Overview
overview
10Static
static
10dc/10.exe
windows10-2004-x64
10dc/12.exe
windows10-2004-x64
7dc/13.exe
windows10-2004-x64
10dc/15.exe
windows10-2004-x64
8dc/16.exe
windows10-2004-x64
10dc/17.exe
windows10-2004-x64
3dc/19.exe
windows10-2004-x64
10dc/22.exe
windows10-2004-x64
10dc/23.exe
windows10-2004-x64
10dc/3.exe
windows10-2004-x64
10dc/4.exe
windows10-2004-x64
3dc/5.exe
windows10-2004-x64
10dc/6.exe
windows10-2004-x64
10dc/7.exe
windows10-2004-x64
9dc/9.exe
windows10-2004-x64
10Analysis
-
max time kernel
55s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 01:25
Behavioral task
behavioral1
Sample
dc/10.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
dc/12.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
dc/13.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
dc/15.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
dc/16.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral6
Sample
dc/17.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
dc/19.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
dc/22.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
dc/23.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
dc/3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
dc/4.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
dc/5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
dc/6.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
dc/7.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
dc/9.exe
Resource
win10v2004-20240802-en
General
-
Target
dc/19.exe
-
Size
2.1MB
-
MD5
3e2a24aaa5d0f9bb10bfad986ce31279
-
SHA1
23aa6c2a838eb744f2cee356835eb1f04879e97c
-
SHA256
dcef31131a10eb3765f1da688fb233fe5fd82aecada26a5a4c003ed848f4ef5e
-
SHA512
bec737c6d27c77755ec962b46c69832bd25856e1029a54c3f79f4620e6123d9b63277b5c470bc921edfbe1503532f26c882b84315dc701874dc62c04bae4ac26
-
SSDEEP
49152:IBJ5BGELU3i6oUt8vLD51ncebaIFZRDiXP:ybFgS7U+lZPGIhD2
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\"" HyperComponentbrowserwinRuntime.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4136 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4308 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4628 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3320 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4348 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 388 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4244 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3360 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1084 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4896 5016 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 536 5016 schtasks.exe 92 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation 19.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation HyperComponentbrowserwinRuntime.exe -
Executes dropped EXE 2 IoCs
pid Process 404 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperComponentbrowserwinRuntime = "\"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserwinRef\\sppsvc.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperComponentbrowserwinRuntime = "\"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserwinRef\\sppsvc.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" HyperComponentbrowserwinRuntime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" HyperComponentbrowserwinRuntime.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCA69C83CEE1434EF5BC32C069D2DB711.TMP csc.exe File created \??\c:\Windows\System32\eemqzy.exe csc.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\unsecapp.exe HyperComponentbrowserwinRuntime.exe File created C:\Program Files\7-Zip\Lang\29c1c3cc0f7685 HyperComponentbrowserwinRuntime.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Migration\WTR\Idle.exe HyperComponentbrowserwinRuntime.exe File created C:\Windows\Migration\WTR\6ccacd8608530f HyperComponentbrowserwinRuntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4432 PING.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings HyperComponentbrowserwinRuntime.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings 19.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4432 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4308 schtasks.exe 1952 schtasks.exe 3320 schtasks.exe 4244 schtasks.exe 1364 schtasks.exe 4336 schtasks.exe 4348 schtasks.exe 388 schtasks.exe 4136 schtasks.exe 2372 schtasks.exe 3360 schtasks.exe 4896 schtasks.exe 536 schtasks.exe 1896 schtasks.exe 4628 schtasks.exe 1928 schtasks.exe 5052 schtasks.exe 1084 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 404 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe 3968 HyperComponentbrowserwinRuntime.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 404 HyperComponentbrowserwinRuntime.exe Token: SeDebugPrivilege 3968 HyperComponentbrowserwinRuntime.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3148 wrote to memory of 3132 3148 19.exe 86 PID 3148 wrote to memory of 3132 3148 19.exe 86 PID 3148 wrote to memory of 3132 3148 19.exe 86 PID 3132 wrote to memory of 448 3132 WScript.exe 96 PID 3132 wrote to memory of 448 3132 WScript.exe 96 PID 3132 wrote to memory of 448 3132 WScript.exe 96 PID 448 wrote to memory of 404 448 cmd.exe 98 PID 448 wrote to memory of 404 448 cmd.exe 98 PID 404 wrote to memory of 2540 404 HyperComponentbrowserwinRuntime.exe 102 PID 404 wrote to memory of 2540 404 HyperComponentbrowserwinRuntime.exe 102 PID 2540 wrote to memory of 3924 2540 csc.exe 104 PID 2540 wrote to memory of 3924 2540 csc.exe 104 PID 404 wrote to memory of 2204 404 HyperComponentbrowserwinRuntime.exe 120 PID 404 wrote to memory of 2204 404 HyperComponentbrowserwinRuntime.exe 120 PID 2204 wrote to memory of 3036 2204 cmd.exe 122 PID 2204 wrote to memory of 3036 2204 cmd.exe 122 PID 2204 wrote to memory of 4432 2204 cmd.exe 123 PID 2204 wrote to memory of 4432 2204 cmd.exe 123 PID 2204 wrote to memory of 3968 2204 cmd.exe 124 PID 2204 wrote to memory of 3968 2204 cmd.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc\19.exe"C:\Users\Admin\AppData\Local\Temp\dc\19.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserwinRef\tHfYIcJEPrAe4W4Mb92xXs3G610U6bqi.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserwinRef\tgoBzi59fjjPhHwozUoC.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448 -
C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe"C:\BrowserwinRef/HyperComponentbrowserwinRuntime.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znuiqiyh\znuiqiyh.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6AD.tmp" "c:\Windows\System32\CSCA69C83CEE1434EF5BC32C069D2DB711.TMP"6⤵PID:3924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHO8HQe0Dq.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\chcp.comchcp 650016⤵PID:3036
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4432
-
-
C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe"C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\BrowserwinRef\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserwinRef\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\BrowserwinRef\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperComponentbrowserwinRuntimeH" /sc MINUTE /mo 14 /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperComponentbrowserwinRuntime" /sc ONLOGON /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperComponentbrowserwinRuntimeH" /sc MINUTE /mo 11 /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5ab7bfd003313405a8ce166ede217cf0b
SHA15520cb0f72bd3c9978f30b72614976aa2c03bd4a
SHA256c7cfe7c9b93222025a69ae2ca873b12272d4d2dbccadc7e55698df163087569f
SHA5121cbfe8e7209efe88e43f80269d3b985776b1029ff20e1618ac87a0331537586cda9923e76000930a7ddf4ea7463d84788fe564a6a9c0f0c8082946b67927fdf8
-
Filesize
212B
MD58e35d244c726b8fd66aea8ac55b2bf44
SHA1ec54327244da28bcfe8abfcfe776572f11c04e9b
SHA256d9e77b54b8d87b50bb47e84b80f6051d5052e89cf89baa597d4c41bea1f5fc8f
SHA51213d9c89a8dbe030744ce2db17162d1530457c6c947c00aa846fd2424e773bf94058a04d6d88b391830ce1faa50966fec30d6864790e40b25c3d174b2c8b12723
-
Filesize
116B
MD5cd2035abc4ecf6aa875c5ead9c0a4794
SHA14d4f282cc7f06413e22d3416c9ef339c68f6200d
SHA2560b0b8d95494a628fe38d06251b7295330e3962c05e81386057521d21091cf8de
SHA5126279e14401609b3fb6a277deea15a9bae44a572650fa19aafaae8d01b764a51d1b7287a6d2fc24b4a23357f758b4299630f2b0b376162a203ec66e29ee0d8654
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
180B
MD5b6851c40948e6584d402942ddc13b2a5
SHA1296f9e02453e89be7223763da117f1a4b0ed3c8b
SHA256a86633e31880386fcd95fce0136b7bccb99629fd08013adc3db38ce977d77696
SHA512cdc4637af4b3023901168e5f460440f22c1d402d4e2b961acbc8106492dd23a54488f0ccf678c9f38ad0a1fdd487671b724f771c0e38fdbf6737f71c13a4a304
-
Filesize
1KB
MD5aed6f96426fecd8b6fda1be764364542
SHA18981a289bf8cb41c8ea46e1e078f5a323f333213
SHA256621331fbdc1aa168e7f12a14a07efd2560516130ab61ded4d8e218246e5f7d8b
SHA51237cb500f7dc698f14814da41e720200290e1d437c65aaff1295cf66a2823fc286d9a1a7a190890fedc2ed0bbec078b30eaec775bf3f8c682c32d161dc6b4818e
-
Filesize
376B
MD52ab3db72843623f35dc6efb7faa66861
SHA13136f08ac40b3568d9ba60434d945c0240b2a3fe
SHA2562753fc2e38a8ec91f4766a3a30b9c934901d064ee416fa9c4d92bf1144845292
SHA512b4e4f20d624ac78ea0fda9fa4d479fdc70e14dcf1d01993d69c3de613c441f1da25c065af0554af813059f720c08838008d69901d2631b95f549394fc4f77c40
-
Filesize
235B
MD516b10d147252acf57b0bfbbcf6014647
SHA1576d22416e14349b827864d19bb3ff53d3e77c5b
SHA2561f1e6831aaef8ef7819c928539cc36fec4782e884d71e367df551b459cc2232a
SHA5125f8b1e3791490151100c604e07d34fb6d6d37b63a25aa709e03c8054d8c3a60e935c9726df7f5a84aebc4c0e948fe2f66bbac6dcc657654636fbaa8cd0d0a300
-
Filesize
1KB
MD5aaedb470feff0ca43ba622b01d0e7b4f
SHA1e88615dbe9a5c74b28a0cb38666ddb91bd014dd4
SHA256deb4e21657569076441e2f2ed83756a093bb6588a75d8febbabedd64d96d183f
SHA512cf825cfd11de31c4faa0516b0d3b6bc54290f5c5d1098950a6f82fbdc02b8235c2dcae53df823c00def7d47bdada06970cceee01cb5db183ff83879d98977910