Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 01:27
Behavioral task: behavioral1
Sample: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
Resource: win7-20231129-en
General
Target: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
Size: 2.2MB
MD5: 506cd587919d4bb571795ea1c1e64d80
SHA1: c04c19373251eb40197975fbf901ff802e92e22d
SHA256: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256
SHA512: ab9577410cb2eb1e0fd3e71c2c5d3d13a38563db70e7017734f5067171442b561b1297bf339ddfa54ae266c720a383c7e4c7a63b23a6cdb433651b7ed8cbc30b
SSDEEP: 24576:2TbBv5rUyXVl6fDEs25370/5lJHI2cxaSzXykO0eW66f3XEWpEmEQ/2VmCthZ2yt:IBJEECrHjxdXZsUWzuUQME46LMEQ70
Malware Config
Signatures

Detect ZGRat V1 (5 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023216-10.dat | family_zgrat_v1
behavioral2/files/0x0007000000023216-11.dat | family_zgrat_v1
behavioral2/memory/4448-12-0x0000000000A20000-0x0000000000C0C000-memory.dmp | family_zgrat_v1
behavioral2/files/0x000a000000023121-42.dat | family_zgrat_v1
behavioral2/files/0x0007000000023216-70.dat | family_zgrat_v1
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\", \"C:\\HyperchainserverRefBroker\\dwm.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\csrss.exe\", \"C:\\HyperchainserverRefBroker\\hyperportServerFontdhcp.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\", \"C:\\HyperchainserverRefBroker\\dwm.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\", \"C:\\HyperchainserverRefBroker\\dwm.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\csrss.exe\"" | hyperportServerFontdhcp.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 18 entries share the same description, parent, child and target id: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (pid below) | 3372 | schtasks.exe | 99
pid, one per entry: 4092, 2056, 2472, 3492, 4764, 4756, 1032, 5056, 412, 4296, 624, 2744, 640, 4588, 1876, 4696, 2712, 2020
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | hyperportServerFontdhcp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
Executes dropped EXE (2 IoCs)
pid | Process
4448 | hyperportServerFontdhcp.exe
2856 | hyperportServerFontdhcp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\csrss.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperportServerFontdhcp = "\"C:\\HyperchainserverRefBroker\\hyperportServerFontdhcp.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperportServerFontdhcp = "\"C:\\HyperchainserverRefBroker\\hyperportServerFontdhcp.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\DiagTrack\\Settings\\upfc.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\csrss.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\AccountPictures\\StartMenuExperienceHost.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\HyperchainserverRefBroker\\dwm.exe\"" | hyperportServerFontdhcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\HyperchainserverRefBroker\\dwm.exe\"" | hyperportServerFontdhcp.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC49505DBA1C7F4E5C8295467BA5ADD.TMP | csc.exe
File created | \??\c:\Windows\System32\ghlptw.exe | csc.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\MSBuild\Microsoft\csrss.exe | hyperportServerFontdhcp.exe
File created | C:\Program Files\MSBuild\Microsoft\886983d96e3d3e | hyperportServerFontdhcp.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe | hyperportServerFontdhcp.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991 | hyperportServerFontdhcp.exe
File created | C:\Program Files\MSBuild\Microsoft\csrss.exe | hyperportServerFontdhcp.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\DiagTrack\Settings\upfc.exe | hyperportServerFontdhcp.exe
File created | C:\Windows\DiagTrack\Settings\ea1d8f6d871115 | hyperportServerFontdhcp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 18 entries are schtasks.exe, with pid: 2744, 640, 2020, 4092, 2472, 4296, 2056, 4764, 5056, 624, 4588, 1876, 4696, 3492, 1032, 412, 2712, 4756
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | hyperportServerFontdhcp.exe
Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
4968 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4448 | hyperportServerFontdhcp.exe (all 64 entries are identical)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2856 | hyperportServerFontdhcp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4448 | hyperportServerFontdhcp.exe
Token: SeDebugPrivilege | 2856 | hyperportServerFontdhcp.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 5068 | 2412 | 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe | 91 (3 identical entries)
PID 5068 wrote to memory of 3676 | 5068 | WScript.exe | 93 (3 identical entries)
PID 3676 wrote to memory of 4968 | 3676 | cmd.exe | 94 (3 identical entries)
PID 3676 wrote to memory of 4448 | 3676 | cmd.exe | 95 (2 identical entries)
PID 4448 wrote to memory of 4540 | 4448 | hyperportServerFontdhcp.exe | 103 (2 identical entries)
PID 4540 wrote to memory of 396 | 4540 | csc.exe | 105 (2 identical entries)
PID 4448 wrote to memory of 2840 | 4448 | hyperportServerFontdhcp.exe | 123 (2 identical entries)
PID 2840 wrote to memory of 4144 | 2840 | cmd.exe | 122 (2 identical entries)
PID 2840 wrote to memory of 2124 | 2840 | cmd.exe | 124 (2 identical entries)
PID 2840 wrote to memory of 2856 | 2840 | cmd.exe | 127 (2 identical entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; each process is listed with its image path, PID, command line and the signatures it triggered. Indentation shows parent/child depth as reported by the sandbox.)

C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (PID 5068)
      Command line: "C:\Windows\System32\WScript.exe" "C:\HyperchainserverRefBroker\15rdJvHs8fLqyO2NujCXYGmVvYkYhVqPlDU.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3676)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\HyperchainserverRefBroker\aChfOVIZNk46BVBd6tQOJDuZO9i8SfzQwF1KcbSw3gaIMh1jz.bat" "
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (PID 4968)
              Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              - Modifies registry key
            C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe (PID 4448)
              Command line: "C:\HyperchainserverRefBroker/hyperportServerFontdhcp.exe"
              - Modifies WinLogon for persistence
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4540)
                  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvruf24u\gvruf24u.cmdline"
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 396)
                      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC4.tmp" "c:\Windows\System32\CSC49505DBA1C7F4E5C8295467BA5ADD.TMP"
                C:\Windows\System32\cmd.exe (PID 2840)
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdrrHire7S.bat"
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\w32tm.exe (PID 2124)
                      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe (PID 2856)
                      Command line: "C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"
                      - Executes dropped EXE
                      - Suspicious behavior: GetForegroundWindowSpam
                      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (PID 4092)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2056)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2472)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3492)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4764)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4756)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1032)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5056)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 412)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4296)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 624)
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2744)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 640)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4588)
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1876)
  Command line: schtasks.exe /create /tn "hyperportServerFontdhcp" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4696)
  Command line: schtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 5 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2712)
  Command line: schtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 9 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2020)
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\chcp.com (PID 4144)
  Command line: chcp 65001
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads