hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n[.]zip

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	[email protected]
1804	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1788	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
1340	msedge.exe
1340	msedge.exe
5028	msedge.exe
5028	msedge.exe
3484	identity_helper.exe
3484	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4192	7zG.exe
Token: 35	4192	7zG.exe
Token: SeSecurityPrivilege	4192	7zG.exe
Token: SeSecurityPrivilege	4192	7zG.exe
Token: SeShutdownPrivilege	1028	shutdown.exe
Token: SeRemoteShutdownPrivilege	1028	shutdown.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
4192	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4568	1340	msedge.exe	83
PID 1340 wrote to memory of 4568	1340	msedge.exe	83
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 696	1340	msedge.exe	85
PID 1340 wrote to memory of 380	1340	msedge.exe	86
PID 1340 wrote to memory of 380	1340	msedge.exe	86
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87
PID 1340 wrote to memory of 1220	1340	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffc1046f8,0x7ffffc104708,0x7ffffc104718
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,13447360733721445115,778776209614844412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2920

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\7ev3n\" -ad -an -ai#7zMap21604:72:7zEvent19303
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4192

C:\Users\Admin\Downloads\7ev3n\[email protected]
"C:\Users\Admin\Downloads\7ev3n\[email protected]"
1⤵
- Executes dropped EXE
PID:2460
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1788
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:2360
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:3248
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:4768
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    PID:384
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:2392
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4356
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1fe3a26bd35b84102bb4203f31e74c7

SHA1
45fdfa8433789b575eb64e116718e62e0e0cf4a0

SHA256
26e0d51529de906dd285ba48288e25eaf5213c0f0bab9bc5f119ecbc5e1b93ee

SHA512
d528db2e9b917d4fbe24b1b5c6f4cb274f4f91c84f63e5119e041fa89ae0cd01a370e314f8b6aca9d6fa958e79feabc720f4b54b3d8aed69aab11fa84cad36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2915233ace3b11bc8898c958f245aa9a

SHA1
68c6aa983da303b825d656ac3284081db682f702

SHA256
b2cb442f2ca27619c8df087f56fcbbb53186c53f8fd131af886ee3712220477e

SHA512
e3f1b70d39b615e212f84d587ee816598236ee6ce144d919593894fcce4a0900343a9e8b837a0d1bd10921fff1c976c84c4a570eda776fe84d374a69e7a54890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2472e5921e8966fe44a5423e1561f41f

SHA1
d74cb4f021dd5d894acaae344ddea2221759e13d

SHA256
7cd2ad6ff8415e61f25a682ecc5f5182c110299cbcaf395c47b4e4d9040b5572

SHA512
e6b882b0a8e5e13d616aeea558d6a07f316856636cb57a7a3c1f23b70e9917ad6d9fbff16bf34a846d136d1fba07e9be12ede14d4b8930daa30d23ce300d9eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
56e401e65d78d35604700cf47e7c751f

SHA1
e1dc13b0bb31520e83e977b49bf94ad730e86582

SHA256
c214537b8bce20816602edca378869f820c250501443baedeed5a6accbb0ed9b

SHA512
bb70fe715832b0da8ada5b4f75913873de84eba4de6fc593137b364af60a767aa81635f58cfe2b9d26be2d8acbf64ad2dab03b920f024f39ca8f53551713937c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7aca6385d967ba0fd868fb0a03b16303

SHA1
9d4d648a77b303bfc68a3ecdf369eca4b300050e

SHA256
141f05e3e597b62b637f4d7b6ea78ef0539c30c4c41b8c657bf57756a24e2ceb

SHA512
5017679c9e09bc43ba069c6c784bdf5841fdadba0552d6a2be42ee689fc9b0c83995196df7454fd5e579adc3e89a7db48d9dd66e96f23604ed9415b0b1793b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4da8ef4f9a56edd8b045f0044b99b865

SHA1
35679fee0c3a3213b9ffe442b3ab3950028ce09b

SHA256
39f99799f7e0f41ca41d6b53f309b89f4c991391080c8bba54dd9588e957aa6a

SHA512
f772bf1af7e25ea77a637d3721206bf0c3834f9644873f20816a8a0691b29d0af43a6df9ecdd3e0cab58202f293d833cb6cfec8927f0ba761d089e2450c80d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef4e989ea6414f7eedcc9d2bb3cd2a3b

SHA1
af0059c19eae3c7c3f3e2be52877db36f0cea009

SHA256
e8b43cc3bce456b9167aa56b589819378297cc15ea9120b0c762316242d37f01

SHA512
491a7bbe7ce49181ae0868105dc0135a17604c37ee0d4c8ebaadcedb5317c704e3fba2fa81fbc4563bc739593ba3f78f7ba1b8c14531f76e5d05c81407d6106c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1a8292635c6b8bf208adcebe2203b3c

