Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 21:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://workupload.com/file/e3Ntgx8nVXy
Resource
win10v2004-20240802-en
General
-
Target
https://workupload.com/file/e3Ntgx8nVXy
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7488189478:AAH6VIMvTK1qt_asd4dAuNYuoUWUeh-2Kvg/sendPhot
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\", \"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\", \"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\", \"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\wininit.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TiWorker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\", \"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\wininit.exe\", \"C:\\SurrogateFontsavesMonitor\\ProviderInto.exe\"" ProviderInto.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5592 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5628 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5648 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5368 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3464 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4464 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5956 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5976 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4748 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3524 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4412 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2832 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 2832 schtasks.exe 101 -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 6056 powershell.exe 1584 powershell.exe 3628 powershell.exe 1428 powershell.exe 2308 powershell.exe 3824 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation SolaraBootstrapper.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation ProviderInto.exe -
Executes dropped EXE 3 IoCs
pid Process 2996 SolaraBootstrapper.exe 1216 ProviderInto.exe 5332 services.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\SurrogateFontsavesMonitor\\RuntimeBroker.exe\"" ProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderInto = "\"C:\\SurrogateFontsavesMonitor\\ProviderInto.exe\"" ProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\services.exe\"" ProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\"" ProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\wininit.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SystemResources\\Windows.UI.BlockedShutdown\\pris\\wininit.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderInto = "\"C:\\SurrogateFontsavesMonitor\\ProviderInto.exe\"" ProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiWorker = "\"C:\\Recovery\\WindowsRE\\TiWorker.exe\"" ProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiWorker = "\"C:\\Recovery\\WindowsRE\\TiWorker.exe\"" ProviderInto.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 136 ipinfo.io 137 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC2A8C58511EB844FF85F19FD22CD7530.TMP csc.exe File created \??\c:\Windows\System32\h920ln.exe csc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe ProviderInto.exe File created C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e ProviderInto.exe File created C:\Program Files\VideoLAN\VLC\skins\services.exe ProviderInto.exe File created C:\Program Files\VideoLAN\VLC\skins\c5b4cb5e9653cc ProviderInto.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\System\Speech\taskhostw.exe ProviderInto.exe File created C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe ProviderInto.exe File opened for modification C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe ProviderInto.exe File created C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\56085415360792 ProviderInto.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SolaraBootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings SolaraBootstrapper.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings ProviderInto.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings taskmgr.