Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 14:12
Static task: static1
Behavioral task: behavioral1
- Sample: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- Resource: win10v2004-20240426-en
General
- Target: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- Size: 2.0MB
- MD5: 20d1a291ba22e0d37ba1c9ef7c4f2a8e
- SHA1: 977deb9b18a8599aac68cfd86fd95219a54fc8c4
- SHA256: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
- SHA512: 662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42
- SSDEEP: 24576:2y2KxiKAGfq78Qh7zCIU1D6hynUlAqFzATZAguEkVm2nc6DKcPGsiSbBydwBFrUm:2K1WlU1D6hk8RFzAZ5+m21Kc+sPbVT
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Process for all five entries: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe. Each successive write appends one more dropped executable to the Winlogon Shell value.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\", \"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\", \"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\""

Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
All 15 entries share the same description, parent and target process and differ only in the child pid:
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- pid_target: 4444
- Process: schtasks.exe
- procid_target: 85
- pid: 2828, 3096, 2776, 1176, 1360, 3136, 1460, 4144, 4632, 3416, 3184, 4564, 2976, 3544, 1552
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (Process: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe)

Executes dropped EXE (1 IoC)
- pid 2504: SearchApp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 10 IoCs)
Process for all ten entries: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe. Each dropped executable is registered under both the HKLM and the HKCU Run key.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\L2Schemas\\upfc.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\L2Schemas\\upfc.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\""
- Set value (str): \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\""

Drops file in System32 directory (2 IoCs)
Process for both entries: csc.exe
- File created: \??\c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP
- File created: \??\c:\Windows\System32\cjmmco.exe

Drops file in Program Files directory (7 IoCs)
Process for all seven entries: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- File created: C:\Program Files\dotnet\host\fxr\smss.exe
- File created: C:\Program Files\dotnet\host\fxr\69ddcba757bf72
- File created: C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe
- File opened for modification: C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe
- File created: C:\Program Files\Windows Media Player\ja-JP\766532ba8a13d2
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\38384e6a620884

Drops file in Windows directory (4 IoCs)
Process for all four entries: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- File created: C:\Windows\Offline Web Pages\9e8d7a4ca61bd9
- File created: C:\Windows\L2Schemas\upfc.exe
- File created: C:\Windows\L2Schemas\ea1d8f6d871115
- File created: C:\Windows\Offline Web Pages\RuntimeBroker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Process: schtasks.exe
- pid: 2976, 3544, 4144, 3136, 4632, 3416, 1176, 3096, 2776, 3184, 4564, 1552, 2828, 1460, 1360

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings (Process: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 1512: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe (all 64 entries are this same pid and process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 2504: SearchApp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 1512, 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
- Token: SeDebugPrivilege, pid 2504, SearchApp.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 2504: SearchApp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Each of the six write events below is recorded twice in the report (description; pid; Process; procid_target):
- PID 1512 wrote to memory of 4188; 1512; 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe; 89
- PID 4188 wrote to memory of 5012; 4188; csc.exe; 91
- PID 1512 wrote to memory of 4516; 1512; 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe; 104
- PID 4516 wrote to memory of 212; 4516; cmd.exe; 106
- PID 4516 wrote to memory of 5108; 4516; cmd.exe; 107
- PID 4516 wrote to memory of 2504; 4516; cmd.exe; 112

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- PID 1512: C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 4188: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.cmdline"
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - PID 5012: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E32.tmp" "c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP"
  - PID 4516: C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFI9bmS0b9.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 212: C:\Windows\system32\chcp.com
      Command: chcp 65001
    - PID 5108: C:\Windows\system32\w32tm.exe
      Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - PID 2504: C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe
      Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

The following 15 schtasks.exe processes appear at the top level of the tree; per the "Process spawned unexpected child process" signature their parent is wmiprvse.exe (PID 4444). Each carries the signatures Process spawned unexpected child process and Creates scheduled task(s). Image path for all of them: C:\Windows\system32\schtasks.exe.
- PID 3096: schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /f
- PID 2828: schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f
- PID 1552: schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f
- PID 3544: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /f
- PID 2776: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
- PID 1176: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
- PID 1360: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\upfc.exe'" /f
- PID 3136: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
- PID 2976: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
- PID 1460: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
- PID 4144: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4632: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3416: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /f
- PID 3184: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f
- PID 4564: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)