hxxps://drive[.]google[.]com/file/d/12YeIdSto8I9EV1LYfwh0f7qMrJMDxrv9/view'

Analysis

max time kernel
93s
max time network
93s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-02-2025 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/12YeIdSto8I9EV1LYfwh0f7qMrJMDxrv9/view'

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
95	5940	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com
6	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1760	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133838447312453366"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-456577188-2570430586-3070635863-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-456577188-2570430586-3070635863-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5460	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3524	3740	chrome.exe	83
PID 3740 wrote to memory of 3524	3740	chrome.exe	83
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 5500	3740	chrome.exe	84
PID 3740 wrote to memory of 4148	3740	chrome.exe	85
PID 3740 wrote to memory of 4148	3740	chrome.exe	85
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86
PID 3740 wrote to memory of 3696	3740	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/12YeIdSto8I9EV1LYfwh0f7qMrJMDxrv9/view'
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffce8f8cc40,0x7ffce8f8cc4c,0x7ffce8f8cc58
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4932,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4524,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5480,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4452,i,5197227795006836140,8687319619787012060,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1140 /prefetch:8
  2⤵
  PID:2796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3940

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjAyNjQzQkUtRUJCRS00N0I1LUI0OEItQkE3MEU1OEZDN0Y3fSIgdXNlcmlkPSJ7REYwM0NFMEUtRjBCMS00RDVFLUIwM0ItMkRGQzRCNjBFODJCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUExODcyOEEtOTIxQy00MTVBLTgxNjktODcyQkY4M0ZFQTdDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMjUxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NjY5MTUwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA1NTg5NTU4NiIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
b1d7e62c58c5b8f495733da736a0056e

SHA1
2f8038750f4e70c96d37ae68fa878b90bcf2f616

SHA256
0eeb10f9429cee069cf742f008d97b4d26cbe1676fc79daf933577b037159eab

SHA512
8f7af02c07c7ef1089d89114e29f9929b9392a0f070e6f1a77c818c18a021d7756a07f0f8c58d1127b558fc9dc3226c1bc53d1c7cb3746475b8fb5d4fb98f005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d2a421ca14d7c98e9ed02bde9508677b

SHA1
cbb315d6851711d120e4ceb6436dadfffc180921

SHA256
dc8ce9096c919eabff350a88679cced5b9d8fbbcc35f109e11dd066c9cc3df9a

SHA512
a04549ef079f67af5af19ab524e7eb63327d03723e378f04203aee653ddbd517371038091d69098a4839e4b350233fb5e0dca6fbfc14247b525c210807b27036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97d8c518073c858984cec04feb19e537

SHA1
945bb9f172de5e992cff39d76270337271707a81

SHA256
489e0df5b04542f87a43d311394436c9a8611fc9757f8c458f171c83059da3c2

SHA512
f36c8a21d67db9f794a22530724b52bd85caabf823673e1fafbe784c49ec985866774a30e740b8371fd874597903f0c758f541ef0d620ff2feba65db1280888a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
0483f3bc76c99ddbcec32c25925cf04c

SHA1
0ffd5f2ad6bec0cd43d3bad9d3b8d2bb7e9a5aba

SHA256
4bafc327cee79e08d3a23dfa4e7d6006b7d6dfbb0a65cd29848358281c6f2ccd

SHA512
b090f186512d283c9134b2749562fadd04079a8477cfc78244616c517710200ca283f01292a022d36937536a548713370ae0d1b8b1682284485d02e1677ec495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f56ad547dcb405517394804739fb53fd

SHA1
f8c15ce215b28884563892282ab0d080676213d8

SHA256
17373e342df99664bbf888168a0e5585ae130030dd341a5ed0d8604d8ea61e3e

SHA512
99bca3fc19f512c15a3f3beff073a6cb0e5a1c069e567e56ade86107759da4b594abc1c29b40177148f3bf1ab144b0152fdc3927bb21d8383dfb54249f5ba918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
40a4f5457b125e6156ca45544180d892

