hxxps://files[.]catbox[.]moe/548e27[.]bat

Resubmissions

14/09/2024, 19:03

240914-xqjvzszgjl 4

14/09/2024, 19:00

240914-xnsp4szfjm 3

14/09/2024, 18:55

240914-xk9jfszfpd 3

Analysis

max time kernel
104s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/09/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/548e27.bat

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 785907.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\548e27.bat:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
668	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
3448	msedge.exe
3448	msedge.exe
1460	msedge.exe
1460	msedge.exe
2864	msedge.exe
2864	msedge.exe
916	identity_helper.exe
916	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: 36	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: 36	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3900	3448	msedge.exe	80
PID 3448 wrote to memory of 3900	3448	msedge.exe	80
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 4336	3448	msedge.exe	81
PID 3448 wrote to memory of 5004	3448	msedge.exe	82
PID 3448 wrote to memory of 5004	3448	msedge.exe	82
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83
PID 3448 wrote to memory of 1540	3448	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.catbox.moe/548e27.bat
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb6db3cb8,0x7ffcb6db3cc8,0x7ffcb6db3cd8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,18226451689253829227,13295928304395501159,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4160

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\548e27.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\548e27.bat" "
1⤵
PID:5028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\system32\findstr.exe
  findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\548e27.bat" "
1⤵
PID:2956
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\system32\findstr.exe
  findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
  2⤵
  PID:2772

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
ef24ca0e1e706d2665491f3a53117c1d

SHA1
c7f9111ada98cce49b30f403a361d3250360f311

SHA256
0b4c25d901799ab136b3dc0c1ae621d7dc55e1cb0f4b0892918b330472942060

SHA512
68dea3e89d5501bebd0cbd207579adccd30266da0fcf4b8b35685e3813dd04b8c9e5d1cacb9aea114b137530a8dc73aac4143fe0303c5aa3eca667f2b8d62d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
588afc7353d540d76859d605ea76cae5

SHA1
727ed5ec4bfeeb94a44c66ea1b3991a444f23b89

SHA256
cb191d7a4f38f6fda7ae5b0acabb572be421d019df4490b69135be5dbe2fc0d6

SHA512
66549fa899edfa2eedbec026937c33102432e0d29046c6a1b38455516a89e888032b86c889471332ddcbf519a08b0c52688a383e453388c5f34614a3d8a722f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bc8d939b85a418fc92e6d0121125894b

SHA1
ad287513190d2db9b7839a1e933b57448d2a86bd

SHA256
6d0169fb31aced0efb7ec6dab75966a8e6fea7246b02c4785e248b775b9880e5

SHA512
384474b115eef0dabfd687f6cf1e56125ba233d528a05a5370cec4c82ae4baf980f0686d4b712558b671ab2e7087ddb084f1faa72ad21892c2b9306c4df525dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b5cae34cbfcaae73d1bd6c06a5bea7ef

SHA1
e9e23b13e98d9b969d816202057727b27709db7b

SHA256
5365fbc72282f6af385ec21b8031cbc8d7449c3d8a7de3a4f3ec1a6424ddca10

SHA512
90de2c1419395e91c115a74f092a86f6f632572debd6b557018bb416a1dc3e70ca316685b70b412e355027d659525617d7001a10fe3a4452203396135750529a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cfbd421af5b0d5ec0299a2f05b53eeba

SHA1
dd534369274bdcdc2244792cb560b08b618fec43

SHA256
e4cf48a4713b7867fe287a688769dc27a069f5fa3a8b17fea3eead27de869cb0

SHA512
8df2225987cf5d0c4c07e6896c8d22b24986fe86ea44d5ec1b51283c99e0a5cd462a8473b60ec4876a72cf46dec9ac102f3f9bfad9c6657756244c3b669a5b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
13c0f1c4b9248be4827accf728b54549

SHA1
0af2e26f5f40f10475c14de9461dc43b45e9ee36

SHA256
da5307074bd052bcdd30ba9d6dec818118bf4dd55f402134755aef60cd79fcf9

SHA512
eab166499c42ce2884b9c713a6953d45283c7eeb0efc442ae10ecf06a6a4add1f48175f22031608251310ba229420eccf375b09eed63a91d64a609114f14c5b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
C:\Users\Admin\Downloads\548e27.bat:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 785907.crdownload

Filesize
3.4MB

MD5
8060a10b7a0dd79762120ce7a646ae86

SHA1
27530385aa5f4cc34c298d9110d24fe3feccae5c

SHA256
a8012c20cf2e60fb05675e0382bc5e698f23feceb2457188e981c2b69c18df24

SHA512
0c14c9514527317979bb580b2ab08b243824051318c00c02a7c36af5bac451e212d66f3afeed30f6c53b1c146c971875a084dc26cdf81a1d1dd051ccf6e848c8

Download Submit