Analysis
max time kernel: 85s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 04:36
Static task: static1
Behavioral task: behavioral1
Sample: YT Tools v3.8.rar
Resource: win10v2004-20240226-en
General
Target: YT Tools v3.8.rar
Size: 272.4MB
MD5: 2d0e61ac1ab014a5ea1da333370a9ccc
SHA1: c23988ea432f83bc098f37ccf67068bb91157c68
SHA256: 8d18fe99fa89a0e433dc5bb2a714f9ad8585508bd951de48e8c407321e19b63d
SHA512: e4749399a4bf3590cd0ac7b139ea2d2014779fe1ba7f5b85a9ddd9904a4db264c379acf4fe661b953c6972b15ee00f45f57574609667090d19586ae66236c409
SSDEEP: 6291456:HsX0d3HUosm001aSlfMZqJzCYEIastSoc7sykPvtJ:HskdkN0fSqRE5ylc7DkNJ
Malware Config
Signatures
- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (15 instances)
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4228 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3728 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3516 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4836 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4492 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1968 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 652 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 3668 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4512 | 3668 | schtasks.exe

- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.

- PureLog Stealer payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\yt_surrogateServercomponentRuntimedll.exe | family_purelog_stealer
  behavioral1/memory/5056-26-0x00000000007E0000-0x00000000008BC000-memory.dmp | family_purelog_stealer

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe, YT_ViewTools_v3.8.exe, yt_surrogateServercomponentRuntimedll.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | YT_ViewTools_v3.8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | yt_surrogateServercomponentRuntimedll.exe

- Executes dropped EXE (2 IoCs)
  pid | process
  2180 | YT_ViewTools_v3.8.exe
  5056 | yt_surrogateServercomponentRuntimedll.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | process
  2180 | YT_ViewTools_v3.8.exe

- Drops file in Program Files directory (5 IoCs)
  Processes: yt_surrogateServercomponentRuntimedll.exe
  description | ioc | process
  File created | C:\Program Files\Windows NT\Accessories\en-US\7zFM.exe | yt_surrogateServercomponentRuntimedll.exe
  File created | C:\Program Files\Windows NT\Accessories\en-US\5887102d7b29d4 | yt_surrogateServercomponentRuntimedll.exe
  File created | C:\Program Files (x86)\Windows Media Player\Icons\RuntimeBroker.exe | yt_surrogateServercomponentRuntimedll.exe
  File created | C:\Program Files\Windows Portable Devices\TrustedInstaller.exe | yt_surrogateServercomponentRuntimedll.exe
  File created | C:\Program Files\Windows Portable Devices\04c1e7795967e4 | yt_surrogateServercomponentRuntimedll.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (15 instances)
  pid | process
  1448 | schtasks.exe
  652 | schtasks.exe
  1200 | schtasks.exe
  2928 | schtasks.exe
  4492 | schtasks.exe
  1968 | schtasks.exe
  1228 | schtasks.exe
  4512 | schtasks.exe
  4228 | schtasks.exe
  2084 | schtasks.exe
  3056 | schtasks.exe
  3516 | schtasks.exe
  2024 | schtasks.exe
  4836 | schtasks.exe
  3728 | schtasks.exe

- Modifies registry class (2 IoCs)
  Processes: cmd.exe, yt_surrogateServercomponentRuntimedll.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | yt_surrogateServercomponentRuntimedll.exe

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: yt_surrogateServercomponentRuntimedll.exe, 7zFM.exe, powershell.exe, powershell.exe
  pid | process (consecutive identical rows collapsed, in the report's order)
  5056 | yt_surrogateServercomponentRuntimedll.exe (x8)
  4544 | 7zFM.exe (x2)
  5056 | yt_surrogateServercomponentRuntimedll.exe (x4)
  3688 | powershell.exe (x2)
  3892 | powershell.exe (x2)
  5056 | yt_surrogateServercomponentRuntimedll.exe (x4)
  3892 | powershell.exe (x1)
  5056 | yt_surrogateServercomponentRuntimedll.exe (x8)
  3688 | powershell.exe (x1)
  5056 | yt_surrogateServercomponentRuntimedll.exe (x32)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4544 | 7zFM.exe

- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes: 7zFM.exe, yt_surrogateServercomponentRuntimedll.exe, powershell.exe (x5)
  description | pid | process
  Token: SeRestorePrivilege | 4544 | 7zFM.exe
  Token: 35 | 4544 | 7zFM.exe
  Token: SeSecurityPrivilege | 4544 | 7zFM.exe
  Token: SeSecurityPrivilege | 4544 | 7zFM.exe
  Token: SeDebugPrivilege | 5056 | yt_surrogateServercomponentRuntimedll.exe
  Token: SeDebugPrivilege | 3688 | powershell.exe
  Token: SeDebugPrivilege | 3892 | powershell.exe
  Token: SeDebugPrivilege | 3848 | powershell.exe
  Token: SeDebugPrivilege | 4784 | powershell.exe
  Token: SeDebugPrivilege | 3576 | powershell.exe

- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process
  4544 | 7zFM.exe (x4)

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2180 | YT_ViewTools_v3.8.exe

- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: cmd.exe, 7zFM.exe, YT_ViewTools_v3.8.exe, yt_surrogateServercomponentRuntimedll.exe
  description | pid | process | target process
  PID 3836 wrote to memory of 4544 | 3836 | cmd.exe | 7zFM.exe
  PID 3836 wrote to memory of 4544 | 3836 | cmd.exe | 7zFM.exe
  PID 4544 wrote to memory of 2180 | 4544 | 7zFM.exe | YT_ViewTools_v3.8.exe
  PID 4544 wrote to memory of 2180 | 4544 | 7zFM.exe | YT_ViewTools_v3.8.exe
  PID 4544 wrote to memory of 2180 | 4544 | 7zFM.exe | YT_ViewTools_v3.8.exe
  PID 2180 wrote to memory of 3892 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 3892 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 3892 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 3688 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 3688 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 3688 | 2180 | YT_ViewTools_v3.8.exe | powershell.exe
  PID 2180 wrote to memory of 5056 | 2180 | YT_ViewTools_v3.8.exe | yt_surrogateServercomponentRuntimedll.exe
  PID 2180 wrote to memory of 5056 | 2180 | YT_ViewTools_v3.8.exe | yt_surrogateServercomponentRuntimedll.exe
  PID 5056 wrote to memory of 4372 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 4372 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 3848 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 3848 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 4784 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 4784 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 452 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 452 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 3576 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 3576 | 5056 | yt_surrogateServercomponentRuntimedll.exe | powershell.exe
  PID 5056 wrote to memory of 2820 | 5056 | yt_surrogateServercomponentRuntimedll.exe | cmd.exe
  PID 5056 wrote to memory of 2820 | 5056 | yt_surrogateServercomponentRuntimedll.exe | cmd.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth shown in parentheses; children are indented under their parent)

(1) C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\YT Tools v3.8.rar"
  PID: 3836
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  (2) C:\Program Files\7-Zip\7zFM.exe
    command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\YT Tools v3.8.rar"
    PID: 4544
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    (3) C:\Users\Admin\AppData\Local\Temp\7zO0C1508D7\YT_ViewTools_v3.8.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7zO0C1508D7\YT_ViewTools_v3.8.exe"
      PID: 2180
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        PID: 3892
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAawBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAaAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAdwB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAcgBhACMAPgA="
        decoded -EncodedCommand (base64 of UTF-16LE; the <#...#> tokens are inline PowerShell comments used as padding): <#xkd#>Add-MpPreference <#thw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#awx#> -Force <#bra#>
        PID: 3688
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (4) C:\Users\Admin\AppData\Roaming\yt_surrogateServercomponentRuntimedll.exe
        command line: "C:\Users\Admin\AppData\Roaming\yt_surrogateServercomponentRuntimedll.exe"
        PID: 5056
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\yt_surrogateServercomponentRuntimedll.exe'
          PID: 4372

        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\7zFM.exe'
          PID: 3848
          - Suspicious use of AdjustPrivilegeToken

        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
          PID: 4784
          - Suspicious use of AdjustPrivilegeToken

        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'
          PID: 452

        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
          PID: 3576
          - Suspicious use of AdjustPrivilegeToken

        (5) C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1RtOWmL3h.bat"
          PID: 2820

          (6) C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 1612

          (6) C:\Windows\system32\PING.EXE
            command line: ping -n 10 localhost
            PID: 4780
            - Runs ping.exe

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "yt_surrogateServercomponentRuntimedlly" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\yt_surrogateServercomponentRuntimedll.exe'" /f
  PID: 4228
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "yt_surrogateServercomponentRuntimedll" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\yt_surrogateServercomponentRuntimedll.exe'" /rl HIGHEST /f
  PID: 1200
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "yt_surrogateServercomponentRuntimedlly" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\USOShared\yt_surrogateServercomponentRuntimedll.exe'" /rl HIGHEST /f
  PID: 1448
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\7zFM.exe'" /f
  PID: 3728
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "7zFM" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\7zFM.exe'" /rl HIGHEST /f
  PID: 2928
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\7zFM.exe'" /rl HIGHEST /f
  PID: 2024
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
  PID: 3516
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
  PID: 4836
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
  PID: 4492
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /f
  PID: 1968
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
  PID: 2084
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
  PID: 3056
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /f
  PID: 652
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
  PID: 1228
  - Process spawned unexpected child process
  - Creates scheduled task(s)

(1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
  PID: 4512
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads