d23f0808853e8e79739406a017f0c70eb4177afd1d1ac8974772fdb685bcdbef3b2b3660aa3e561cb4d1eb7764d293eee76
-
Filesize
4KB
MD5e624b628315b9fdc918c51919b8778a1
SHA11848d83612942dd161103e272bc2c8fe396971e3
SHA25654e2900401304a943cfcb8826bb16394f91e19a09be01f6319bd06d4abfa2a7c
SHA512337daa0fb8f51784707d68e11002b0622a066950090245458f1bd305243811536a5d87c29047c837315922c047374ea02ea089fbeb42fed9b54feef7c069b717
-
Filesize
6KB
MD549cb49a608696ead4409b6a74b5ef1b6
SHA17397d94bee87b45d1d81cd2fa2c0c496df6340cd
SHA256cce9d1ea8b3b6cb1002cadb88a930d195ad4bd16326f1f99a7eddf3569f21493
SHA51209d4e10f9ad6ee78c0546db2d716e43972824dfa3bdb0f41105651592cbbeda7d50045410dcd01885efa479a172495244d3ce47e72b4332ab3a3001511a65f8c
-
Filesize
6KB
MD5423bbbd2b885e23c327dbd0bed642b52
SHA120afd086c40011642ed156e86c14c543930d7929
SHA2564bcffdee82a04b24f3e62ce8dc07223bcb2dec7ad698004127f7cf9bad23285d
SHA512488ec5d8116f83b125c1cccfe4629d3b814c6ec495dadc2bbd43e9f78308fd30462ea772562ec8e23288fa6161cdc804b04c948862da34f895d3d1609e3ad079
-
Filesize
1KB
MD55a1fa11ea7b929a7417e7cc560589d22
SHA14cea7f235ff061694fd8b55a9fe090c479e70a8d
SHA25631a69ca83247e1dd2eee9332a00f2db244d838b5da5ddef711fae3d62e56b075
SHA51294fdff9331c46cf04af44ca6d66677b2ec6e7cee5e9feeddcf51c810f4fd1748d7b49bc2495f47b7f65877c5432cb919100ce911def11b78052efb243280c1fb
-
Filesize
1KB
MD510bf3fd46c6e01654505a245ef485e5e
SHA16d1511da25ccd053aca0c136e3e289808bfdd220
SHA256e263227d347a5e101a2610938cceb6d63bc1bc63a3911e08e527260c42b89f78
SHA512c7c530e9c9804118345ada7be847a225ca8a0fb27ee1f77292a570cc16e1a7e6c3228924b2cfbc6678b5e06e29dba7f7d0dbb4087ec5d4fe99bfb4683e191727
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5f0be77c028c8e2f2c45134867b1aed51
SHA1d6d71d1dc235a7163089930955dd2ceda428336c
SHA256dc52569dddd2d93e27fc96be7118b16251e5c33fa1202bc3d04a9826d199c41e
SHA512e69be016a9d4fdac7ffc7b4cd39c5c26bf891167c921f246201b9f4435ea265bb3270bef7555cc39ff39ed01a8a200916627207a4d0a108deade505ec8cdd5a1
-
Filesize
11KB
MD589cac588f62a38b04fc2e57f2ffadd9d
SHA17182ef91d3de1e169da63699a9328db7cd500038
SHA25617df0b01c2292972aa9702fb96b68d52b0fec3cccf13909ad73dac0efe2f8425
SHA512ec1164cfa07d45e1c1b3f1e0a68b1517e3b095a884931d372b1fb0efbae9f79d453beb5f7c86fcd429752a28d18cd84d0b59305a03c6cd140d4bea03fffb1bb6
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB