Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08/08/2024, 14:11
General
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbVBRbG1oT1pEenhHWVVjUGF5bFh0a2cyLW80QXxBQ3Jtc0trUWFNYTA4OUs4OFBjTTNVVnFidVBvY3BOOUtSZ3gtWEhSRXE4UW9ydnlzaWxmRUxrZHNGTWVHWUJFbVhvbkswRF9BSzdDRzE4RDU0VG5zY2FFZ2NoeE1XU0xGQzhRUjBneWpOLTN5ckhhUl9JOXZfRQ&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1Shm-HYd0t9jmxPbpECqzXm8ws4Z2VjZI%2Fview%3Fusp%3Ddrive_link%2F
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbVBRbG1oT1pEenhHWVVjUGF5bFh0a2cyLW80QXxBQ3Jtc0trUWFNYTA4OUs4OFBjTTNVVnFidVBvY3BOOUtSZ3gtWEhSRXE4UW9ydnlzaWxmRUxrZHNGTWVHWUJFbVhvbkswRF9BSzdDRzE4RDU0VG5zY2FFZ2NoeE1XU0xGQzhRUjBneWpOLTN5ckhhUl9JOXZfRQ&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1Shm-HYd0t9jmxPbpECqzXm8ws4Z2VjZI%2Fview%3Fusp%3Ddrive_link%2F1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb974046f8,0x7ffb97404708,0x7ffb974047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7470028927068535560,11310574665712932516,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5784 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FATALITY.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zO423D8649\FATALITY.exe"C:\Users\Admin\AppData\Local\Temp\7zO423D8649\FATALITY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypercontainercomponentWebSvc\VLXpgOnK6BQOfyhxECWDnl4UWKuDVhYTdqmkV0eXxIA.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hypercontainercomponentWebSvc\hBcd1D55xkRp9oNoi.bat" "4⤵
- System Location Discovery: System Language Discovery
-
C:\hypercontainercomponentWebSvc\BrowserReview.exe"C:\hypercontainercomponentWebSvc/BrowserReview.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3l134zjw\3l134zjw.cmdline"6⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE797.tmp" "c:\Windows\System32\CSC7E6DE7F077E94666A37CF3ED3BBF9F96.TMP"7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RtJySLyAL1.bat"6⤵
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Recovery\WindowsRE\cmd.exe"C:\Recovery\WindowsRE\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO4236BCB9\FATALITY.exe"C:\Users\Admin\AppData\Local\Temp\7zO4236BCB9\FATALITY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypercontainercomponentWebSvc\VLXpgOnK6BQOfyhxECWDnl4UWKuDVhYTdqmkV0eXxIA.vbe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO42399FD9\FATALITY.exe"C:\Users\Admin\AppData\Local\Temp\7zO42399FD9\FATALITY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypercontainercomponentWebSvc\VLXpgOnK6BQOfyhxECWDnl4UWKuDVhYTdqmkV0eXxIA.vbe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO4230C2C9\FATALITY.exe"C:\Users\Admin\AppData\Local\Temp\7zO4230C2C9\FATALITY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypercontainercomponentWebSvc\VLXpgOnK6BQOfyhxECWDnl4UWKuDVhYTdqmkV0eXxIA.vbe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO42380DF9\FATALITY.exe"C:\Users\Admin\AppData\Local\Temp\7zO42380DF9\FATALITY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypercontainercomponentWebSvc\VLXpgOnK6BQOfyhxECWDnl4UWKuDVhYTdqmkV0eXxIA.vbe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Cursors\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD553bc70ecb115bdbabe67620c416fe9b3
SHA1af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
-
Filesize
152B
MD5e765f3d75e6b0e4a7119c8b14d47d8da
SHA1cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
-
Filesize
408B