SHA1
44c526cca5d5cff2bcfca668cc187fc94891c731

SHA256
075a29012fa772bf71f90f440c53c06aec61beddf780a21e3080ee1359eacab4

SHA512
44a50f08501c434f7b5030bcc6bebc3552758e8d4bfce43a611d67d17e2ae3b8ad16a73188d9d9150f8aa7a1f5724c4800dba575cdc84af59b9e087ae17fcb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
d046b4e6c23d2650d86f4a1d765c790e

SHA1
005298afb58aee4f49bceda05d314d829d15b15c

SHA256
cff7f5f0a4ec5ad09853edef26a833b729af82a8aecb0aff743506cb5c6250b2

SHA512
620cd3984345190771fde0373e4521759609c085c29cf00e97b5c3bc8dea521cc813b3fa83977c6e7d89c9b3c7f78236b56450e9b52500c6c6d59220a7e6cd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
1a35bef2017d75ee9368d1601832a00a

SHA1
d3d119978e7ec846a787d9c970ff34e09f8b0cf8

SHA256
251c1c1c026d8d4fd1742cba226cf16428f827abcd9d32660a2cae26fdf50e80

SHA512
20b3618e99d802516c7d3a0ca5b87c222b0e5902c0aa9db7de370f70d8ef993cdd13cc520b6b9ae4f5a85cd1bda93bce9be4e4240a76fbd63bf36dd09f73fc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ac9d185dd19e37c1d82d8cbab0a36548

SHA1
54e8bfc2a2ff345b511a95d84131efb0229ee5fb

SHA256
7b02f289ac0ffaa63c0e0aa867faee17c034ac101d2513f8533d5cb6b2241de1

SHA512
6f3e4b44793d703eb78f6b7f945985e3617ba5c5a47a1116bc41a478e42c498ae2aebc9e4daa5ed5fac8a166eedd210542046d5cb1ac3e925aa1c7527aad86c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5812f6.TMP

Filesize
371B

MD5
d9c335c615ef2cc95e97a269bf7301f8

SHA1
2e6f9eefce004f33ca4f695c76b7b9e4a9fc9581

SHA256
cdfffe579411096122c7f42e99d112e5872178f2b50cf26594b55e940016c117

SHA512
2d22e6e85604beefe0d26381c29106eaacbf5f0583cf0635d2315b14b009b2fd158eab9aa4174a196c8914983462c70e3a9ed68bd09e379221f2a0f26bfd3436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b49032a991071e9d074e976fd139cc8

SHA1
c25b5d49860a514207ea36b069ba09d7d64342a6

SHA256
8bd7968fd3554efd17b30c5232edb1824f9c1f4d3e104ae8a44ce7c4c2a5cf4f

SHA512
04d6f605d2718bf72ae83a6aac99e75e3bc73111a75183b9a841b48eb970a527653bd07cac0961fee892231ddacc1568fd61cfb8331461d1692433c0388253ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9297dfdddc619773fbdd4d98ebcb1028

SHA1
85e5e12dd77449102c73314da2c053c0a84c5df3

SHA256
0514270826bdcf0b4a0867efd4adc5f5f57bfc6de1a851c97932b1fe1397462a

SHA512
9d50e09a74b571f01a0560b144dd0c08e5013be3a0627556522e3dc07e64ae2844d636542d6d4cc2b8e9618313b30e18f8ae26025a82c4ad83612b3c2e69ff05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e1768726de8bab877514a0427c4df8e0

SHA1
bf8d9a11042dbb52691141be35743ff7d3acfbe6

SHA256
566bba2bdcf9f7defe7da3a6fd10b46b645063a3e58fd015c5b733a5d6a4337c

SHA512
87cbb12efebdad10be11224367b41e193b6b8b56fd70e83d7b30259384939d116c6de8908eb91ea2186ac1222177d2cb3185fb31b2d5e13ea7f3badf61b4ed03

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
73B

MD5
d3c830e076f1218799413e6a2440d0f9

SHA1
b66fa7a6aaca9263fb5f80364a52fdaffe725092

SHA256
a0dceeff45a8998138fe2d61be9e4ecea705b142a81a91999366e85f24edcb9f

SHA512
c7e3bd78d17db59bfe9547d396d2a7569c1ba17a1949cdbaecb09e0a032d616e19e76a1bfb07871f535b37fcfbecc6aa70d2e02c2ad1098a6905415e36fdebcc

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
320860eeb912f91a0cf38c9871c71675

SHA1
e85c815c06f42fed98efe734fa2ce1791b01054b

SHA256
2b113ee6ff867c6821fbe951f1fc6e53857157f32570a7e9290aaf4f429768c2

SHA512
5f29bba916cf19fc0cba61d19f8bd4ad2c132b893145a95897443e02f6b2a253d9a43a9456aa16c88aa58905bc4252aec7d51723d43301561c51f926133e05aa

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\Downloads\7ev3n\[email protected]

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit