Analysis
max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted
06-07-2024 10:48
Static task
static1
Behavioral task
behavioral1
Sample
10092d3106ee645c3b2d9d18b6198298.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
10092d3106ee645c3b2d9d18b6198298.exe
Resource
win10v2004-20240704-en
General
Target
10092d3106ee645c3b2d9d18b6198298.exe
Size
3.4MB
MD5
10092d3106ee645c3b2d9d18b6198298
SHA1
5c8a5432e12df1ecdb33499e0c142a6ba37165f0
SHA256
b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a
SHA512
82e71b255671e08199986101747092359a2be592344058e4ddc264b6f65d2033fa41051e7a7b853df78cc27aaaba4da6080b1f3bac67cb563fb550d7f0aacb98
SSDEEP
49152:IBJTrDS1bJ+05CiD5LIYUcfjEGJT8TpIfYttDqrWEn5PjfHyejpdQ8y7uBxbPEKF:y9rGrXZTjupIf2ODxzSeFP64EKIjFZE/
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\", \"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\SppExtComObj.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\", \"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\HyperServerFont.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\", \"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\", \"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Registry.exe\"" | HyperServerFont.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4756 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 728 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4964 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3288 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1572 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1336 | 1612 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 1612 | schtasks.exe | 89
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | HyperServerFont.exe
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | 10092d3106ee645c3b2d9d18b6198298.exe
Executes dropped EXE (2 IoCs)
pid | Process
4420 | HyperServerFont.exe
1008 | SppExtComObj.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperServerFont = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\HyperServerFont.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperServerFont = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\HyperServerFont.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Common Files\\System\\Registry.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\SppExtComObj.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Media Player\\uk-UA\\System.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\SppExtComObj.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Libraries\\StartMenuExperienceHost.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Common Files\\System\\Registry.exe\"" | HyperServerFont.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\SppExtComObj.exe\"" | HyperServerFont.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC22BACF47879245AD9AD825E8A43462B0.TMP | csc.exe
File created | \??\c:\Windows\System32\hunyxs.exe | csc.exe
Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\SppExtComObj.exe | HyperServerFont.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\e1ef82546f0b02 | HyperServerFont.exe
File created | C:\Program Files (x86)\Common Files\System\Registry.exe | HyperServerFont.exe
File created | C:\Program Files (x86)\Common Files\System\ee2ad38f3d4382 | HyperServerFont.exe
File created | C:\Program Files\Windows Media Player\uk-UA\System.exe | HyperServerFont.exe
File created | C:\Program Files\Windows Media Player\uk-UA\27d1bcfc3c54e0 | HyperServerFont.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\SppExtComObj.exe | HyperServerFont.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe | HyperServerFont.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\e1ef82546f0b02 | HyperServerFont.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings | 10092d3106ee645c3b2d9d18b6198298.exe
Key created | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings | HyperServerFont.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
schtasks.exe PIDs (18 entries): 2532, 2296, 4952, 2324, 2116, 1532, 4964, 1336, 2684, 4128, 4756, 2596, 3108, 728, 2012, 1788, 3288, 1572
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4420 | HyperServerFont.exe (all 64 entries are this same pid and process)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1008 | SppExtComObj.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4420 | HyperServerFont.exe
Token: SeDebugPrivilege | 1008 | SppExtComObj.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 1228 wrote to memory of 1128 | 1228 | 10092d3106ee645c3b2d9d18b6198298.exe | 85
PID 1228 wrote to memory of 1128 | 1228 | 10092d3106ee645c3b2d9d18b6198298.exe | 85
PID 1228 wrote to memory of 1128 | 1228 | 10092d3106ee645c3b2d9d18b6198298.exe | 85
PID 1128 wrote to memory of 1708 | 1128 | WScript.exe | 86
PID 1128 wrote to memory of 1708 | 1128 | WScript.exe | 86
PID 1128 wrote to memory of 1708 | 1128 | WScript.exe | 86
PID 1708 wrote to memory of 4420 | 1708 | cmd.exe | 88
PID 1708 wrote to memory of 4420 | 1708 | cmd.exe | 88
PID 4420 wrote to memory of 892 | 4420 | HyperServerFont.exe | 93
PID 4420 wrote to memory of 892 | 4420 | HyperServerFont.exe | 93
PID 892 wrote to memory of 1780 | 892 | csc.exe | 95
PID 892 wrote to memory of 1780 | 892 | csc.exe | 95
PID 4420 wrote to memory of 3228 | 4420 | HyperServerFont.exe | 111
PID 4420 wrote to memory of 3228 | 4420 | HyperServerFont.exe | 111
PID 3228 wrote to memory of 4568 | 3228 | cmd.exe | 113
PID 3228 wrote to memory of 4568 | 3228 | cmd.exe | 113
PID 3228 wrote to memory of 3860 | 3228 | cmd.exe | 114
PID 3228 wrote to memory of 3860 | 3228 | cmd.exe | 114
PID 3228 wrote to memory of 1008 | 3228 | cmd.exe | 115
PID 3228 wrote to memory of 1008 | 3228 | cmd.exe | 115
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Nested entries are child processes of the entry above them; the schtasks.exe entries at the end are separate top-level entries.

C:\Users\Admin\AppData\Local\Temp\10092d3106ee645c3b2d9d18b6198298.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10092d3106ee645c3b2d9d18b6198298.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1228

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\zAABOcyJ2bBgkpH6Xhk3lnmdvCX3caSCc9GQdkeF.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1128

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRAR\Teg6emHMlLt57vxkHLDGu6vtBrgy1f5AzyvH4iCxDeNGgB7UyEG1SG.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1708

      C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe
        Command line: "C:\Users\Admin\AppData\Roaming\WinRAR/HyperServerFont.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4420

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vsw3cyb\1vsw3cyb.cmdline"
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          PID: 892

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5CE.tmp" "c:\Windows\System32\CSC22BACF47879245AD9AD825E8A43462B0.TMP"
            PID: 1780

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XUw9gQ9nf.bat"
          - Suspicious use of WriteProcessMemory
          PID: 3228

          C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 4568

          C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 3860

          C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe
            Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe"
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 1008

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\uk-UA\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4128

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\uk-UA\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4756

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\uk-UA\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2596

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2532

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2116

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3108

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 728

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1532

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2324

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\Registry.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2296

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2012

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1788

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4964

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3288

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1572

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4952

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperServerFont" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1336

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2684
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize
236B
MD5
a59b231088770867c61291747e4bd7b7
SHA1
7000fa65fa7cd67c40dca4564e1ca3faaec25d3f
SHA256
a01d11444151e8eeceee3dd067103d4a167c7dc8c45a583c67ae6c2df5efe789
SHA512
131769454eaa3f0e2c800220e262f7ae4ce86f2725db5a437d05fb2b3b0abed31fbbe177cf3a9080e1aa6496d812304caa23eceee1ccf1854adae7c541c5dc33

Filesize
1KB
MD5
89a1c873edfd962807488661fea1848a
SHA1
3e64ccc4f7f171ee4d313889f983d9892742408b
SHA256
079ab119817fd2f5c2a86bc16150a4979f369c81c9e179f505824aae6a72d4bf
SHA512
07e0ed65aca9ebeb6f1ad7877af0b6be0c49adf10025a191c9fc6b4f43d1ac3edb16ec522e9ff27d8aaf6c12a4f920ab1bfb2f49c5c6ab136228b7d7fa086b63

Filesize
3.5MB
MD5
e6096483a8f2600535d5c540898501ee
SHA1
988f6c02d6d8fc54ef7c74e2982b606229f084c9
SHA256
4abfb6c4719bf650b60ce4e9088ab59a24a33f06627a8a5cbddd4ed5ab59c14d
SHA512
9e682b3bd8984b8f72f129c1f79f6c53b38ee2291ebfaa892a40f282f0bba5e17bdf144fdbc10953f9e0c14b657febe3daa860ba871070f8d61e5282ddb3a90e

Filesize
85B
MD5
6fb0cede604bc60a8b56d06517fc275b
SHA1
2ff60f4528e919d7c8856a96d8ab2ecf8adec2d1
SHA256
6e320f0bbc930d2f1106e791a79547b0b14507ccefd9154571a4a4d4c2105c80
SHA512
d54e559522844b79e7c396d2eaffcdb093c71779c248fc2637fa067ce21149b0f3d4a2d1ad2295d6c685f9e280be86b931c95efe0cf9b84a942c33f126885d25

Filesize
245B
MD5
11d88d852b26c866aa883701afb373ec
SHA1
a88acf9a42805f23575bf4bfc518d8ae6db11a36
SHA256
c2d4bc12a60d049699f9693568a1a14d3849257966470b28978d9922ff17b12a
SHA512
2851d70cb66c93b87fa35ee9684d66ec884acaa12ddde5b38cad802e623b02b6cf49fc9ab18876c4885615a9915f47fbce64de6ab75d0f7be3b7dea8ca217283

Filesize
386B
MD5
f876b6ad980274a3e19aec822816cd56
SHA1
d77ef8ae5f9bf1ab65671e4598e99ed4899ec667
SHA256
addf279495417be4ec6ed78d93171df57077924224d6736b1e106b75841b7fd0
SHA512
403f92d82cabf94e990722863dacea62f632e0f466280113e41272acc062765fa15f4ac7479fbdef0a4e22dee00b8db158ab208d68c90593cc7260818e6c1697

Filesize
235B
MD5
0720dc6a73bd5c1668a41533b34c3007
SHA1
eb750bf0b02796daba05e77d858cc21c97746644
SHA256
47138c4dba11fa2bd700396e273142b272ba24dec050d55b3b2db8d86e1a8287
SHA512
03fe77404aae6c66b7ec4197798314a2a3ddae6f7a3a02af0aa65d70331409e8f51617f3c269f3762a156bfeff598cff2f424b01577b08b43128a81e7019f670

Filesize
1KB
MD5
274448e414a8f9abf7ae8326763fc7af
SHA1
a83308f00001919f86ffba6b8a8a4a60354a43f8
SHA256
19f23ddbfafb74b79f35796ca686cd32b63f75a1f5c449837c0fcedef9729c9f
SHA512
2cd04ccd5e2793620de005d42172238081964efd1d184f3627a5df6c37ba19386d3b008acddf37e2f01ea1c7694788e17f2bdf5ce1ac75e1c1ff189dd580b41a