Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea.exe
-
Size
1.9MB
-
MD5
371ac901265784870ebce3b2f6d4c663
-
SHA1
624369382a311fd84568a61b309f8414b8ca7c07
-
SHA256
d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea
-
SHA512
28a83331b901295d597616364a429020e7879aaa1abb5c690e98bd96f385a8ed5dbe27435c94d525a678c4cc4e3c6228f00fa5356828ec53b540ac67def51d27
-
SSDEEP
24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea.exe"C:\Users\Admin\AppData\Local\Temp\d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IdentityCRL\INT\sihost.exe"C:\Windows\IdentityCRL\INT\sihost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dbfd544-f29a-4e63-a29d-d9817205a513.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1d8d28-e169-4a36-bc71-39d649ea63d1.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20d5ca45-b0a1-4ce2-ac6c-7fc9a063b30c.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e079b464-e794-46de-8846-cc00aee20a64.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7367474-a196-4d36-a0be-3619a78c5560.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b5ca73-013a-4dec-9820-7ee9e2e682a2.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a060c9-8521-4e73-a901-d57b932ef6e5.vbs"15⤵
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdf54cd7-e18c-42ab-a90a-8be80b47bb3b.vbs"17⤵
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1797029-57d4-425e-9ec0-46a4f79275b4.vbs"19⤵
-
C:\Windows\IdentityCRL\INT\sihost.exeC:\Windows\IdentityCRL\INT\sihost.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02595c8-9092-46a7-bf3a-eb9ea9165524.vbs"21⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901734b6-7d81-4117-b0eb-7916f1005c28.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\114de08f-0031-4618-ad28-5792fa2c8614.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f14986c0-454a-44da-95fd-aad000d79a25.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee9ed0c8-f7be-4c49-a547-a7525c536df0.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0b8923b-af03-400a-ac06-ecf495695d0f.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\100df768-38fc-4423-abb2-a95117137ee0.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b14c5e02-b81f-41d0-8ad3-947396d40587.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84a12a68-487d-4c28-9d7e-c923c082838e.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2ab87be-6c63-4a49-9878-9eba62fae303.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c495c4a-cc94-4ab1-840f-3943cd824866.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5aa27415423ae4218c0c58b44c6066bb8
SHA10f2b24926eaa42a98bb4feae34eebae76695406a
SHA256f2e7b6971c847b65ad632900e295072de2960523d2b5026a8a3681a160f4b7a4
SHA512c2bb1bab5b475c53af672a81eb891fb14b543bdb82037dad7808e52d4a23166755699e9aa01cabedc8ee19ffa2ffadc8da49fa6bf131880f7d433c5335f7179d
-
Filesize
1.9MB
MD541a3896ea5af08d2c2341fc448b71c70
SHA1f6211efa3a9aee7758ab8a98f1bac3af7e961a52
SHA256ee23f1d844688392edd85bbca911649d84168e34e98563af816f7a7f36baeb01
SHA512da99f7c3a446aff386cfc75123e210e10c243777a80c030fbc83016fdf33d2d819f5cfc418945c32325ede799673c2ce8e64d4d54047aa61d442c4e1016d9562
-
Filesize
1.9MB
MD5a2e87beafa2de948979072152ed1b511
SHA1ac2f4d6de1d9859cdd274ec1edf42acd137c8d35
SHA256b99fbf1eb3eeb08c2fc76ef72d78e0412a74baba51dadb4cf50d19d3139fb96a
SHA512eecb91d4c8e08f52b6a5ab94e746b03ba648b99e7622ae503a8942cc74d10236ee30864a6627347e0357550521394f3a7d99c613d443630a7bc546bdd10d4c80
-
Filesize
1.9MB
MD5a04e4423d16a9171ffd289304de7a332
SHA10e8e07f9c62344b9bdf9849271d899912a7f0f96
SHA2562f7680c5af09da44224d54d0786c840fb9fdff1bf293875febecf965efc00e0d
SHA512d2f3ba572b6af28cbca3e7102296acfe9edc65402e899a9ae6338d619c412faf02025fa20e3dfb1f89dcacd5109692dae075d925600ce38e8706eb9d84cc2e3a
-
Filesize
1.9MB
MD5371ac901265784870ebce3b2f6d4c663
SHA1624369382a311fd84568a61b309f8414b8ca7c07
SHA256d92866420d8daf87ded38ffc92b6a8db1cc13c93e7529db32979a5e52d9c0bea
SHA51228a83331b901295d597616364a429020e7879aaa1abb5c690e98bd96f385a8ed5dbe27435c94d525a678c4cc4e3c6228f00fa5356828ec53b540ac67def51d27
-
Filesize
1.9MB
MD53b61327177a53330aa75c5caa726ae70
SHA10699af8b6425fd41b7f37dc19456cfc5206467cb
SHA2563ec5bc18359df9d4ae2b90b071d27a96f825c0f0419cf2cc7fb669514e6435d1
SHA5120c93347bb1b3258f0025c2705336b4fb50867778437a771b145e63ae77a5ed0ac4e4a514a03dbd62e8799b15f0df0871ea8eb521939533bec43d23466b999638
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
944B
MD5681e61532ff712d8340986e1c9913ef5
SHA184a8edb57465d211a98980b5788c18a2584edcdf
SHA256d6bd79a01f6f2501487a2e7cad738bd2fb6ee772191a79d15cad1b995bcdb66a
SHA51226822d15d1c676fe6f59470b828b783751187947a22f2e0baded0629473f78e33f3c048e0bc3548e1e4ad817fadac968a91dca1f1231433204df0b5ead03462f
-
Filesize
944B
MD5d2e14ffaec8328ef6b85925ed5fc2c9b
SHA1f42699edcf4fea12a6f3301141f996c2b8ecaf5d
SHA256a75bb133d71f078fb9d5fa46ae46b5d23bfaacd382b0dadb4da59567f6749ccd
SHA512335a0c6e8a6b1620b5644962c7deb43cef5e5ecb7f4d84816671cac12bd42d2fd6311e1c6ebe9c3a9bf5bc49c170760ba42d7045a74a38ec0963badacd72beff
-
Filesize
944B
MD5dc05a4f71923730b4eed5cb63f86aeed
SHA1798199489ad94c55021a92ec812b320ed90b5711
SHA256557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650
SHA512fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b
-
Filesize
944B
MD5241a30ee59b4b06c007874e90fe80d6d
SHA15f1ba41ebc6984909a65725c2e686c6012bd32c6
SHA25691b63fc7449595695b9e0ee26704ea721dc66d7da9e99b38c66962f6d93e65bb
SHA51261f9ce6d433cc8efe06587ddcb4921a1bf6516fcd3c36ad79a2583acf1122202bf9565ccd5e8c28430b0fd09b1564b2a17b97f7a6c9e6ffe5a0ea76400fbaaf8
-
Filesize
944B
MD53c9a06205efb4ec6b1ca25ba605f9f6d
SHA153f4cbc7a0b1f493e53f99d49c08c56c2ac912f8
SHA2564ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a
SHA512e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657
-
Filesize
944B
MD5e69ced0a44ced088c3954d6ae03796e7
SHA1ef4cac17b8643fb57424bb56907381a555a8cb92
SHA25649ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108
SHA51215ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4
-
Filesize
713B
MD5d5486ad566f6d210a8758461cbc09556
SHA16e084daed954bc4650ef01e8b6a31a45894bd5ad
SHA256f00c1818d97f38bbda663a49489b10e90e7c3a34dacf50097de31ce647e38ab7
SHA512b654f9cf9926bfaff71909bea29f99008d01c63d88b5d9323cbef7046b48752f3ec841b4504922d18d390cfaba8326f70ac92a5bb6e7e8ea351958eca069b42b
-
Filesize
713B
MD50af780362221ce0fee856e90476ae245
SHA1d99985b18e30acea63dfaa67d6a21d9e8a1b0b77
SHA2560df692fefb9cd3eb0e1a5ea1a806b204df9d955daadcf8ea794fc3bb494aa190
SHA5125f74c9ed8be456a94c50a983f125083848754de9becb3c3e0bee13b31fb7a4d2ef58baa67d9c461a3f3095168198a2835b5e8dd5430eec2549eb982683ef66b0
-
Filesize
713B
MD5dba5391c3c1a1e93c2fe2d4367bfd7bb
SHA15a2c1448845bc1976b524caa1cf96c8660d35ca0
SHA256d89ee5d0996a859d1df66a305d0966f3d41442f6538761799436cf7a6815c756
SHA512915a6eaf8e956668b34d566d2df9e93f1331ddb9279f29edce87469e366a5f2e17690d14271763fd93e588dbe3d3e91e133d4999659b04da14d1667340d969fe
-
Filesize
489B
MD55da768cfa41fc52d8ddaf423e3bb8316
SHA1a56037aadbfef907b89f77d3e735e697be75dfde
SHA256c1994121e31b925aaf448db3f7f3d9e94be245e54292e445b1e5a56623e3aa1f
SHA512058177392d4b444ffa6ef05d25fdd0da9b276616abb803def94299433df98cbc5fd4241a4fdb82f51ed3066b70704ca6dfd40441edc55785c7fb5db40b42aa0a
-
Filesize
713B
MD506b07a38c0a20a59377134e86733117b
SHA1b8bace109d94427a5bfebd8bcc99e060caa2a37f
SHA256cd3dec0ce390f20739f7b19a0e762e3c45c7ecf15db7d780babc9674d99343c4
SHA5128a74ce40577dd6054cef26216af45693377ff7435526ed5a816ea7d82f1f0593f41b07c2b2ecf30d608ef318f1fa14309a2e5bb3497dc1f9dc2bf6039f5baaf3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
713B
MD5a56470087ec2ef46798881360d550490
SHA11e2252cbf92afe71c051814f7a4a784f587cef21
SHA256e3ede08cd4ffba1c923632314c09dc8c8054148164be2a9998ff2e05694b86a4
SHA5124908a2d9bfc45a3c7aebf9f1b1305778b0ef91ea0116c17894e47287ef5dcd16709c8c477ebfb3581d048d9be2db779c501e24c976552af686c5dbbe145ea0c4
-
Filesize
713B
MD5a5f6cf3194091af1e728777994bf2dbc
SHA1dcbd991f0e5dee9765b8624564ba4e0dd07aa149
SHA25636b1c623c19475082d48957091b15c7b55c0d5a2ccd28e0a6cf50b09b2ead438
SHA512f649d730a6d6d744c331392b1c0fb6ff0464fd7c7ed64831511d3c41bb52acb0ee100ae03ac4c456f77c6c002905c6280d4bb92478978e256f8894e1d39e70a2
-
Filesize
713B
MD51334b7d7a9efd45cd3192de555eef8ea
SHA11c0e1a22ae987f9574454949b0a5ed1da4e719e5
SHA2563c8beb58e1f75cf47352cdfbf4f75fad650c1b5fe1b320cdc29d51ce1cb3fc17
SHA51273a43592ca4603633bf3303baecd03c5afab5d2e5e0d3ce3e90eb340e14d12a1cb23b1ebccf328ee90d5bf67191194ccfd60bcc0bc3596adeb7f20382f2f9dfb
-
Filesize
712B
MD52e8a5663e40509af420f94c2532e872f
SHA11fc02615ccfa08ce842372cf1714b2c4fc6a9f84
SHA2563eedaf33a406d9400a7a587e3571b8ea072585fd0ed290b131b690e88f3168c7
SHA5129ecf9b31b3ffd4c37c4a1c0a73be42614c03977efb6b82dd4b93cb223cbd0990ef78d2135821855ec6cb26c111423223b05a8c2ffab07e0d219314c4490ee7bc
-
Filesize
713B
MD53adbe2ea147ef066fbaf883a401c7cb6
SHA155fb27bf8fd70787de75a404f1c99fd2f59628ec
SHA2562dabda35ba710bf321dab2ad7286e9acb810762501d49ec9a05d7cf4ede709db
SHA5127649d6ba0e25f8de0d28eb0a0ecf2432c71d3b3856c757a619a9e1b32365246103641223443c57fb13fbe880f56e09d0b50137e551d5d590b56b2a27c613d156
-
Filesize
713B
MD55c57a7ab88aa3a0f9cc1be72db5886b1
SHA17adb3c5245248e54b8cc3f2db82fa169937a0b35
SHA256f577fa36656cb060b0fd9c0f65b3e3855f3eab4a437efd50a968ee8105dc87dd
SHA512ad17158a60d8a2e90c3c0e48bd3d21356c24ab7d20ceaee398284a7931b43860aef061fc13b341591acfcc28d2e5d32c4a8da7e8c4b8ff0c0588e85055d83b71
-
Filesize
1.9MB
MD59ac2a050103ce5e6360cf273a3992ee9
SHA1a6ec154fe5911aa72c9a7d2052d4df90e9de1cd4
SHA256678524e5b33d0906838de9c9104f38b435a3eb31924a64e83649d0807082e2d2
SHA5124c2476c705c09d008bacf624b5dd943b486e6048a294c8923abafba6731c0e208c44a9c8df077a3dd045b8e93007c1e896a9048383beed858e74d5e7558d8388
-
Filesize
136KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
320KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.9MB