MD5a17cdd780f828e81be833634eb091778
SHA1ea77800f7422d91f4c2eda637a9720d5b9a44e0e
SHA256edd855a823f3903d22f23ae5c6a6fd54005acd54e5fc395cb71cff319e64c93c
SHA51225f287c688b9e3298c537852a3d127fd9286e204f482cbd16d4daa1ad6e9b1afe27bf9ea472b5eef9a9c2bf3174f68cf61ad56af6c5e4beeb5ece8bbad530c5a
-
Filesize
3KB
MD5daf9d6e6be88974164ce69dd2ff6aa1f
SHA1549abc857c71d63c57a3ee87bd6d2ab1cf33bdeb
SHA25694f863eb69e937ca2148dee0c7e8a339350632c942ff920d0132978f258293aa
SHA51220067bd993f78af4f61b4786b6e63d6054668c46c428bfd89cb1138d223bf6f401294d6d87a5e81c796b1860c43a4539f635652b3bfcccb35a10ba0091e26e72
-
Filesize
3KB
MD517ba82bdc4311051df873ebfa67b0c27
SHA154cf059008a920b9ea7b04095fe5c07482135089
SHA256e071a8d1953bc1e359e18335d6f6f2ab56a4792a5fe4e9bf59196942d3189dd9
SHA5122f13c3642c72bead9cf008909ee907ac781a171cf04ecaa61339c16082958ea7bdeac45d690bb033ea9cecfcc49f7cab5cf4c65994e66218d9d4036e6739e3eb
-
Filesize
6KB
MD57e3e0c9b82383adea9170921a915535b
SHA106d457f55a803c0162ad51b89046ad781626c1d3
SHA256fcd678adb9ed41d165c8f711fc3e864ffdd40b5352158a8bfd3178b48bc4125a
SHA512896f11084820c4c9827dc1365e47134f95e05a22b0b715b68e95261e3c97fe7a4772489af9bca3a61b808f374539f9c76fc16cb5ad87647aac2fee8285e6273a
-
Filesize
6KB
MD5cffa1d5bf13eecbd8bfc793d4fd7b6b8
SHA14358284abf0775ebee82e0bf0dc148ef691e98ec
SHA2566a5c15e913f04e9ede5d3acaaa85031cfaf227b96e78c911cc5443bb2b9432ac
SHA512f48965eacf352091af7d4ba920bf29e31ebee5c5251f536d491a4b6279ce82713c4a15013b5372a6285756171afe985180d08b75e3f8544a994958e1654ba381
-
Filesize
7KB
MD50fc5265e8885b1ce6f5b5222ed110927
SHA1cfce4df52b49fc43b31eaccee7c577c5210e9d40
SHA25665a273edfb262790f78de03749c4d312ea3b8ebbffd45493ef813a81f7f04f84
SHA51286ade529400ad539e58745b63a2f39f936ae7995585308ecca3d8be7b1757e6e0c381611025c91c6f43bd532dbf7861a5846be8842b2cb218ffbc28efb50bc71
-
Filesize
7KB
MD5c9aeb42ad936899d7b5186afa47559f3
SHA1ea4ee68bc79508958d70c0343f3fa582e4f0496d
SHA256d2419c8026b876d23cd55444b7b67cd7d267ac724c666907ebd2cb0635b5fedb
SHA5121d84264d7b35a3f7a280fbd81d709f9b3055e1a657c5f41a74cc890e3b42b1a10fda8cf3d2737de5e3ed3dad216c02524b84e828fd0dcbc969643b8f7f25460a
-
Filesize
1KB
MD503e524d512bab8a97798afdb28bb6326
SHA14371d78db1936d0db53ed5afcb8b79de2e64a50c
SHA256035b9291fe0b934c74ce6e774a6a91f305425c60af07ec00eae685a31256b272
SHA51255bc0d10f1ab4adf314034dcc508a4cc25f3dc57c24e61a29fc5892bb3aeec5dbb588bfb948470da21686f091f55f4ac76cf0cb7a87e7e210e7e57326eac4c2b
-
Filesize
204B
MD5ccad994f99ca8e425412086ddb6eface
SHA1ada9874cd437f5dab62d7fd53087dbae61f1753e
SHA2568ccf8d9c8d9fecbcbc49c0d15f5a3f643536f02d736f188fcde121ca21d7ee67
SHA51250d6b37cde19951da606443f6942f50c199d41efd46815e0a127fd8c4c1a5a0a4b1157cec87855af8d918e2240d1795ac29298c26ccc9db4502272f589b0c5a3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e584b374a94991756e3fb1c8055e35a0
SHA1e1a7c62c0fc2fc6f994108f5aadd1df99fd58a20
SHA2569bfb92c90538f2a5f185b8524e53d985c105552beec68a7f9fda012adc1c1d13
SHA512f40fb25a88bc1b7c53e65c4936fe92b5d7f17078a5ad7024680250c4187b47133f1f4e91b8b92755b0775630b408ba07e3d48c72b05cdc9c7f48266d32a4a402
-
Filesize
11KB
MD533f8dbd6e48d8a27ab621dc1ee161cb5
SHA1940951fbe51262f967ac8391e8231976fe53771c
SHA2567f951d17123c77b4ec8fdcacb3fbe2372ac86361c749c1a7f337c1534d960b4d
SHA512059709e5bdbce40897f146a0586346b519c6cea896c6e25477972d7e67a2ae5ff45dbf0c9a53ffcfc9f0325841e2ee30145633f8dccbbad5ada5469ce4d472d3
-
Filesize
3.4MB
MD5c3647d64a9b92ebbe8e141f464a76632
