Analysis

max time kernel: 30s
max time network: 30s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 16:40

Static task: static1
Behavioral task behavioral1: Sample fatality.exe, Resource win10v2004-20240802-en
Behavioral task behavioral2: Sample fatality.exe, Resource win7-20240903-en
Behavioral task behavioral3: Sample fatality.exe, Resource win10-20240404-en
Behavioral task behavioral4: Sample fatality.exe, Resource win10v2004-20240802-en
Behavioral task behavioral5: Sample fatality.exe, Resource win11-20240802-en
General

Target: fatality.exe
Size: 3.4MB
MD5: 19eeb3ce01f40894ced6065215d7a666
SHA1: 6da9fb24f7560284219c0aa42134be3d76615c7c
SHA256: 2c80f72b0be446e73b7f8f7e660750d8147a527b3e0c1316c2ddadc708e783c3
SHA512: 9ad07ec548303e7d2db20093441710f4a08725ccc2365904ab3ef670a174030733409a4b22324eece2ba472354c32ad34bd96fb9cc095696a84caac70f0ef801
SSDEEP: 49152:12quZB3Lyy3ok0xaAmNu2WsgAbfjHsKTJ4Nz9kP93s8+g/l7mKyftvzQBNomC6H:IHX3LyC0L7AbfjJT/l7byV4NJH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)

description | ioc | Process
--- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\", \"C:\\WinruntimeBrokerDll\\dllhost.exe\", \"C:\\WinruntimeBrokerDll\\System.exe\", \"C:\\Program Files (x86)\\Windows Mail\\SppExtComObj.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\", \"C:\\WinruntimeBrokerDll\\dllhost.exe\", \"C:\\WinruntimeBrokerDll\\System.exe\", \"C:\\Program Files (x86)\\Windows Mail\\SppExtComObj.exe\", \"C:\\WinruntimeBrokerDll\\AgentfontPerfNet.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\", \"C:\\WinruntimeBrokerDll\\dllhost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\", \"C:\\WinruntimeBrokerDll\\dllhost.exe\", \"C:\\WinruntimeBrokerDll\\System.exe\"" | AgentfontPerfNet.exe
Process spawned unexpected child process (18 IoCs)

This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
--- | --- | --- | --- | ---
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4996 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3508 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4284 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 552 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3368 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3560 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4700 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3516 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4264 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 872 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1188 | 872 | schtasks.exe | 85
Checks computer location settings (2 TTPs, 3 IoCs)

Looks up country code configured in the registry, likely geofence.

description | ioc | Process
--- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | fatality.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | AgentfontPerfNet.exe
Executes dropped EXE (2 IoCs)

pid | Process
--- | ---
4060 | AgentfontPerfNet.exe
3800 | csrss.exe
Adds Run key to start application (2 TTPs, 12 IoCs)

description | ioc | Process
--- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\StartMenuExperienceHost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\WinruntimeBrokerDll\\System.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\WinruntimeBrokerDll\\System.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Mail\\SppExtComObj.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\WinruntimeBrokerDll\\dllhost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\WinruntimeBrokerDll\\dllhost.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Mail\\SppExtComObj.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentfontPerfNet = "\"C:\\WinruntimeBrokerDll\\AgentfontPerfNet.exe\"" | AgentfontPerfNet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentfontPerfNet = "\"C:\\WinruntimeBrokerDll\\AgentfontPerfNet.exe\"" | AgentfontPerfNet.exe
Drops file in System32 directory (2 IoCs)

description | ioc | Process
--- | --- | ---
File created | \??\c:\Windows\System32\CSCC4BED7CC8BE14C318EB4AEA8943E3D.TMP | csc.exe
File created | \??\c:\Windows\System32\9hsi6j.exe | csc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)

pid | Process
--- | ---
944 | fatality.exe
Drops file in Program Files directory (5 IoCs)

description | ioc | Process
--- | --- | ---
File created | C:\Program Files (x86)\Windows Mail\SppExtComObj.exe | AgentfontPerfNet.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\SppExtComObj.exe | AgentfontPerfNet.exe
File created | C:\Program Files (x86)\Windows Mail\e1ef82546f0b02 | AgentfontPerfNet.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe | AgentfontPerfNet.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\886983d96e3d3e | AgentfontPerfNet.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
--- | --- | ---
File created | C:\Windows\diagnostics\lsass.exe | AgentfontPerfNet.exe
File created | C:\Windows\Performance\WinSAT\DataStore\StartMenuExperienceHost.exe | AgentfontPerfNet.exe
File created | C:\Windows\Performance\WinSAT\DataStore\55b276f4edf653 | AgentfontPerfNet.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
--- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fatality.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)

description | ioc | Process
--- | --- | ---
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | fatality.exe
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | AgentfontPerfNet.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
--- | ---
1240 | schtasks.exe
4700 | schtasks.exe
4264 | schtasks.exe
1932 | schtasks.exe
4996 | schtasks.exe
3508 | schtasks.exe
4284 | schtasks.exe
3560 | schtasks.exe
2936 | schtasks.exe
1800 | schtasks.exe
552 | schtasks.exe
2988 | schtasks.exe
3368 | schtasks.exe
2724 | schtasks.exe
1188 | schtasks.exe
2520 | schtasks.exe
3516 | schtasks.exe
4600 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
--- | ---
944 | fatality.exe (listed 2 times)
4060 | AgentfontPerfNet.exe (listed 62 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
--- | --- | ---
Token: SeDebugPrivilege | 4060 | AgentfontPerfNet.exe
Token: SeDebugPrivilege | 3800 | csrss.exe
Suspicious use of SetWindowsHookEx (1 IoCs)

pid | Process
--- | ---
944 | fatality.exe
Suspicious use of WriteProcessMemory (20 IoCs)

description | pid | Process | procid_target
--- | --- | --- | ---
PID 944 wrote to memory of 2504 | 944 | fatality.exe | 81
PID 944 wrote to memory of 2504 | 944 | fatality.exe | 81
PID 944 wrote to memory of 2504 | 944 | fatality.exe | 81
PID 2504 wrote to memory of 4104 | 2504 | WScript.exe | 89
PID 2504 wrote to memory of 4104 | 2504 | WScript.exe | 89
PID 2504 wrote to memory of 4104 | 2504 | WScript.exe | 89
PID 4104 wrote to memory of 4060 | 4104 | cmd.exe | 91
PID 4104 wrote to memory of 4060 | 4104 | cmd.exe | 91
PID 4060 wrote to memory of 1684 | 4060 | AgentfontPerfNet.exe | 95
PID 4060 wrote to memory of 1684 | 4060 | AgentfontPerfNet.exe | 95
PID 1684 wrote to memory of 4544 | 1684 | csc.exe | 97
PID 1684 wrote to memory of 4544 | 1684 | csc.exe | 97
PID 4060 wrote to memory of 1324 | 4060 | AgentfontPerfNet.exe | 113
PID 4060 wrote to memory of 1324 | 4060 | AgentfontPerfNet.exe | 113
PID 1324 wrote to memory of 1700 | 1324 | cmd.exe | 115
PID 1324 wrote to memory of 1700 | 1324 | cmd.exe | 115
PID 1324 wrote to memory of 388 | 1324 | cmd.exe | 116
PID 1324 wrote to memory of 388 | 1324 | cmd.exe | 116
PID 1324 wrote to memory of 3800 | 1324 | cmd.exe | 117
PID 1324 wrote to memory of 3800 | 1324 | cmd.exe | 117
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\fatality.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fatality.exe"
  PID: 944
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\WinruntimeBrokerDll\GMEFyNcoiNG60wEpcxyNZ4Di23KQc0kfLK4aF.vbe"
    PID: 2504
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\WinruntimeBrokerDll\ItjtUdx3t6H3YIR9PpTLl9BZRrl4Oo9QIKh5ZNyZ.bat" "
      PID: 4104
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [level 4] C:\WinruntimeBrokerDll\AgentfontPerfNet.exe
        Command line: "C:\WinruntimeBrokerDll/AgentfontPerfNet.exe"
        PID: 4060
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [level 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5i2fyevu\5i2fyevu.cmdline"
          PID: 1684
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          [level 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp" "c:\Windows\System32\CSCC4BED7CC8BE14C318EB4AEA8943E3D.TMP"
            PID: 4544

        [level 5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JUqnwElIIJ.bat"
          PID: 1324
          - Suspicious use of WriteProcessMemory

          [level 6] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 1700

          [level 6] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 388

          [level 6] C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe
            Command line: "C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe"
            PID: 3800
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /f
  PID: 1800
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
  PID: 1932
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
  PID: 4996
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\StartMenuExperienceHost.exe'" /f
  PID: 3508
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 2520
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 4284
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\WinruntimeBrokerDll\dllhost.exe'" /f
  PID: 552
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\WinruntimeBrokerDll\dllhost.exe'" /rl HIGHEST /f
  PID: 2988
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\WinruntimeBrokerDll\dllhost.exe'" /rl HIGHEST /f
  PID: 4600
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\WinruntimeBrokerDll\System.exe'" /f
  PID: 1240
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\WinruntimeBrokerDll\System.exe'" /rl HIGHEST /f
  PID: 3368
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\WinruntimeBrokerDll\System.exe'" /rl HIGHEST /f
  PID: 3560
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /f
  PID: 4700
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 3516
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 2936
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 13 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /f
  PID: 4264
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "AgentfontPerfNet" /sc ONLOGON /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f
  PID: 2724
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 12 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f
  PID: 1188
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads