Analysis
-
max time kernel
33s -
max time network
40s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 18:57
Static task
static1
General
-
Target
ReanProject.exe
-
Size
1.5MB
-
MD5
40a341513f036e4d5a356f70db6afb15
-
SHA1
2bde15455a425f52fa221577c22db34f217a69a5
-
SHA256
6858bca15eed33e61fdc4be3f87a0dfe63ccab54a659de551fcb5df52af060f4
-
SHA512
2610c45c2683f4773238a99e674aba88d64a45ba3f6bb97a13fc763d13d778519727bcf6087d552d40ad80de2e7cdf23379970fc3ee90bb969fe3c9a0216aa3e
-
SSDEEP
49152:CzS8CQJK7u2Bg76XDnjmj+e8PgnaADNAr:0SxQJK7XG6L8+e8PIaADNAr
Malware Config
Signatures
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3520 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3788 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3648 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 824 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3824 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4556 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3840 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4284 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4292 4488 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4300 4488 schtasks.exe 86 -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 232 powershell.exe 2248 powershell.exe 4476 powershell.exe 468 powershell.exe 4880 powershell.exe 624 powershell.exe 4884 powershell.exe 4520 powershell.exe 1740 powershell.exe 4236 powershell.exe 2848 powershell.exe 2008 powershell.exe 2568 powershell.exe 1640 powershell.exe 1132 powershell.exe 452 powershell.exe 2700 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation ReanProject.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation bluestacks.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation Bluestacks.exe -
Executes dropped EXE 3 IoCs
pid Process 4308 bluestacks.exe 412 Bluestacks.exe 5340 RuntimeBroker.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ipinfo.io 31 ipinfo.io -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe Bluestacks.exe File created C:\Program Files (x86)\Internet Explorer\en-US\6ccacd8608530f Bluestacks.exe File created C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe Bluestacks.exe File created C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 Bluestacks.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\diagnostics\scheduled\winlogon.exe Bluestacks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ReanProject.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bluestacks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4252 PING.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings bluestacks.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings Bluestacks.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4252 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4284 schtasks.exe 2320 schtasks.exe 3648 schtasks.exe 3020 schtasks.exe 3824 schtasks.exe 908 schtasks.exe 3520 schtasks.exe 3788 schtasks.exe 4300 schtasks.exe 552 schtasks.exe 4328 schtasks.exe 4556 schtasks.exe 3840 schtasks.exe 2204 schtasks.exe 1836 schtasks.exe 824 schtasks.exe 5044 schtasks.exe 4292 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe 412 Bluestacks.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeDebugPrivilege 1432 ReanProject.exe Token: SeDebugPrivilege 412 Bluestacks.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 4884 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 2848 powershell.exe Token: SeDebugPrivilege 4520 powershell.exe Token: SeDebugPrivilege 624 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 4236 powershell.exe Token: SeDebugPrivilege 452 powershell.exe Token: SeDebugPrivilege 468 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 1740 powershell.exe Token: SeDebugPrivilege 2248 powershell.exe Token: SeDebugPrivilege 232 powershell.exe Token: SeDebugPrivilege 4476 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 4880 powershell.exe Token: SeDebugPrivilege 5340 RuntimeBroker.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1432 ReanProject.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 1432 wrote to memory of 4308 1432 ReanProject.exe 87 PID 1432 wrote to memory of 4308 1432 ReanProject.exe 87 PID 1432 wrote to memory of 4308 1432 ReanProject.exe 87 PID 4308 wrote to memory of 1380 4308 bluestacks.exe 89 PID 4308 wrote to memory of 1380 4308 bluestacks.exe 89 PID 4308 wrote to memory of 1380 4308 bluestacks.exe 89 PID 1380 wrote to memory of 3900 1380 WScript.exe 90 PID 1380 wrote to memory of 3900 1380 WScript.exe 90 PID 1380 wrote to memory of 3900 1380 WScript.exe 90 PID 3900 wrote to memory of 412 3900 cmd.exe 92 PID 3900 wrote to memory of 412 3900 cmd.exe 92 PID 412 wrote to memory of 2008 412 Bluestacks.exe 113 PID 412 wrote to memory of 2008 412 Bluestacks.exe 113 PID 412 wrote to memory of 232 412 Bluestacks.exe 114 PID 412 wrote to memory of 232 412 Bluestacks.exe 114 PID 412 wrote to memory of 468 412 Bluestacks.exe 115 PID 412 wrote to memory of 468 412 Bluestacks.exe 115 PID 412 wrote to memory of 4520 412 Bluestacks.exe 116 PID 412 wrote to memory of 4520 412 Bluestacks.exe 116 PID 412 wrote to memory of 2848 412 Bluestacks.exe 117 PID 412 wrote to memory of 2848 412 Bluestacks.exe 117 PID 412 wrote to memory of 4884 412 Bluestacks.exe 118 PID 412 wrote to memory of 4884 412 Bluestacks.exe 118 PID 412 wrote to memory of 2700 412 Bluestacks.exe 119 PID 412 wrote to memory of 2700 412 Bluestacks.exe 119 PID 412 wrote to memory of 452 412 Bluestacks.exe 120 PID 412 wrote to memory of 452 412 Bluestacks.exe 120 PID 412 wrote to memory of 4236 412 Bluestacks.exe 121 PID 412 wrote to memory of 4236 412 Bluestacks.exe 121 PID 412 wrote to memory of 1132 412 Bluestacks.exe 123 PID 412 wrote to memory of 1132 412 Bluestacks.exe 123 PID 412 wrote to memory of 624 412 Bluestacks.exe 124 PID 412 wrote to memory of 624 412 Bluestacks.exe 124 PID 412 wrote to memory of 1740 412 Bluestacks.exe 125 PID 412 wrote to memory of 1740 412 Bluestacks.exe 125 PID 412 wrote to memory of 2568 412 Bluestacks.exe 128 PID 412 wrote to memory of 2568 412 Bluestacks.exe 128 PID 412 wrote to memory of 4476 412 Bluestacks.exe 129 PID 412 wrote to memory of 4476 412 Bluestacks.exe 129 PID 412 wrote to memory of 2248 412 Bluestacks.exe 131 PID 412 wrote to memory of 2248 412 Bluestacks.exe 131 PID 412 wrote to memory of 4880 412 Bluestacks.exe 132 PID 412 wrote to memory of 4880 412 Bluestacks.exe 132 PID 412 wrote to memory of 1640 412 Bluestacks.exe 134 PID 412 wrote to memory of 1640 412 Bluestacks.exe 134 PID 412 wrote to memory of 2432 412 Bluestacks.exe 147 PID 412 wrote to memory of 2432 412 Bluestacks.exe 147 PID 2432 wrote to memory of 5892 2432 cmd.exe 149 PID 2432 wrote to memory of 5892 2432 cmd.exe 149 PID 2432 wrote to memory of 4252 2432 cmd.exe 150 PID 2432 wrote to memory of 4252 2432 cmd.exe 150 PID 2432 wrote to memory of 5340 2432 cmd.exe 151 PID 2432 wrote to memory of 5340 2432 cmd.exe 151 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ReanProject.exe"C:\Users\Admin\AppData\Local\Temp\ReanProject.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Users\Admin\AppData\Roaming\ReanProject\bluestacks.exe"C:\Users\Admin\AppData\Roaming\ReanProject\bluestacks.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\PMSfvDOp4bMoWBuUDDFKFsa.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\NAJnMTtNtQp6YRoMQ0Y3XZDYJKnU0fTOAfa5c5spQzAjX6iCI.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe"C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951/bluestacks_nxt/Bluestacks.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\layPRQ2iQf.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:5892
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4252
-
-
C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe"C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5340
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bluestacks" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
238B
MD5c8557de570db17257ed426ffc2ea0a98
SHA1c82dfb41e43734a3112f526dccc4e9b9e61018d4
SHA256a56b977cf5f01e53c968fb4c0067f1e5797ba2b5180e40ef051ae518c6ed318f
SHA512d37f6acbf2caecdc76c5c671a5a4ece6a65cd7749e4e4e4510e3f70977e755533cfbb837570916d68faeadbda9fcd1a586afbd79fb333260f724f6948b38e72f
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5aaaac7c68d2b7997ed502c26fd9f65c2
SHA17c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA2568724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\NAJnMTtNtQp6YRoMQ0Y3XZDYJKnU0fTOAfa5c5spQzAjX6iCI.bat
Filesize108B
MD5de4e36f99cbe930e00821c18f8c288c1
SHA14d6a0d1437f1c9bd4c9dfcb9c20946ecebf38237
SHA256bbdb49ae619b6682362e2716011b7749e6d8a54cd5817a42299f774b41323c97
SHA512d4ac2e72e2b651622c894c5853cff3cfd3d31e4dd8f2522d3d3f9ea51a449609506abed5a8e9d1d8e72768fb93c9a69325439c191a7c3e1a48dcc243eb6956af
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\PMSfvDOp4bMoWBuUDDFKFsa.vbe
Filesize271B
MD563c111a2284dba9e6b768dad6bbdb9a9
SHA1fbe6e265184162b23f4cbb0585c2516f8972af3b
SHA256e2bda9ddb3fbb6b70c936a2398b6e1a42a7eb2fc52afdc68c1276554cedc4d15
SHA512a348c8deb1992c541424d4764e8e804a7f3e4c068576316f2489a5381ef2d3a86c5914ef530e1a101b581db90f8e483b16fd6c6e299294a089eac6e68c11718a
-
Filesize
196B
MD57572ea21bcdda38f1d703c6758be5b79
SHA1529405456d8d6ddb5815022d4a25b246605a5428
SHA256e718e0cd9cdb52e9731b5c8ee06587bd0a60b7484d415e92dec75ae80769bf08
SHA51244bfd33b6c2d823ca54f2648f4f31b91f0d48c7642f6327851d823dd5edd0abb7a0a63dee81f3db38d3156b1eb2cd66490e374128ba6d2043885dcaaa1ad5927
-
Filesize
1.8MB
MD538f724119c083a7ea8a0c57e24e8c8d6
SHA1a9cc386dbc4a1bebbe36f868bff2b881343e7159
SHA256e3203db8a66f69987adf8a03a6ecb492f746be4c8f2bee378b7727a1d730b54b
SHA512a63e229c3e546be78208a16cb91df639fc41731c939cfd438e0e408c1af4f78f5c5556218272f902b52453255b5b638a6ccf4436c200dc42de538a2de7ab39a4