Analysis
    max time kernel: 897s
    max time network: 896s
    platform: windows11-21h2_x64
    resource: win11-20241023-en
    resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
    submitted: 30/01/2025, 22:30
Behavioral task: behavioral1
    Sample: Server.exe
    Resource: win11-20241023-en
General
    Target: Server.exe
    Size: 93KB
    MD5: cc560bdc2869ccf4ae0e939a1aa7f1b4
    SHA1: f16b12272a26df1bb2dffe5ebbd8483b30d59ee5
    SHA256: 88438e680d7127491c1bed3f762ac9fc7839e08e710cb8f9da9d1cfbaf772f68
    SHA512: d57d6e8e1d27d41c01f3a6c6bcdb8f522748527678539f816b94da3b5cba8a75a96b8d1b0677ef77925eb579d2c7d374f50b91df9887f734ff288a303ddbae12
    SSDEEP: 1536:PUwC+xhUa9urgOBPRNvM4jEwzGi1dDxD8gS:PUmUa9urgObdGi1dNV
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
    pid 2400  netsh.exe
    The command line (see Processes) adds a host-firewall allow entry for the sample's own path under %TEMP%, so inbound connections to Server.exe are permitted. The legacy "netsh firewall" syntax is deprecated in favour of "netsh advfirewall firewall"; detection logic should match both forms.

Executes dropped EXE (2 IoCs)
    pid 3452  tmp1BB4.tmp.bat
    pid 4780  tmp7648.tmp.bat
    Both "executables" are batch files the sample dropped in %TEMP% and ran as its own children; their contents are not captured in this report.

Drops file in Windows directory (4 IoCs)
    File opened for modification  C:\Windows\Panther\UnattendGC\setupact.log  UserOOBEBroker.exe
    File opened for modification  C:\Windows\Panther\UnattendGC\setuperr.log  UserOOBEBroker.exe
    File opened for modification  C:\Windows\Panther\UnattendGC\diagerr.xml   UserOOBEBroker.exe
    File opened for modification  C:\Windows\Panther\UnattendGC\diagwrn.xml   UserOOBEBroker.exe
    All four writes come from UserOOBEBroker.exe, a Windows OOBE component that is not in the sample's process tree; treat them as sandbox background activity.

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). No IoC rows are listed for this signature.

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
    Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
    Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
    All three IoCs are reads performed by netsh.exe itself, which loads its registered helper DLLs from this key on every invocation. No value is written to the key anywhere in this report, so helper-DLL persistence is not evidenced; the trigger for this signature is the firewall command above. The WOW6432Node path, together with netsh.exe running from SysWOW64, indicates the sample is a 32-bit process.

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp1BB4.tmp.bat
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp7648.tmp.bat
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Server.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FileCoAuth.exe
    This key is also read during ordinary locale initialisation, and FileCoAuth.exe (OneDrive) is not in the sample's tree, so this signature is low-signal on its own.

Enumerates system info in registry (2 TTPs, 3 IoCs)
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
    The reads are by the Edge instance the sample launched, not by the sample itself.

Modifies registry class (5 IoCs)
    Key created      \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache  MiniSearchHost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix  BackgroundTransferHost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"  BackgroundTransferHost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"  BackgroundTransferHost.exe
    Key created      \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache  BackgroundTransferHost.exe
    MiniSearchHost.exe and BackgroundTransferHost.exe are Windows shell components outside the sample's process tree (background activity).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
    msedge.exe pid 3908 (x2), pid 1200 (x2), pid 3624 (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 2784  Server.exe
    Repeated polling of the foreground window by the sample; this is the pattern keyloggers and RATs use to track the active window.

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
    pid 1200  msedge.exe (x4)
    Edge starting its child processes with the block-non-Microsoft-binaries mitigation; browser behaviour, not the sample's.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
    All entries are pid 2784 Server.exe: Token: SeDebugPrivilege once, followed by 63 entries alternating between Token: 33 and Token: SeIncBasePriorityPrivilege (privilege LUID 33 is SeIncreaseWorkingSetPrivilege).
    SeDebugPrivilege is what a process enables before opening handles to other processes (injection, credential access); whether the sample then used it is not shown by this signature alone.

Suspicious use of FindShellTrayWindow (28 IoCs)
    pid 1200  msedge.exe (x26)
    pid 2784  Server.exe (x2)

Suspicious use of SendNotifyMessage (12 IoCs)
    pid 1200  msedge.exe (x12)

Suspicious use of SetWindowsHookEx (1 IoC)
    pid 3172  MiniSearchHost.exe (Windows search UI, outside the sample's tree)

Suspicious use of WriteProcessMemory (64 IoCs)
    writer pid  writer image  target pid  procid_target  count
    2784        Server.exe    2400        77             3
    2784        Server.exe    1200        94             2
    1200        msedge.exe    1960        95             2
    1200        msedge.exe    2920        96             40
    1200        msedge.exe    3908        97             2
    1200        msedge.exe    2756        98             15
    procid_target is Triage's internal process index, not a Windows PID. Every writer/target pair here is a parent and its own child in the process tree (Server.exe into netsh.exe and msedge.exe; msedge.exe into its helper processes), which is expected around process creation; on its own this signature does not evidence injection into an unrelated process.
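The WriteProcessMemory rows above all pair a process with one of its own children, which is what to expect around process creation rather than injection. The following Python is an added example, not part of the Triage report or of the sample: it parses rows in the format the report prints, collapses duplicates, and splits them into parent-to-child writes versus writes into any other process, using a child-to-parent map transcribed from the process tree. The input is constructed from a subset of the report's rows plus one hypothetical row (target PID 4444) that does not appear in the report, to show what a cross-process write looks like.

```python
import re
from collections import Counter

# Row format of the report's "Suspicious use of WriteProcessMemory" table:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
# The trailing number is Triage's internal process index, not a Windows PID.
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")

# Constructed input: a subset of the report's rows plus one hypothetical row
# (2784 -> 4444) that is NOT in the report, to show a non-child target.
SAMPLE_ROWS = """\
PID 2784 wrote to memory of 2400 2784 Server.exe 77
PID 2784 wrote to memory of 2400 2784 Server.exe 77
PID 2784 wrote to memory of 2400 2784 Server.exe 77
PID 2784 wrote to memory of 1200 2784 Server.exe 94
PID 2784 wrote to memory of 1200 2784 Server.exe 94
PID 1200 wrote to memory of 2920 1200 msedge.exe 96
PID 1200 wrote to memory of 2920 1200 msedge.exe 96
PID 2784 wrote to memory of 4444 2784 Server.exe 99
"""

# Child -> parent map transcribed from the report's process tree.
PARENT_OF = {
    2400: 2784, 1200: 2784, 3452: 2784, 4780: 2784,
    1960: 1200, 2920: 1200, 3908: 1200, 2756: 1200, 2168: 1200,
    1380: 1200, 1164: 1200, 5076: 1200, 4140: 1200, 3624: 1200,
}


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image) for every row that matches."""
    rows = []
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def classify_writes(rows, parent_of):
    """Collapse duplicate rows and split them into parent->child writes
    (seen around process creation; low signal) and writes into any other
    process (the ones to examine for injection)."""
    counts = Counter(rows)
    parent_child, cross_process = [], []
    for (writer, target, image), n in sorted(counts.items()):
        entry = {"writer": writer, "target": target, "image": image, "count": n}
        if parent_of.get(target) == writer:
            parent_child.append(entry)
        else:
            cross_process.append(entry)
    return parent_child, cross_process


if __name__ == "__main__":
    pc, cross = classify_writes(parse_rows(SAMPLE_ROWS), PARENT_OF)
    for e in pc:
        print(f"parent->child  {e['writer']} ({e['image']}) -> {e['target']}  x{e['count']}")
    for e in cross:
        print(f"CROSS-PROCESS  {e['writer']} ({e['image']}) -> {e['target']}  x{e['count']}")
```

Run against the full 64 rows of this report, everything lands in the parent-to-child bucket; only the hypothetical 4444 row ends up in the cross-process list, which is the set an analyst would actually examine.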
Processes (children are indented under their parent; the report's 1⤵/2⤵/3⤵ markers give the depth)

C:\Users\Admin\AppData\Local\Temp\Server.exe  [PID 2784]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  [PID 2400]
        cmd: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1200]
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=_Zkdx51bexo
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        msedge.exe  [PID 1960]  (crashpad handler)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff90a63cb8,0x7fff90a63cc8,0x7fff90a63cd8

        msedge.exe  [PID 2920]  (gpu-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

        msedge.exe  [PID 3908]  (utility: network.mojom.NetworkService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        msedge.exe  [PID 2756]  (utility: storage.mojom.StorageService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

        msedge.exe  [PID 2168]  (renderer, client id 6)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

        msedge.exe  [PID 1380]  (renderer, client id 5)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

        msedge.exe  [PID 1164]  (renderer, client id 7)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1

        msedge.exe  [PID 5076]  (renderer, client id 8)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

        msedge.exe  [PID 4140]  (utility: audio.mojom.AudioService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5724 /prefetch:8

        msedge.exe  [PID 3624]  (utility: chrome.mojom.UtilWin)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,18283423952388269997,2094212473506957976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\tmp1BB4.tmp.bat  [PID 3452]
        cmd: "C:\Users\Admin\AppData\Local\Temp\tmp1BB4.tmp.bat"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmp7648.tmp.bat  [PID 4780]
        cmd: "C:\Users\Admin\AppData\Local\Temp\tmp7648.tmp.bat"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe  [PID 2364]
    cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe  [PID 2768]
    cmd: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe  [PID 3000]
    cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    - System Location Discovery: System Language Discovery

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe  [PID 3172]
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\BackgroundTransferHost.exe  [PID 3484]
    cmd: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    - Modifies registry class

C:\Windows\System32\CompPkgSrv.exe  [PID 1004]
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [PID 4300]
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [PID 1384]
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE  [PID 3904]
    cmd: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D4
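The firewall rule netsh.exe adds for the sample and the NetSh registry reads it performs are the two netsh-related behaviours in this tree worth turning into detection logic. The following Python is an added example, not part of the Triage report or of the sample. It runs over constructed process-creation and registry events in a simplified, made-up row format (pid/ppid/image/cmdline and pid/image/op/key, not Triage's schema), flags netsh allow rules whose program, or whose spawning process, lives in a user-writable path (matching both the legacy syntax used here and the advfirewall syntax, which goes beyond what the report shows), and separates reads of the NetSh helper key, which netsh.exe performs on every run, from writes, which are what helper-DLL persistence would require. The "Backup Agent" rule, the Roaming\upd.exe rule and the Set value row are hypothetical.

```python
import re

# Roots a standard user can write to. An allow rule for a program under one of
# these is the pattern in this report (Server.exe in %TEMP%).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)

# Legacy syntax, as used by the sample:
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE|DISABLE
# Current syntax (covered as a generalisation; not seen in the report):
#   netsh advfirewall firewall add rule name=<n> dir=in action=allow program=<path>
_LEGACY = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
_ADV = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b(?P<rest>.*)', re.I)
_PROG = re.compile(r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)
_ACTION = re.compile(r'\baction=(\w+)', re.I)

# Constructed process-creation events (simplified row format, not Triage's).
# PIDs 2784 and 2400 mirror the report; 5000 and 5001 are hypothetical.
PROCESS_EVENTS = [
    {"pid": 2784, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe"'},
    {"pid": 2400, "ppid": 2784, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE'},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\netsh.exe",   # hypothetical benign admin rule
     "cmdline": r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
    {"pid": 5001, "ppid": 2784, "image": r"C:\Windows\System32\netsh.exe",  # hypothetical: new syntax, user-writable target
     "cmdline": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\upd.exe"'},
]

# Constructed registry events. The first two mirror the report (reads by
# netsh.exe); the third is a hypothetical write of the kind real helper-DLL
# persistence (T1546.007) would need. It is not in the report.
REGISTRY_EVENTS = [
    {"pid": 2400, "image": "netsh.exe", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh"},
    {"pid": 2400, "image": "netsh.exe", "op": "Key value enumerated",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh"},
    {"pid": 2784, "image": "Server.exe", "op": "Set value (str)",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\helper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\helper.dll"},
]

# Operations that change a key in this constructed format; everything else is a read.
WRITE_OPS = ("set value", "key created", "key deleted", "value deleted")


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def firewall_allow_target(cmdline):
    """Program path that a netsh command line allows through the host firewall, or None."""
    m = _LEGACY.search(cmdline)
    if m:
        if re.search(r"\bDISABLE\b", cmdline, re.I):  # legacy mode=DISABLE adds a blocked entry
            return None
        return m.group(1) or m.group(2)
    m = _ADV.search(cmdline)
    if m:
        rest = m.group("rest")
        action, prog = _ACTION.search(rest), _PROG.search(rest)
        if action and action.group(1).lower() == "allow" and prog:
            return prog.group(1) or prog.group(2)
    return None


def flag_firewall_rules(process_events):
    """Flag netsh allow rules whose program, or whose parent process, lives in a user-writable path."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        if not e["image"].lower().endswith("\\netsh.exe"):
            continue
        target = firewall_allow_target(e["cmdline"])
        if target is None:
            continue
        reasons = []
        if is_user_writable(target):
            reasons.append("allow rule for program in user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent and is_user_writable(parent["image"]):
            reasons.append("netsh spawned by process in user-writable path")
        if reasons:
            findings.append({"pid": e["pid"], "program": target, "reasons": reasons})
    return findings


def netsh_helper_modifications(registry_events):
    """Only writes under ...\\Microsoft\\NetSh count; reads are what netsh.exe does on every run."""
    return [e for e in registry_events
            if "\\microsoft\\netsh" in e["key"].lower() and e["op"].lower().startswith(WRITE_OPS)]


if __name__ == "__main__":
    for f in flag_firewall_rules(PROCESS_EVENTS):
        print(f"netsh pid {f['pid']} allows {f['program']}: {'; '.join(f['reasons'])}")
    for h in netsh_helper_modifications(REGISTRY_EVENTS):
        print(f"NetSh helper key modified by {h['image']} (pid {h['pid']}): {h['op']} {h['key']}")
```

On the report's own rows this flags only the Server.exe rule (both reasons apply) and returns no helper-key modifications, which is the correct reading of the "Netsh Helper DLL" signature here: it fired on reads, not on a write.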
Network
MITRE ATT&CK Enterprise v15

Persistence
    Create or Modify System Process (1): Windows Service (1)
    Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
    Create or Modify System Process (1): Windows Service (1)
    Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

- Filesize: 152B
  MD5: 7bed1eca5620a49f52232fd55246d09a
  SHA1: e429d9d401099a1917a6fb31ab2cf65fcee22030
  SHA256: 49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
  SHA512: afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

- Filesize: 152B
  MD5: 5431d6602455a6db6e087223dd47f600
  SHA1: 27255756dfecd4e0afe4f1185e7708a3d07dea6e
  SHA256: 7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
  SHA512: 868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 456B
  MD5: be955444a65f409f4933b474fba1996a
  SHA1: 589db8fa67498d27998796f2f489cdcf20051db7
  SHA256: 5911ecde408dcd58c5abb515a50751a2292ec0562ac9718dd134add74cd6ad51
  SHA512: 72f2d2e825b19457045573b77555a8a14f4277e7bc3a4a52acca4771a5e76ef9cbd9476842b00da6d40dab771579b7e1af33defdcf8a28155f6bea6fcf5426d1

- Filesize: 3KB
  MD5: b5a72392441e820c5a967268959d82ea
  SHA1: 0fcecdcc467c78fc46dd1ba5758c56e10823bb5b
  SHA256: e4869f5b0289b0e8f17d92d9fb5f9319e310957394380f4793b5d24ff998b1c9
  SHA512: 958803da6a37f569de613988e0cfc98224cd9a25c64984387d3776efaab083c57f0ac7725a1bc8b8eee8d577338b734bcbc977d524bf6abcbf0bc8ae81aed7f2

- Filesize: 5KB
  MD5: e77250d5727467deeba09b7a4b6ee57b
  SHA1: 9c1a09c28738318268e6eb262425c8370c9d6492
  SHA256: f58de32449b433ac14099929d9af44bf03dd5d85aca8cc21824ac265346d6448
  SHA512: 2fa77bc2319d5426afe218bac4cf275fc7502aa83785f62ebd7032173d5809512133bdea6a0949ce7de74450ec0dae3d1a7b4dcb0820a6f89f94aedd6ef528b8

- Filesize: 6KB
  MD5: f94864b78bf44786e0c5d4123229ef79
  SHA1: ea6d384cfec4e95d737182f17a023a773fb3878e
  SHA256: 2bd4f9631ee6f666225785cf98659906f84ad70577203b81ec3a343129425154
  SHA512: ffa32cbc747ef6fa63692f61658eac47384d442699673b019c4f9ed2d3ba64fc69f66166611a49c45994be2f5c01a29c569e19aa3cb3da315d7666556a26140a

- Filesize: 6KB
  MD5: b29661d36060cb3ccfd2107b8daed705
  SHA1: fe8256d250cdd3e77a9bb2179e89268a5ce45b59
  SHA256: 053fe9dea63f2e64c77183043ba5c71f841e0f12d64ed200d4ebad54082d061d
  SHA512: 5f929b75c4783d9942ff082b5d24bcc96ea220ebad859e08cdaa4f62be1034a0f50fe8d4cd91a3bcf3872200c25d291f7fdc33bc8b5b1021c54279f85d84a606

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e9c9af8c-4f48-4314-a6bf-2760b8d09d9d\index-dir\the-real-index
  Filesize: 2KB
  MD5: fdfdba2a453c3b51af25f8660f6399e8
  SHA1: 9ab7ba0fac89087342d2d85974a291cfb4d30aec
  SHA256: 88b6d8e134ea211f855a2c4a18f8deab286b0cdc3194b38133844331edf54cc6
  SHA512: d8e058f3c534851b8a98b3a80aa37ebbdeac39f9582f47ac6d29e00400885e854a8a44abeec0bf24607cacc1075b7b91045bf53447427fe3d3a911fa687a5cc1

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e9c9af8c-4f48-4314-a6bf-2760b8d09d9d\index-dir\the-real-index~RFe5d9453.TMP
  Filesize: 48B
  MD5: f89377a2853e24bf3ba34b3d8c943922
  SHA1: 2bd9cc28091a910bb64035231e6e4c6718a07066
  SHA256: 7d2a5c0ebe763f89f38017ec4c5913bd35e1c3e7b78ed962e5423f56d526ec25
  SHA512: d7db5c94c7141f5c74e0a8e152057ff81bca55c1eddf6dfde4b223ec86d651eaf890ca0d50d40d0af8f781b295ee618c871ac361b82edc86dd47801c580c9034

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 82B
  MD5: 0add543b7f16a40c1dc2a62594dd8c27
  SHA1: 24c90fb4e85e1d1e5c46ff8aac5168ba298e12f5
  SHA256: 27d890a9bb9e06a955b957275cac16fdee3b5e106389680ac7090e6bd39c0a85
  SHA512: 7d92fd268fa5b1f4fdf75a43fb07153b7320849515838682a4cc9e70a86acce174b7474bbfc446c9ba9eff3b0e48474fdb033deec529aa84a01959e817f0eaf2

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 84B
  MD5: 1f30158a6e18e86c8821872edc674bf7
  SHA1: 766ab6262260e8c9536504870e9befe77fea9f95
  SHA256: cb1e328ea407735afbe5bfa23a7fe41f9d3ea2a97f58a99d398fea6f0735a55e
  SHA512: 7d0166aef2a173010d1f167ec69c12ed7b7f6af521824ed140b977b9bf30a8107d97cd0c4d5f9abf5a38154f68689825d86975fca6beb7f99a7feb14d7677a1a

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 146B
  MD5: 0cfbbfdf5217724b12df941c330937be
  SHA1: ac830248a6a80ea50d9f9d4712613f4ec8167ab5
  SHA256: c92dfcc51c0920ce0979d45360aa5313771b678f0dcbb9870a302b9bdc3a2d54
  SHA512: 59e137622155e0468fcf739275ef860f0fa579e27ab0f39a240a547f0d7a5ead239249633115a9ba31349fa40e28c8a8ea2bad04f6ee6703d9fdbf08612dd8ce

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5d6db1.TMP
  Filesize: 89B
  MD5: 032df55fced363f7d1a1c450a52191d1
  SHA1: bfc4ebf5851faa93aeea3e3d0c09a54e47a70042
  SHA256: 590694240aec2d765170f2db58b36ed05859d4678549b46364e5b5ec2fe10ec1
  SHA512: da523443016c731391528c557467e56c650a1c4114479bc2ac84318d455021995f288f216c614266ba5740bb18bc13ae5b4a95f6dd9d63262b3ba1df2e9cac86

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 1316f5bbefa5176669e229ebb670dd4a
  SHA1: 9a7efb3b7ee8e04ff58a1bf28649aff8524f6dfc
  SHA256: 2aa109a05208259b44f094b096180befecd07845da52b6ff5861094c285c3078
  SHA512: a9e9d5a4f5a5246fbcbfd7fc43f5a1cc6b6d19288674d68f0bc1a1ae6acd7cdf5efb9096864e8550bf23b2e9c475cd7ee6cea1845d76c230fe7487830c963ed2

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d9453.TMP
  Filesize: 48B
  MD5: 5389121b2974ab01e2c121439556fb7d
  SHA1: 74b2b8a4879595afcb215140869482c8735d029f
  SHA256: f9123724d9a8c64421d26d94e58b76ccd4d00aa2a67fbc123c6795bb1efd15d4
  SHA512: 6c8899459161b3017b9340ba423f475feba7087529a8a09aa31ba161f970b6af2815b8faf4f1cc0e42fc4a35146364d492eb0c68be6d74f2b184d43b2dde9456

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 10KB
  MD5: adee11017d4ac81b7abebb9707f06e09
  SHA1: 04987bea9207f80d7c4fc86e4d152e9070b7c6f9
  SHA256: f73063af56df3146352da9de560866c4cf4742bb6d700bcf7b1241cb3d8902ce
  SHA512: ead220016526ba0db2b1f373256228d73392b247e4f359a8ae1c4bcca26d62104edb35bcfb885b2b10b649fa453736800d5d30257e88031412fa664f4673edbc

- Filesize: 10KB
  MD5: 79820b6e99d422457dac864e25a4e8af
  SHA1: 3070beb815906d4eda729f9d5755284b0e20104b
  SHA256: 3d59df2fddcbb69bae8f774317b31738356a66a74276cac66b3ff25d59e3a500
  SHA512: 87d19a88a1d3a1e2d6524bfc7ac5f4839e1c30826dfb7e9a9195d8bd6eec5ca828dafe64e55c0a05a9e73956ad62914840bf7e62328933894c2b835f6376a011

- Path: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\45bedea6-d049-4423-899f-0c25de21c4ac.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

- Path: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 1301a13a0b62ba61652cdbf2d61f80fa
  SHA1: 1911d1f0d097e8f5275a29e17b0bcef305df1d9e
  SHA256: 7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716
  SHA512: 66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

- Filesize: 100KB
  MD5: 6032ce8ceea46af873b78c1f323547da
  SHA1: 8c5bd4a70e0f21aeba41c07976ace2919b64fd80
  SHA256: 19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7
  SHA512: 3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe