bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde

Analysis

max time kernel
717s
max time network
694s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inst.exe
Size

3.9MB
MD5

f9f52016bd031244dd8228708ae070e0
SHA1

85b2e0f45ead4169c9fe1b1afcfdb345a050f307
SHA256

bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde
SHA512

6a91ca5bc6abb094076004551f77d3efa3b470ff9eba2fffa2273441b73c4d4d570235d1ca6416e84711e1ec7c72a51429e2498efebd942c4a02b7072a6be8d4
SSDEEP

98304:FlBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYVIq:NoD7x4yVdDfLa8kg

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 1 IoCs

pid	Process
4976	AgreementViewer.exe

Loads dropped DLL 3 IoCs

pid	Process
3460	inst.exe
3460	inst.exe
4976	AgreementViewer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	inst.exe
File opened for modification	\??\PHYSICALDRIVE0	inst.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\360\360Safe\{024B8CF6-DD8A-45ad-A848-7BB52C70BF6B}.tf	inst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgreementViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 195626.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3460	inst.exe
3460	inst.exe
980	msedge.exe
980	msedge.exe
4824	msedge.exe
4824	msedge.exe
3540	identity_helper.exe
3540	identity_helper.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3460	inst.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3460	inst.exe
3460	inst.exe
3460	inst.exe
3460	inst.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3460	inst.exe
3460	inst.exe
3460	inst.exe
3460	inst.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3460	inst.exe
4976	AgreementViewer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4976	3460	inst.exe	98
PID 3460 wrote to memory of 4976	3460	inst.exe	98
PID 3460 wrote to memory of 4976	3460	inst.exe	98
PID 3460 wrote to memory of 1408	3460	inst.exe	99
PID 3460 wrote to memory of 1408	3460	inst.exe	99
PID 3460 wrote to memory of 1408	3460	inst.exe	99
PID 1160 wrote to memory of 4824	1160	explorer.exe	101
PID 1160 wrote to memory of 4824	1160	explorer.exe	101
PID 4824 wrote to memory of 4300	4824	msedge.exe	103
PID 4824 wrote to memory of 4300	4824	msedge.exe	103
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 1120	4824	msedge.exe	104
PID 4824 wrote to memory of 980	4824	msedge.exe	105
PID 4824 wrote to memory of 980	4824	msedge.exe	105
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106
PID 4824 wrote to memory of 4164	4824	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\inst.exe
"C:\Users\Admin\AppData\Local\Temp\inst.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\AgreementViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\AgreementViewer.exe" /Content="C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\letter.rtf" /Title="致360安全卫士用户的一封信" /ShowERC
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4976
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" "http://sfdw.360safe.com/setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://sfdw.360safe.com/setup.exe
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff8271746f8,0x7ff827174708,0x7ff827174718
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4156 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5764 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    3⤵
    PID:724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6361923415907554391,2712424032879424396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5664 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38d8b98c206b7dca830185106df85a75

SHA1
f99fd6a9f2482ec02c294bfb1bea4b817a9841c8

SHA256
629d4b95c2e60e755c668301b8cb2f70a098efd72a6e15dd5ab540ed62ef4e56

SHA512
35943045270bec16c77a9b0adad2d2aa6769d33531492cf49e288f505a1f374522821ecc6a529524bc8c62dc448c032bf0b4c0d254f95dcd83164c5fa462333e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05a45f34bcf1500c3ae884f55bda78ff

SHA1
82ac5afd74df6cfa2a411d9e8bd046edb2edc37a

SHA256
12cd9dd728e18c3c2b27ed2bd6ef9f0c427833de37c4352fdb65ebea78d5b377

SHA512
79288f4c74b27edcddd3b7b07effe5da3b794efb8d5c9de12b59cf896d1a2af48067f08b07b2bf70913e5f4bfa5d6b9c0bdaa976b2d8c46619b44215fff53965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bcbe601b5a42c8513b604bf4a5d7da1d

SHA1
6e59541bedd0c7dba4efd2a907a05fff460cb8fe

SHA256
4884488cf652748916c251c8bb8c04d880015b25088268b2ab237c13fb9847de

SHA512
9da9a44de82d37c38d8342160414cdd59ab0bb23c71b5b02dd72d71e224004645a53038de1b8bd9a01fd626e50776cc422f839e65ec4750f52904b7db423e1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{118D6E3F-13AD-41d1-B380-706239B28190}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BFC8D20-1B79-41c7-A0F0-A73C320E573E}.tmp

Filesize
15KB

MD5
3641846128e0a27a28ca0dba8942b896

SHA1
88c40c9923ab48e0c01883a773e297541ce49882

SHA256
cbf7cd45fe193e0a438ce14b0176077762e984f897091a682f9e866983da9174

SHA512
15910e5a279f17ea06618cb8dcbb64fe8f8e6f5061fc14bca6a92ff2795cf64eaceb2067104358a014079550ca1b4f24200935e2f10b1ede6622d94794047550

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3D880128-2181-4cb4-BCEB-ABFA70CD3842}.tmp

Filesize
1KB

MD5
bbf46f99e48e0c21241025dfd79f1a87

SHA1
e8644f8faa90edf7e7f06d327e6bf2112d92bee7

SHA256
c0ec75b44dbecb80d621d4600d124544536efb0a5e40b4cd927f9f8145c61f94

SHA512
64f02d1ff552cff477f41978c00e257a96abcc1f5a589d3f0113118e5dcd5c74dacf38898c9d9152537b0a112823abdfbbc005cec069b140607d9d2af4e73f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{410971CE-3ACC-4643-AC9E-1FDE85831940}.tmp

Filesize
631B

MD5
b3e4f2b3bfd945dcfb8b89597d62c33a

SHA1
3671807b21cfa22a9f22e97b91c55c5b45b50059

SHA256
6c393360869431bd8d770afad267493bf9c4ed25080983b2e4608f51bb3e258c

SHA512
315779049170da71baab255f14a1ac2e0b0fb914a9ba023b3d7e1189b9d42bb0636c78d4d10771fe194c78424cf06f1e267037dab67b12d370dffe41c3756dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{760D4005-1AA9-4f71-B520-F2FB2D24B081}.tmp

Filesize
14KB

MD5
10af715dfb97b8a187f81555c8e6068b

SHA1
c108e08d53a6ec711f1ba70fdbd7561ce483cbcd

SHA256
ee7f804a1c73b6d6935ff731ae87aefbbd1abe16dc5ff315c5d8d91e283c902d

SHA512
fdca596438fdd60c88de69367abc70d6cbff318d8381eb4155fa257690f26d95c9a13131f676654bed27be458a6df67cbe1d713de9826cf955723f6a92fc5bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A59A7D9-A7F5-44ab-9623-D4967BBF2B49}.tmp

Filesize
4KB

MD5
fb5980c478894a0d0999e0541b2eb1d3

SHA1
05a5f8499a04c2898ea4bb896934dde343020293

SHA256
5d297c94d94529bb652405c76bfdd7b2d8365cc6cddc72310ab250242ea12145

SHA512
8a4facd941685cafa4878992e59bf31c2288cb722d69f3b4fbee43d0ce8d4d8563c7d6f01a40b578fed0393d21b7007b018ed0b7bf3a7933e319290db0ec7009

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

Filesize
1.1MB

MD5
44c8df596b52856eb1d3fe2e37cbde4d

SHA1
4aadbeef9dc6cd4ccac758ebdb852915c09545df

SHA256
ecdda2fb9eb27f1b56349e2abfe90ce2f8741b982a3dd6d248e7d93e6b75de2c

SHA512
ea94ed1662efd2f6d91b4d05059dfadd8f290eedbb45433e33f3b4e3729822a40e0c63d319f2041f3f1738650219200d594ced9e36b558aff0a494fab53a0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

Filesize
27KB

MD5
8074e9740a0e3cfda172ad1983c72a05

SHA1
b6d006adaff1fd059268517b6bd5610ef15d3ba9

SHA256
e4ed337a562aac81005d451cfd4aef721cf067ecbc6d1057601aefc41ee83e26

SHA512
f6680cf19b512060b6ed1c0f88c8ee31a1be456a37204cb63073e0ac58a2b0f544dcc0dabf0829f28687c2842043d21d41b2f172cb15698316ebf0f2bc89c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BBE6303C-B361-48df-AF7B-24624208971D}.tmp

Filesize
1KB

MD5
402c9d31e2079948e743562cb48af2a6

SHA1
5111e39a19e0675a44369e03d4a82132f0d12977

SHA256
d82df7afa80ab17cf1d298488c66902f192034b6bb18176f5bd5c5b74e348e79

SHA512
27510489faa6562507cbdb0b5f545d9124d6ba59d41a65224dd6089a9c8331279ce83905b26d41453255bda660fbaae957e0e17d43350dfcb86603888177c760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C636A562-90FB-4757-87CF-7A142DE4150A}.tmp

Filesize
2KB

MD5
28a99d7f6f6331ad7912bec237d508d5

SHA1
247715d921b1d90b401d2ea4f372ef3e5ddfdf5c

SHA256
72d936e41f4c9ae8c66e5bf8e58a6b6653651372acd3f198fc9a28fc7325beec

SHA512
b8cd448f724b41dfcbad1dd4d73e7a9eb0aafdcf02229f179125dd0a76a8b180a3a88cb3a51eab5eb4fad87daeb087de2a6c188ffe22f4876334f4025f9fbb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\AgreementViewer.exe

Filesize
1.6MB

MD5
1d25b2913c139d96cac373f308221c27

SHA1
de255c8cf9cfd6768b08d52615935b63b02090c5

SHA256
6395b9fa2df40c5f45467a3a042a97ee48a162cd52d9a24e839d347013fedf2e

SHA512
f79de06f60895f4ca7ffd06340aed83206d0f61d16dcd61046cc265ed619e027369448fe593564df58543768ddf9c50b370d6abb9b997b50333fbfed21ca71f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\letter.rtf

Filesize
1KB

MD5
b25819a7e2e15a5f7af4e83aa90749f6

SHA1
646c6102018e46127837d4a3c613fd7b2f5e4700

SHA256
03501ad0692e1cba2fcfbe863f2430c345d02cddb8657f180e3d150af6823e45

SHA512
55a37ee0fa6658563681229ddc92a65a72e9cf44d5e382aed8c07666ea2790b1beeccaf9cc9eaa7093a832300603276f707fe5fb58dcb090a81c1be818bfb1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D5B6DB7F-DDA1-4f63-9188-E144B3B070F4}.tmp\sites.dll

Filesize
1.4MB

MD5
b6573421fa6713e7060af7298af28804

SHA1
59a58d8dec778c6937cf261f16a5ef3aad9de315

SHA256
23d2b040f587a2823b2aa35a1de221fa485c78f2ba230a38913ba149a0458b5d

SHA512
431f1ecb1c269bddcc4466f0c60149cab0ea7684a58e0394fb5c80180a7eefa0476f0894c9371fb889e5f20e3487e03b534624e270dba1ce2cb70acbfa248336

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D9692476-282E-429e-B6AD-7824C8066C6D}.tmp

Filesize
1KB

MD5
23545f16d9df345985bd3219e1c63186

SHA1
6135202057e821c169417ecf79dce850c1909cd5

SHA256
c0c661230b1bd30f5f76e2a68bb0120f27fb274779953a5393e22bb5a1dcc624

SHA512
8475a26e973fd49bfa22703de41996b7e95287154de030b6ed4364b0cbdbe4bef9be2f46fac649a460be6c5feb4086224323e36b7c18c6070e98d2e20e2d234b

Download Submit
memory/3460-47-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3460-34-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4976-91-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download