hxxps://files[.]catbox[.]moe/548e27[.]bat

Resubmissions

14/09/2024, 19:03

240914-xqjvzszgjl 4

14/09/2024, 19:00

240914-xnsp4szfjm 3

14/09/2024, 18:55

240914-xk9jfszfpd 3

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/548e27.bat

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 98412.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
2632	msedge.exe
2632	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
2344	msedge.exe
2344	msedge.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: 36	1588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: 36	1588	WMIC.exe
Token: SeDebugPrivilege	5864	taskmgr.exe
Token: SeSystemProfilePrivilege	5864	taskmgr.exe
Token: SeCreateGlobalPrivilege	5864	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	5244	WMIC.exe
Token: SeSecurityPrivilege	5244	WMIC.exe
Token: SeTakeOwnershipPrivilege	5244	WMIC.exe
Token: SeLoadDriverPrivilege	5244	WMIC.exe
Token: SeSystemProfilePrivilege	5244	WMIC.exe
Token: SeSystemtimePrivilege	5244	WMIC.exe
Token: SeProfSingleProcessPrivilege	5244	WMIC.exe
Token: SeIncBasePriorityPrivilege	5244	WMIC.exe
Token: SeCreatePagefilePrivilege	5244	WMIC.exe
Token: SeBackupPrivilege	5244	WMIC.exe
Token: SeRestorePrivilege	5244	WMIC.exe
Token: SeShutdownPrivilege	5244	WMIC.exe
Token: SeDebugPrivilege	5244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5244	WMIC.exe
Token: SeRemoteShutdownPrivilege	5244	WMIC.exe
Token: SeUndockPrivilege	5244	WMIC.exe
Token: SeManageVolumePrivilege	5244	WMIC.exe
Token: 33	5244	WMIC.exe
Token: 34	5244	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 3520	2632	msedge.exe	83
PID 2632 wrote to memory of 3520	2632	msedge.exe	83
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 2900	2632	msedge.exe	84
PID 2632 wrote to memory of 4120	2632	msedge.exe	85
PID 2632 wrote to memory of 4120	2632	msedge.exe	85
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86
PID 2632 wrote to memory of 4484	2632	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.catbox.moe/548e27.bat
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba0546f8,0x7ffaba054708,0x7ffaba054718
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\548e27.bat" "
  2⤵
  PID:3384
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get Model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\system32\findstr.exe
    findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
    3⤵
    PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16032330434098605946,4166847379293123754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5336

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\548e27.bat" "
1⤵
PID:3384
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5244
- C:\Windows\system32\findstr.exe
  findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
  2⤵
  PID:5252

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\548e27.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
4d51125fce3ecd7edbe3e2350f8247fc

SHA1
0d3ec182988c57f5258a70930459f4c426c890f5

SHA256
97245f386df2d8468498e7f90245e6726c0cb4ba4aab85fe06d4229ec4b64b91

SHA512
9ac2699b7d87b01ae61c95326eb686c3aba5d740c5748f6ba80c07128b4f5a8f987823500426833951ed0ff8e69fe22e37dca9d366a8c9333f6b9e0f56ae5c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8838ec118fcce09b14c7b64b68f2b6d8

SHA1
7701de23689c652990e5b368e8648e3267b21db3

SHA256
5870582b113981ce80b9b4f76da2e2bde42c6d2a4cd9d2e0c673a170ba1ed5d9

SHA512
f61345683080fc7106e00ee997c951d7773bf36587ad06e7caa27fc0457ca483a6c6c6517fa9363459a883cb26bf7a9420a47643272fba1f40103f2d05099470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
523228d6e0d8822033efaba0e4f6aaec

SHA1
33fb54c099f5ee841dab76267ba4380d5862907f

SHA256
330946bb7e23359e331983f7c2aa3014f1b06bccd59023606f071adfbd11794d

SHA512
0cb11412b107cfadd3f7e3f82c16f8b621d81c2168159ad834a5d97bfcfca62056d433e64a0fc7379a3880339cba22f489df65c99af11e7b98cdad1d532ef51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5214cfb9c793f2378c003ac01a4b8698

SHA1
b6b123345db4fd7fcf0a83b2e7eeb754d22d9468

SHA256
95478d6ca3b8df661e71072d7ac35a8fb642a626630ce3d10e083f1a1c119946

SHA512
6a92e7f1a2cfd8acd1030d4d9d8c040c6371aa005c61be0ec6623c1866d5c4362e48089314ad225346da3042d4be16e0d9c37295b73a631581392ca4e71f6da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10e214e5b77a2c3a44d47b35e7ff8a6c

SHA1
9807e7bbc30d4fa2e13583b9d82ba4ef25a0c9da

SHA256
42681e6848b8d99364966d1a01449f6f8f0419566912744577f512a9400963af

SHA512
b585df54d4f4323ae639d682786a497a300ad442fda7a983c9d20635487e3d8a488af60fc2c151609ea92c1baab68e4947633047033c6743c5d7a0fb7ce51a34

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 98412.crdownload

Filesize
3.4MB

MD5
8060a10b7a0dd79762120ce7a646ae86

SHA1
27530385aa5f4cc34c298d9110d24fe3feccae5c

SHA256
a8012c20cf2e60fb05675e0382bc5e698f23feceb2457188e981c2b69c18df24

SHA512
0c14c9514527317979bb580b2ab08b243824051318c00c02a7c36af5bac451e212d66f3afeed30f6c53b1c146c971875a084dc26cdf81a1d1dd051ccf6e848c8

Download Submit
memory/5864-131-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-133-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-137-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-143-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-142-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-141-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-140-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-139-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-138-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download
memory/5864-132-0x000002052D2E0000-0x000002052D2E1000-memory.dmp

Filesize
4KB

Download