SHA1a3aed1eccdd326841da5d0a4a1cbc2537ed37885
SHA2563e91acb09c81e1d670b88c474fcc3e58041de686eb57883c5dea0596a1d9d94a
SHA512602bd6f7e656e21107b12405642e76cf8d449d1742220c568e8a7bd4ccdff5c5cdc1467bbf6c5e5f650810d066a150d40dd5ec3bc19e7a4b469d5a1619da1124
-
Filesize
1KB
MD5adf4b47e486baa08624cd093ca210465
SHA1a7c9515aa60b52c6152d17b55568c22d0faf75a8
SHA256b3ca4dae5af431056bf0dfb7724a8b0931cedc21c9de2fcae05c91f7d4340715
SHA5120a95dc653dbe1c6ab83e7bfe668f84c98a4866c0af51e2c349b290b454ded3ac3b6257a24c795395122a48cdeced8704ca638ed141a7f78fed65d81b04f11958
-
Filesize
205B
MD58659a9102bce0d9866d0aab15b034727
SHA1ef250c3cf8c786c5f2135fc717963e2e1bc4ea5a
SHA256bea4cf68d4f42d2b81e06eb43aa88bd931e33a65c1c8b6b79e5b19ca7dcca97c
SHA512b3ff2cdfdfa762a8014af1e877f1c813780434a4e08fd52868ac1de6ee2ca139297196453fa5e951cfdf41d1154165fbdbdec2b661728134c12d16a11572dfdc
-
Filesize
3.3MB
MD566a97d5fde4db2a6bb553916889c9cfa
SHA18bc9ac8475c35f0fcf0b21b28fb7f05dcb8b0c2b
SHA2562cd2e04ad7d230da3c5ef4957b212fb7a0f031aee837435699a006b8b29c9a61
SHA5123002f7795aef0e20a5357217fffc7153c1bf7255899fca5f4bb155a30d2bd33a47dd23e6897ec67a11873f1cb563dc0ac11d852930427c94a2b0b546c025c248
-
Filesize
3.5MB
MD5ace38b52cadbc790279c57f8e732e43a
SHA1999e010b9dc18e2aaac8897fb8364b9294c43e59
SHA2561af6098c5db259772b6b1a965d40fa1ad70316e5729cc7f123be4c4440b2fadb
SHA5124cf165c03f0ff04c2390d3f3a88efe09fba1f3d4ed41f799745239f93f77d1eed1d7eaa8d3934d9b6d7834244b94aea7b1e4aa72093a7eaa1fd1ecfc01d92783
-
Filesize
225B
MD56ee4ae1def55b33a64e0b991b27cfbfd
SHA1da8de167547a027bb0a6c1a81b779dd77aad8c59
SHA25663041aadaf211f76b5c231e61a7ee5b072ae9075efeaf9f6cfc16a9e3356d2f8
SHA51259cad14551f94bcb869dcb91d373a9f0ef1a88d7e3f7f14d6c2a2030c562a1c11945d8c9210ccb4189530a57fe0f615a2e491baca49d33cac53657a65855b6fd
-
Filesize
85B
MD5dd2b21f807d895fe1b7024496756730d
SHA1309ed907d06f73853cd968982e40f146b5f31efc
SHA25669d11a227a22109be819f6c6035eb8a10f16a4afac34dfe2608afa101c2ea6c8
SHA512465c4de7a9a7932f6b32e51bbeed741e57a6d14aaa0c38674ecf6083d3214a141b944cd0af10f58f47e6ec4ff2eb6d8cf655fbdf0a26de8ccd35ed876d33b032
-
Filesize
4KB
MD560e6d34e3696a823ced76f9031eddace
SHA17f145e67b54637924351e12c516164eec9455596
SHA256d1fa97d6b7cf1a6e7ccf69fff602d6bf042d896bc4d94dd3ff4871eabef0fcb4
SHA51217d89632512e2ae33252f68accf6e033a9a3b466d480a13276b2a69e748dc15479a68a620efae76d916c47e8ee608530ef897a41a82c6b7de0ab3aa24829b82d
-
Filesize
364B
MD52c2acb58f50c28ba975bd4914022b81b
SHA1c2eaeb36ed3fd01d2a7818dd153e69e613564080
SHA256013f2a271b404f5d10a3f7e2baa9d1657c175a2fc03e5256d412fbf67ee574d7
SHA5121822f140375d84c5f0482c287d781a95f5ba1f6795165e8879b1a198ddb7948b372a9503102958fe8983f4b821ca80169a9e54e71b4622a9805c4ffbf780af8a
-
Filesize
235B
MD573a4b16a8eaa239d4d67aea20062f10c
SHA1af64c594a893ca57bcc1b1bfd3ce99ef120c4607
SHA256706df8fc744a192a0f57b2265817c6a9c0637c82e93f7d831ac6982141a10636
SHA512d0770301d4a2667e4c7475685e39728f222410148330196120a2dcbc4832156234fb517e159bfeb025f206f1a177c1ae33b34495a730e14758cd63138ba326e3
-
Filesize
1KB
MD56f44ad65716cf9f20a913c3cbc41db3c
SHA18668ed0bdffaf7e58508d3e529d96374c2021f6c
SHA2566e92c7dadc2900facc20e8841ab6fdda9f5cf760093d105f58878b09937f3ec8
SHA512528026beb6ed27ff023acbacfd0927c5fc5b44d181a6a9f71735c503559c17a7c2b7c44d89be55ead379974194da247682572bc4285802cb567a846e7133808c
-
Filesize
3.6MB
-
Filesize
88KB
-
Filesize
312KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB