fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

Resubmissions

30/10/2024, 06:30

241030-g9zgsaycjm 10

05/04/2023, 14:51

230405-r75wwshd6w 10

Analysis

max time kernel
115s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26ae5eb4e86ca54a1d338220318c43b.exe
Size

321KB
MD5

a26ae5eb4e86ca54a1d338220318c43b
SHA1

ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256

fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512

0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd
SSDEEP

6144:1RmCttlxSX8YOKPnzxx7YyRRYz4OjnYDh+OHYQmrBQ4rQbFZUzEo1V:vmJMYt/czYDh+OOQMQbT

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	RuntimeBroker.exe

Process spawned unexpected child process 44 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4972	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4972	schtasks.exe	20

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	a26ae5eb4e86ca54a1d338220318c43b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 1 IoCs

pid	Process
4652	RuntimeBroker.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	a26ae5eb4e86ca54a1d338220318c43b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4868	schtasks.exe
2244	schtasks.exe
4100	schtasks.exe
5108	schtasks.exe
3488	schtasks.exe
4044	schtasks.exe
5008	schtasks.exe
4816	schtasks.exe
4376	schtasks.exe
2108	schtasks.exe
324	schtasks.exe
4668	schtasks.exe
3384	schtasks.exe
4240	schtasks.exe
2224	schtasks.exe
1216	schtasks.exe
4404	schtasks.exe
4500	schtasks.exe
3932	schtasks.exe
2664	schtasks.exe
4900	schtasks.exe
3708	schtasks.exe
2780	schtasks.exe
3944	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	a26ae5eb4e86ca54a1d338220318c43b.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
2376	a26ae5eb4e86ca54a1d338220318c43b.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe
4652	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	a26ae5eb4e86ca54a1d338220318c43b.exe
Token: SeDebugPrivilege	4652	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1896	2376	a26ae5eb4e86ca54a1d338220318c43b.exe	110
PID 2376 wrote to memory of 1896	2376	a26ae5eb4e86ca54a1d338220318c43b.exe	110
PID 2376 wrote to memory of 1896	2376	a26ae5eb4e86ca54a1d338220318c43b.exe	110
PID 1896 wrote to memory of 1156	1896	cmd.exe	112
PID 1896 wrote to memory of 1156	1896	cmd.exe	112
PID 1896 wrote to memory of 1156	1896	cmd.exe	112
PID 1156 wrote to memory of 4884	1156	w32tm.exe	113
PID 1156 wrote to memory of 4884	1156	w32tm.exe	113
PID 1896 wrote to memory of 4652	1896	cmd.exe	117
PID 1896 wrote to memory of 4652	1896	cmd.exe	117
PID 1896 wrote to memory of 4652	1896	cmd.exe	117
PID 4652 wrote to memory of 2472	4652	RuntimeBroker.exe	139
PID 4652 wrote to memory of 2472	4652	RuntimeBroker.exe	139
PID 4652 wrote to memory of 2472	4652	RuntimeBroker.exe	139
PID 2472 wrote to memory of 2836	2472	cmd.exe	141
PID 2472 wrote to memory of 2836	2472	cmd.exe	141
PID 2472 wrote to memory of 2836	2472	cmd.exe	141
PID 2836 wrote to memory of 4508	2836	w32tm.exe	142
PID 2836 wrote to memory of 4508	2836	w32tm.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe
"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ7YMgAEku.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4884
- - C:\odt\RuntimeBroker.exe
    "C:\odt\RuntimeBroker.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43b" /f
1⤵
- Process spawned unexpected child process
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43ba" /f
1⤵
- Process spawned unexpected child process
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsv" /f
1⤵
- Process spawned unexpected child process
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsvs" /f
1⤵
- Process spawned unexpected child process
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
- Process spawned unexpected child process
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
- Process spawned unexpected child process
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
- Process spawned unexpected child process
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
- Process spawned unexpected child process
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
- Process spawned unexpected child process
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
- Process spawned unexpected child process
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3

Filesize
829B

MD5
4349513c8114ff75f4bbd07c4d1cc56f

SHA1
d5f5f1a0de34662728f6910369f320cc9aa362c5

SHA256
299dd89a5248761bec06e0f79ec3e533e5ef157e88fb5adc1f4e676b1e46daa2

SHA512
e6176584e14dd302f0ad1f616e830b0c73c1aff2ca472bff66c93dc74213b0cfb07ea74c96f69aa9a38b3a3323efe14f40a3d98b5c408fc0e67499c79e2a046d

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991

Filesize
15B

MD5
7b93aee8c1996a466672025adbcb60b4

SHA1
379df80d381965caf0593593ec060393bd1f1ab2

SHA256
93e47e74f838790334019f7db3c572e531fcba1b3139d6d4f4a75020abe026fa

SHA512
2556979b777a17e941d7c324e13ac7da32ab7f547338965a8708a04170f736ee3258385d02ac6f7d0b19e9c6e9cc4cf248b903d390fc7acaf25d04d2b0e70f4b

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\Admin\886983d96e3d3e

Filesize
252B

MD5
72eec52096b2c75f58c6be6ed09e5ad7

SHA1
e06cea168510c28811c10d2fe07e95f4b2a5c3ae

SHA256
5206b0935e9f4d2832cf7d1d7e2ca5fdfba9cdc8ed92e71f36657e9509117bca

SHA512
875e008a4ac02ae558c85c4f4a06a7b7fce118ffe98a684d838dfd4bf24f006a79dc99e042ab07e9cecaca6d4b4803c88f6032c521c8eb4277447b364f6d800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
231B

MD5
0073dbb00341e9fb6f485eadbb258059

SHA1
f4784db159f188c6e0720c2f2f7d0b53a97a4e82

SHA256
1594512c5581f14cb6440efe04dc7db67226365edbd4f12bb8cb64986fb42ec1

SHA512
69e7b78788d9ab792ab31bdfd5504009a6c6dc5fc8b21e066e883e4019c39104e61097c13892ef709b0524454fe30d3a2f0c4e58b1793a28d70eb525e9a442fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ7YMgAEku.bat

Filesize
189B

MD5
d83fcecd6786ead9604fd45820f55c10

SHA1
8f20540d1a971110f20b1fd00f8c7c7a9cde9bd3

SHA256
4ed777c804c31df0ba67341808bc126e8164e53ec09ff044aae5f1bfdf5735a3

SHA512
659235b38abc105ea223ba3da2a82d0d7161a911b6dae31f1daaba72c4eec3974b37e1541b70f1ecfec15e072a5cffdff4407a3edcfc375caedd0ab56f0284a7

Download Submit
C:\Users\Admin\csrss.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\All Users\6ccacd8608530f

Filesize
752B

MD5
073b4026177f64bc5dcf973c2e9cde8f

SHA1
b9ab6de016dd6f9bf8fe90897bba9b37915eaf44

SHA256
e7f992e95b5d1050cb4e1405da8567fa513c1bfd2b0ec390b607397c2d2559a8

SHA512
f57cc091e6ce91e126a30ed4f36c919b78059da7e68df943575b916f85894399f472767c0c7d6c3224c360c2cabad31a6022d811bdaa9f92673913532142bb4d

Download Submit
C:\Users\All Users\Idle.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\Default\56085415360792

Filesize
769B

MD5
ec8d7b9bc65d3e7888c71690eb1554b8

SHA1
ad88963195d23a02500287cb761d7542434e6aa2

SHA256
f63685c23453555e694d531b03c66306c06850afb47022a0148e9f1949505162

SHA512
fb61bba06e35f5b9bbd2333237bc7a03046ddc82e9890d63cdc4622042000ceafae85c00c1a96953c7eed1742644331e4f023570bd42faf03ba77bce84541efd

Download Submit
C:\Users\Default\wininit.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\Public\Music\24dbde2999530e

Filesize
19B

MD5
3a957720e24eb61b512792318f49b7cb

SHA1
131e62f95e9f659fe38e1a7add67475d2b50cfc9

SHA256
780e64bb4ca666c7e21014b14218b39ec821e85f074cd2cb95d48add4dde8e83

SHA512
9b6a24995d1d329bc5432399b1454b9322b780d52d918a45a244930506183f4c50c17dea72f11afc7fa6970142dff54d4e13eaf3b8f4fb5318220afd7a41515b

Download Submit
C:\Users\Public\Music\WmiPrvSE.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\Public\f3b6ecef712a24

Filesize
697B

MD5
cb97993e05a105bc8bb6925664f20ecd

SHA1
31326c204512fcddbf41f4d4865956e513c0c57c

SHA256
13e7c13cba6bfd0f38ae318b3e9701f2454cc465b0e38e02fd0122f7663edc72

SHA512
ba8ed27548a7d29c588266c41f372fae295523f0bc88558e341b2eb03b551223e8c260902819e9e07adade48d367e0df587b0c8516e80f7a15be486cf53f3555

Download Submit
C:\Users\Public\spoolsv.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\odt\9e8d7a4ca61bd9

Filesize
898B

MD5
cf1c5e0cc5d03981f71df39bbd2b7fb0

SHA1
0c808e8e6793eafe9018323a4047143b093187a3

SHA256
db27bfb9cb363c02ba95fcccbc2d95736cbab23b51e911a397538706d2025c8d

SHA512
efdc16b1e4e3bd25f536cd14103fe677005413c764ad3d0b20d7781c89f8fe67e73bb61aa8a1848dc39f628975a8430aff6cb9514a53a5184204c56d3d0a1ab9

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
memory/2376-139-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2376-142-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/2376-138-0x0000000007D00000-0x0000000007D56000-memory.dmp

Filesize
344KB

Download
memory/2376-137-0x0000000007A30000-0x0000000007A3A000-memory.dmp

Filesize
40KB

Download
memory/2376-136-0x0000000007B00000-0x0000000007B92000-memory.dmp

Filesize
584KB

Download
memory/2376-135-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download
memory/2376-134-0x0000000007A60000-0x0000000007AFC000-memory.dmp

Filesize
624KB

Download
memory/2376-133-0x0000000000A70000-0x0000000000AC6000-memory.dmp

Filesize
344KB

Download