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 5532 NOTEPAD.EXE 5628 Notepad.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5648 schtasks.exe 4748 schtasks.exe 5592 schtasks.exe 3524 schtasks.exe 2532 schtasks.exe 2480 schtasks.exe 4412 schtasks.exe 2004 schtasks.exe 5956 schtasks.exe 4504 schtasks.exe 5976 schtasks.exe 5628 schtasks.exe 5368 schtasks.exe 3464 schtasks.exe 4464 schtasks.exe 4364 schtasks.exe 2264 schtasks.exe 2156 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3856 msedge.exe 3856 msedge.exe 4136 msedge.exe 4136 msedge.exe 4152 identity_helper.exe 4152 identity_helper.exe 2316 msedge.exe 2316 msedge.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 4312 taskmgr.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe 1216 ProviderInto.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeRestorePrivilege 5228 7zG.exe Token: 35 5228 7zG.exe Token: SeSecurityPrivilege 5228 7zG.exe Token: SeSecurityPrivilege 5228 7zG.exe Token: SeDebugPrivilege 4312 taskmgr.exe Token: SeSystemProfilePrivilege 4312 taskmgr.exe Token: SeCreateGlobalPrivilege 4312 taskmgr.exe Token: SeRestorePrivilege 5448 7zG.exe Token: 35 5448 7zG.exe Token: SeSecurityPrivilege 5448 7zG.exe Token: SeSecurityPrivilege 5448 7zG.exe Token: SeDebugPrivilege 1216 ProviderInto.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 3628 powershell.exe Token: SeDebugPrivilege 6056 powershell.exe Token: SeDebugPrivilege 1428 powershell.exe Token: SeDebugPrivilege 1584 powershell.exe Token: SeDebugPrivilege 3824 powershell.exe Token: SeDebugPrivilege 5332 services.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 5228 7zG.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4136 msedge.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe 4312 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4136 wrote to memory of 4092 4136 msedge.exe 84 PID 4136 wrote to memory of 4092 4136 msedge.exe 84 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 2940 4136 msedge.exe 85 PID 4136 wrote to memory of 3856 4136 msedge.exe 86 PID 4136 wrote to memory of 3856 4136 msedge.exe 86 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 PID 4136 wrote to memory of 2056 4136 msedge.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/e3Ntgx8nVXy1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebbe046f8,0x7ffebbe04708,0x7ffebbe047182⤵PID:4092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:2056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵PID:464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:1788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:82⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵PID:1052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:2536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3412 /prefetch:82⤵PID:840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:2852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:3300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵PID:60
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵PID:5308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:12⤵PID:5560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵PID:5576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵PID:5660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:5984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11128414709767725649,8336206558992278506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:12⤵PID:5248
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2424
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2872
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SolaraBootstrapper\" -spe -an -ai#7zMap30531:98:7zEvent64801⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5228
-
C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper.exe"C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\SurrogateFontsavesMonitor\t5yJBPVpMtfS5Dt2mh2uGFn.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\SurrogateFontsavesMonitor\DKJr3MNjVDR1qneh6ELWUMeDWcnK8FGizjUQ7CRm3l0LL5J0EDSITahYbF.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\SurrogateFontsavesMonitor\ProviderInto.exe"C:\SurrogateFontsavesMonitor/ProviderInto.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\np3t35wr\np3t35wr.cmdline"5⤵
- Drops file in System32 directory
PID:5896 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8855.tmp" "c:\Windows\System32\CSC2A8C58511EB844FF85F19FD22CD7530.TMP"6⤵PID:5932
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TiWorker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateFontsavesMonitor\ProviderInto.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUBMxsXhn.bat"5⤵PID:5724
-
C:\Windows\system32\chcp.comchcp 650016⤵PID:5224
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3952
-
-
C:\Program Files\VideoLAN\VLC\skins\services.exe"C:\Program Files\VideoLAN\VLC\skins\services.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5332
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\" -spe -an -ai#7zMap14009:136:7zEvent104721⤵
- Suspicious use of AdjustPrivilegeToken
PID:5448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TiWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\SurrogateFontsavesMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderIntoP" /sc MINUTE /mo 6 /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderInto" /sc ONLOGON /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderIntoP" /sc MINUTE /mo 7 /tr "'C:\SurrogateFontsavesMonitor\ProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\DKJr3MNjVDR1qneh6ELWUMeDWcnK8FGizjUQ7CRm3l0LL5J0EDSITahYbF.bat1⤵
- Opens file in notepad (likely ransom note)
PID:5532
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\SolaraBootstrapper\SolaraBootstrapper\t5yJBPVpMtfS5Dt2mh2uGFn.vbe1⤵
- Opens file in notepad (likely ransom note)
PID:5628
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88B
MD5b218180bed2af04d85507f0fbc168c9e
SHA1a269e4b3a5e3529d6360fc042b9e59a48b82ce50
SHA25639db898fef28721b8ff5ef62c06e0ea1e356247eb52d402b19093cf20a8be15b
SHA512769b9675172c9e8c1cb820e85bf71a18a3f3999d6f3f85a66fd76a721c6cf69d6c0d3965f26d0d48e5007ed137a62fa2917b771896db2bc08e468c24b49eb4c8
-
Filesize
1.8MB
MD5ee848b0fdaa811eba94c2b625126fc32
SHA1b82f5fe11abfcbaf665c64e0bf8f780f968919c5
SHA2562e87fe4c6529e9ad5f615fe3dae33a8858dc9f6ada7b7fda6d6a2791128f0e70
SHA512a9ccd913877609fc153b5749f1bc9058cd046add51b345e59ec34defcbdc63af9e687953da617e92f09ce713ade3e57a712d714f4856b64547cf3427085c38a7
-
Filesize
262B
MD5f9219e38a39666704836adfff5f13122
SHA115874c2fb0511dabc8e942239fee9155fb05e823
SHA2566ea2af03758dec0a423186cf0ef4546a94f41c6e11769a4aba0c2b5c9b8a7092
SHA512f9b5ad2bb5aafbddf83536d4df9e23541755621709b4b1a6658f61fc0ef776e9da3ce9346472dad198360b871a8e8a10b47e8a464d68d68a3b90c47cb684d1bd
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5ecf7ca53c80b5245e35839009d12f866
SHA1a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
152B
MD54dd2754d1bea40445984d65abee82b21
SHA14b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA51292d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5b09e4ad42d2d561b9e02b663b7eb297d
SHA1539c75d43b55f0a44fcf4f73d4e380e247323c55
SHA256d61581d12602a7fbc36aefdb6350be187db0b9ef2bc17250bf9be2f8d8c8eb44
SHA512299431718d380b2cab5a739fa3e9f5ccab14e368d53daeb677573223d0ee10fa8acf7732098d57af843ef9131c0cc51ae886f3b39916bc080ad1fdd61209c4a7
-
Filesize
1KB
MD5049ea397331c1b9d84a4293d451d55bf
SHA13a8e88eb7d3f11a6d97fa547603afbc2966cd216
SHA256e910542b94540158458656e53e02943f487943e800e6f9abe943b150fdb2570b
SHA512eb120c694c2394dda75aaa1ffa5160abc12fee91473b738317aabeb502eb5a480153d76b7fd8e2c6bb63471fc4b9f1ba2ae7b29edbf8dbfc7af2b05fa7d53185
-
Filesize
6KB
MD5c75f42f3f1225b08d91a43f84b7887ab
SHA1a30f46b13f4528d5259c3ec5b28bfe7a1dcf842f
SHA2567b130500d4afb32ee79e734089a7e015ce35d86ca65077219f984b92b762f862
SHA5121f6e67072a1ddb915592be2b82b1bcab9fa24eaef836170532bd69b5d27ae0edc46a7c1784a0210d9338f255c48a768cea534180d378aeec959351ed1d6b2200
-
Filesize
7KB
MD57e3dae9340717d034ec34afd4161f90b
SHA1a083e7e4cfccdf5127d05c43a9e1b0edf07a0564
SHA2567bbb871649a5ee18d2c794b10386ef84c0123118dff335414c4d791cf865e408
SHA51200dad7f2bb85d0a02d059713e197ab709888900e61df240704208bdd8ad6465e5001d0769bca53a5012347df96c38721b14e1d48fae3fa86e76ceba5142b5252
-
Filesize
7KB
MD5e136068e8ecb1e34865bda6e35c494f3
SHA1a07a95ac5416fa3650b0b20d8625847f8403b6a9
SHA25621590e2b75060c6d416c9c9d604ebac1aca85281be8770913cbe9c4d63706dc9
SHA5122daafff741a34e626e4fee65542b7c77f9532a23ac24d2b244728218f204620423cb7bcbe1779db9e78aa988d3641eb0d4d16d6f3b8d69730035dd4848055c48
-
Filesize
6KB
MD5ed6bb8e6c6f7190a94a7de7626857b24
SHA1d1f002942a18480efc073ff40c3ff5cf01bff9a2
SHA256366ebda4d795bab4de2aef20f001dfcc557ad57cf924907470323386b1ff08b2
SHA51244bf0f14cd4972d6bef7d3544db5235cf8438ad4fa29a58a95e889ef175c0c5b5e437a3e8ac68706ddec796f8f893323c222831075fdd0d926e3063c10e49339
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD547be4bbb76a01de2b248c64d422262ff
SHA1274e031331af3daad0498fc3f1bf97668cfb4e42
SHA2566d79c273efe4bb9835ffe1ee134903821dbae900eb23452a0ea9516670fd212f
SHA51294de561592935552eb4c91f10c0b26beb005ae63ed707742dbacce86748186c3fa9c72b3e54052164840a7e524d1462442366042c7490a46366caccdc05e89f9
-
Filesize
11KB
MD5e6b5b2049d646a54c01a40f6ed9321ad
SHA160fc63e2f189c4d89b1009888a316c336cc09806
SHA256dbda0b14876597d6688888440d936ed9ffb66e2cccf74c5e9ffca5740df10004
SHA5123b86fa6a949a5a03129910977d049ec2e56c8235251dccdc47aca32ab1b5c219dd2e786a48bd773aa54add4aadfd60c78c72221cf5c862f4e98f7586d639b129
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
104B
MD5c3d5e9a6b46c457a2e9ed4776da216b9
SHA1d5f96d4fe38478a64696e91be9e479c4ac8c3b26
SHA25635d14b81697459efe199eddc1c5715d34e253b4f15d99e10589e6fc680866f24
SHA5124c375c0bf406546774fb0ce31597727dffd5b799b09446dd7a90845aafa0419f25793d370b259a78ce13378cee22f55e76c3fcec9ec2fc682e6c15f1ac9325a1
-
Filesize
1KB
MD5a563c642d6d40d17b5a5366f09e3ef6d
SHA12cf0b81912e76ee7e9458ae5ce8c50b7b88337a6
SHA2567faf2585f89e0606cb5eb3bb16d9c58fada759a5187fdde4a77f404f2a328e04
SHA512d2e287456fe4ebca5ea317b115236b6f55c33d2f8cd29d48c064354ac3fd49e13fc2f66a5a59be92dde76247d44dd085e9fdfd8813d1f2fe1d0ae13e68758657
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
224B
MD50ca7d32c4a5ed9c4d7440ed716edffef
SHA1aa3cf6f751ad34981c853818e144a61d038dd210
SHA25602b8dc6bdd1572d03f5e32b238c293e19e0319ae45bf710da2e2a4334fcfe6d9
SHA512ccb7bbe2e4c0551564474ea75c2d91171a3c00a26195c179d5f068fe0cbf60fceba5c4116dcbfa4fd1f58224f52f07b09750ad56ab5f9957ba46b1193f9eca84
-
Filesize
1.6MB
MD57cd7c7f07ba796cf223fb66e288ec73a
SHA1634aa76bb9c09df693601cbb3239da497fbc2c47
SHA256faa5ea1d26079085f5b5f627d1f8e09fc7f350df3db76b28c5f855efd3150e6c
SHA512d57d866c03682af547ed91303ae0a0d0af56e73cb6f601e10dbd358bbc30663aea58319a7b7aa8752887148132f22e1ee413783759d0a58de0e891ee3537a37f
-
Filesize
2.1MB
MD5105991ce02358995ea190b0ab9119d02
SHA10335dd31909e4dcd04be7d365e4ad7dac5520a8e
SHA2565367822efad1a46cfd82e82731e2d6841fb9be7bd7862f9993d7b7c85d045e67
SHA5127d3cee2772cdffc16cf84151b23958d5ff2c94aa25b83275623254b87d925fc109bbc88f9fb9037b3e913d16f4c3d0505d845debe9664370c358a2b3f168d028
-
Filesize
4KB
MD5d6e8d40dea2f1294bd6a69dd33fc2d5e
SHA19cc3ea5b85eb704884d3e6240ac7cbfa09931f6d
SHA256cddcc18dc13728fc9efe21f4582986f673d85e599f33e668044ff3561aaa3b51
SHA512590b7fdedf12d003b3dc600eb231cdc3fbaf4469829f91bbafb4c90246559799b9456f71b8679e3847f46d565357a14219cb6f16e39c8c904f3ae7f9f8981b96
-
Filesize
366B
MD5ea3f67482c8c086f455885010acbf653
SHA12b885603892c632065fe0131eb857bcdbf3e4162
SHA256b1dbea7730031fb96eb76e037d7a93689ee8de7e2b5dc0bde4982f5d06b4e7e8
SHA512324cd127dad1c0c59de390b5b1a5f40a3da09ac3e425517bbf6fe225a3de351f00c34c9a307bbde33decd53427eaf66c737369812044244145156223f8c372a0
-
Filesize
235B
MD571269e923c78c8975542806a6e844b52
SHA191ea46a4c516be9433fb3cac6adb60ea2cbf8642
SHA256f3a8987d0373b9f7659eb7cbb7ca3c4c9a9ba0ffcaf2f129eee079a6d3b92b54
SHA51218f03b6063f98c2acc296ee4ac1515994f329ef67baf26d80bbb7ea5a0174f3660808c18318a9aa0e7c2061c0350b9ff7deecb91f5a39b62c86c48a1d60abdad
-
Filesize
1KB
MD5acf0a5c902f3dd3bd7790cdb4484d7b3
SHA1cdebcde6ce451177576b39f24e62b134678daf75
SHA25630a40cd52450f1fc314048db7431d96464002bfa5a204d1969c6b563c4715622
SHA5129559b21b7acb3ed32bba7556a7c68b034a2e9f784bd818d5731cff6c54d81f954d5babf71d2264a82fe463f1314e36e0e227a63a63cc68a00c3fe6d3b2a66fe8