SHA1
090c0d0d196a67824b2f80a376672d281e50d735

SHA256
d7413e760306a8079fd83e77a6755f579067fcb24ee39840c40fb5266c6f358f

SHA512
a461e9244608de2fe24318af92d60bd31f252e963f07158351d383140a936acb0bf516f90732f508c952e99d53fb9bb42de3f5625da6d813f0dba1cfea441c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95dee627d75de30cf66ce6c00d5ddf2a

SHA1
c83cfb63890dc23a7537d4cc4e4ba9a350e07639

SHA256
99f132f3366cfa3f1f8c8192e52bd8576cae9337d5bfe3c16025ddb53093a47b

SHA512
f798e9cb22199f52e9f8c1b2691b5fea017934c418b88f7a00baace362b91cefd937c8ae50d39db94d0bdc98ef0b53b079ed1c8f749214abfa880e8884bb7723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f67be65abbb688dd380de52981d1a84

SHA1
bb994b1b08278d1e69c411064e1820529340cd5f

SHA256
8cfebdf59505be78be4cbc0ef9193f39b9ea848819ddea4143c5b2ae55a5267e

SHA512
f00ccbfaa4917777e4d410ae671960304c3a981535e6171f05a36f1baa2d6236ad05756b7319717a0467b3309b4ddc0ed251a0309a8d7430ea2ef3b123e39574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cdd1909cfc51cfc2cc0602f78aaa410b

SHA1
227a7ea31e06ee9efdafc66f9c46b037812e5297

SHA256
28abb32fb6cb476c030e1e87428c60d845bf4eceddab24982fb2f68594b0310a

SHA512
dfbbcdf7069dfa2963c5d4d48451aa10b1e7db0b15d652df4e489156914e3006b5fcd286ab1d5dbde10f2c0e771663c201744719954cc7109f189a062820fae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f5c1d07c150673278c064f11245e036

SHA1
be6db20d75cdc82756de95dbf39be172d281b9c2

SHA256
1068efd8a99320da3ca60ee1a45d37ba6e7a90beb35e96cbeccf0be0c981cda4

SHA512
4b42811b8c8c45066c6a5b36bb22aeee1e8e69dbebbe7cf1f6a45e7a7a85271f39dda1e7ae6a6353f7d26e94c5528d5d13f0ea5baac7bdded109b058f7758464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
d98ba5a357bf393efd2a8fee4e261d65

SHA1
d1764e9c148891cfbe1252909ecb40846e9ca153

SHA256
56e285457a62d049f74b0e313f276139668a10f9a642893ca0b4326c5fc9f45d

SHA512
a688ffd9d61b04e790528809c34537a7d4ebbb8d8daf4500ff8f6c5aae26dbb77fba4a7426df880a2f27791d598e4d54c2bcafd15ca11e9b3335468d23953100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
83772754c0793d06d9495f4e21f98ec1

SHA1
cff70a71c47f2b18a6c7008f6180556e729dde45

SHA256
41c27209fbb9838353a11eb9d94bab1d909b72dd9ed936eedde81faacaadea00

SHA512
317d36c47cb1c6dea87a705e1da92dba16045452ce4db7ad806008f3c1b2ba82575eabb3ad91a8c3f61fbf41f4d827ff09710910fc20013d20da8cc41f6ad959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
4acb71bb0b539e6614dd9a386ea5d377

SHA1
04cc1565f81caeddfa270ab2464f8baec06a3941

SHA256
1c38bf4f11e65190c58e3313240598e9c214c69e90ddf8c811b1bd6db623fb4e

SHA512
cb82e972a9c0eb39ba8e651a20764ffde2eb649109b9b99742513d56ea5d58455f7c9abc6cb652644bb3bc03f5e1c442a4f56f68fee25d48a0fb5f2fe35cac85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
618b7488336891c057c0643dff00b4df

SHA1
35d0411096c62003e07371cfa1abcf13da1bdc15

SHA256
0e945f4cd9ea36c6f976f308ae3e00a52370a88b434f1374e195f97dcba52d95

SHA512
ddc0123e30576e4bf593d8417b9535a64afafca7defbfe9debab8f6f53107d40bb3362bd3dd17e511f2d1cb05f977820a4124d263d3d5247c29684b0dfcc4f9b

Download Submit