Resubmissions
19/02/2024, 16:03   240219-thbb4aga25   10
19/02/2024, 15:59   240219-tfg2vsfh53   6
19/02/2024, 15:56   240219-tdfe9afg83   6

Analysis
max time kernel: 118s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2024, 16:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10v2004-20231215-en
Target: https://github.com/Endermanch/MalwareDatabase

Signatures
(each entry: description, IoC, process)
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"  NoEscape.exe

UAC bypass (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  NoEscape.exe

Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  NoEscape.exe

Drops desktop.ini file(s) (2 IoCs)
  File opened for modification  C:\Users\Public\Desktop\desktop.ini  NoEscape.exe
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini  NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 31  camo.githubusercontent.com
  flow 64  raw.githubusercontent.com
  flow 65  raw.githubusercontent.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"  NoEscape.exe

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\winnt32.exe  NoEscape.exe
  File created  C:\Windows\winnt32.exe  NoEscape.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Modifies data under HKEY_USERS (15 IoCs)
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2240 msedge.exe; 2240 msedge.exe; 4168 msedge.exe; 4168 msedge.exe; 2380 identity_helper.exe; 2380 identity_helper.exe; 2304 msedge.exe; 2304 msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 4168 msedge.exe; 4168 msedge.exe; 4168 msedge.exe; 4168 msedge.exe; 4168 msedge.exe; 4168 msedge.exe; 4168 msedge.exe

Suspicious use of FindShellTrayWindow (64 IoCs)

Suspicious use of SendNotifyMessage (64 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4800 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(image path with PID, followed by the command line and any signatures; child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4168)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1040)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb757f46f8,0x7ffb757f4708,0x7ffb757f4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2240)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3264)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 664)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3240)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 452)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 408)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2380)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3008)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2304)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2116)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4136 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4584)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2348)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3208)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5020)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2278486074564892745,2002050039115636307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 4652)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 2488)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 3508)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe  (PID 4760)
  "C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory

C:\Windows\system32\LogonUI.exe  (PID 4800)
  "LogonUI.exe" /flags:0x4 /state0:0xa39a1055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Downloads