Analysis
-
max time kernel
110s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 06:16
General
-
Target
cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
-
Size
1.9MB
-
MD5
2084c9d26206ec07c2dc65d1167ee1be
-
SHA1
ff37b5b781c17b3de200bbc1f68530370b4110a9
-
SHA256
cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320
-
SHA512
99740d059fc3cd37fad78ddacd9c149eabb519c7e043cb01cfa92884724bbce326dc9f9d4b716d85b222a6580e1c75ae437680752bf565135a5de9ceee226f44
-
SSDEEP
24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 34 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 24 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe"C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\bin\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Kfq7VgMDq.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c8d1f6f-8b76-4d5b-8db4-bd143dfd5dd8.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e741c33-4840-477d-bb6f-32ef18f42df5.vbs"6⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eff2284-335c-4f57-8f2c-f5be4e3ab3de.vbs"8⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8484f2-c3a9-4828-a03f-f152f6ad5964.vbs"10⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8278051a-5584-4710-b21a-4ed4ad75ad6c.vbs"12⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\989841bc-c42a-4267-adc3-933c51cb261d.vbs"14⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\059a2b35-8134-4353-8153-c26b20a3b497.vbs"16⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"17⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57db56d3-9235-49b6-8af4-7a0ae7f38200.vbs"18⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"19⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\966782fd-4ac5-4e25-b8fc-25a613417793.vbs"20⤵
-
C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe"21⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54935423-beee-4c66-be85-92930522be7c.vbs"22⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c97ae36-05bf-4fa1-8a45-53e8e0502a50.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2126bf54-51fd-4cb1-ab5b-86b7970e0bd7.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0622bdf-721a-4a8c-893d-fabf7c6a54ee.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ea0e55d-dcb3-4cfd-999b-70992a53c3a5.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8f28ab-c9fd-4e47-bad9-413de9fcf3cd.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a09cad8a-2504-41fe-b1ea-6b8b86cbdb29.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fdbdfa6-b11e-45d5-9127-835cad28ee58.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530f0501-803a-4448-b070-aee01421893a.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e6c86e5-1f49-4e73-b8ba-90e82fe34ea4.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ed3a8ac-d439-478f-a611-139aa17a792a.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\OSPPSVC.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\explorer.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\explorer.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Panther\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Recent\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
898KB
MD5dc6bbe0a061a84f7d66571e8e8118045
SHA1dfcb19855945fc458c00d95f585f44430342ecdc
SHA256da0b7a7b5c071a5b1457d94b626611a3c3b138e2502752eb26bfa08403d05118
SHA512372cea88ffbcdceeb1befe72bfdd960d329e79b74cd9b9c81c451924617adedbf6d1c0c6838f54d3bd7ba029c5970960a7bcc271c3dc1168eafaa3d5b5d7f06c
-
Filesize
1.9MB
MD53af08998a77046d848671d911a3d2d1d
SHA1cc8d205c694e601ee574dce0627203ba8f27a777
SHA256a9172e31a9342bc19a92c78b79139326aced3d9c7381c0d5ab871c87504d8b6c
SHA51215d9bebcea9a4781e3cb5b33a4f97e5e87549beaae2d3b5054702174e8c694ffd043ce534370876224652023d28d092dc083dd395e3b75d8b41f0d9af039ebfa
-
Filesize
1.9MB
MD52084c9d26206ec07c2dc65d1167ee1be
SHA1ff37b5b781c17b3de200bbc1f68530370b4110a9
SHA256cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320
SHA51299740d059fc3cd37fad78ddacd9c149eabb519c7e043cb01cfa92884724bbce326dc9f9d4b716d85b222a6580e1c75ae437680752bf565135a5de9ceee226f44
-
Filesize
732B
MD5036fafceeb9f8e1f3dfb27b49f78bdc3
SHA1dfe96dba9858f81100e05cfe7d4df536ede27fca
SHA256ba0218421002d1935c76ef53d63accbb06750ec9988ffae760ae632737c07081
SHA512d577088e651e8969a532ad299bb3f2e7ab6988dfc9edd9def0d56d72e92bb197752673ab1400a51503face824af1afab47732faee391a6c556bcce130ccfc0d0
-
Filesize
221B
MD5c9256968a528e5a29ba800eb434e1da6
SHA18653656b693fe1d779435dc345c7a50ac75c1a61
SHA2560eeb9982f8e8497dec5a68b5795409bdccc38b8a2e69441ee831644a0e3bc194
SHA512360cf6833867749f0498700d2c1eaa0c5dd91c13fb498a185ac308b5587454165af96f879c103ecc2392909b195aa38895e1c000ab02ae354ade7623a125c7c2
-
Filesize
384KB
MD5e434f8bb5d41623fd9207b39ce339867
SHA12528a234e04d8a89a2175f96a576dc23a52e0249
SHA256d4b57f35632d1e8b876906b6e6fec37800f0b11ede0f92ec24e3ce2e5f2d8a93
SHA5126c6177d79ac5e0a58acd2936eeecdbfc5f837c286a18db7d9783c27266f45ba85d7f7621e60ae2573600991f3cf6b80928f11b00621564baa0b7615d2cb60e63
-
Filesize
732B
MD56b0ddc173f45a2c87d7cf9a1ffd90ddf
SHA1e075e64ce101359205ef9f432ec38715d01298d6
SHA2562ea1a2712014517978f5e87425db2a2a8dbaa4fbc119c0014badae3975dbdd86
SHA5129d9cefaf8184d47f809b53a24a9ad6ecdc914ea89f9aac567cf1119c737a7c74c6dcc19ce86f72a963321f1a56521ee8654f60c99cadd55d789c695ee3f1a3b1
-
Filesize
732B
MD5fce7427de83db4691c78825ce7ae21c2
SHA10c248174d757bfe7375b90a9521e23bb0bb5a541
SHA2569243360a72bb39a8978c49fb23a93abfe9fdb42efc5a694e47d577ce2d1fba1e
SHA5122674d68c069fcd1033be850b4b813713538c248dd572ac132ef697fd01251d5a9feb7bceaf088c14dcc9930cf60415e2bebfbf211bfb3d5ee6d2687d4023b35d
-
Filesize
732B
MD51cb9378f1239036be169a5ca6540670f
SHA155f4891a97576cc033319ad08cbfb59b83f93993
SHA2564e41a1d4917b7df66d27dd35c3ae8852f994fe48a89e96c142476326685b497e
SHA512c2e272dbe007d1130cbe499fd2903ba9dd91146ec14cfbd24116edbc9490bf42eda7e3926f24077c8fe597d98b42a11cba445a955fd87977cee6703bea047e1b
-
Filesize
732B
MD55c894e16dfe3e45a9c09e7ca016453e9
SHA1593e0ed721bb10c3a3cb21a8ed39000c5a8c49c6
SHA256c530530d3291b70e2f25539e1a5fe2cf16482155618c6e746f3d4e747aa8b15d
SHA51202f991d5fd674d46a1bdd50a3a5c6e4ce449e8bf9417b80cc58609703f124ec67850d96b3b3f16c370fcb6722887648035789c75667b891d7fb88e52b126d9fb
-
Filesize
731B
MD5a21f27b07bd99fdba4a55baaefc9dcf6
SHA1bce38d910d3f16cc19387ff999d95cad76e934e1
SHA25644cd860ef8e80d4dccbf070ec75a6e0f9dbd5bbae0aad6d2deb56454c1bf9711
SHA512b12ea41a2b9aeef4bbaa60a67582b74b1932f6abb7368854df29b15523bd089ace5569bf3e1d8c8b762bcb4cb5533a31150a3f9913daa5c42cd63fbb8539597d
-
Filesize
732B
MD5907690fa2cf97e0422410131d5571d8b
SHA11708e9a19b2b4121a7545180a613960a49e3ec97
SHA2567d0048162509bc3504e85e22a821bb44eebfa0013a61a9ef58e5f911f4cf3403
SHA512fb39dc5acbb806bf61f42e3b3fb452c455f803293826e64ba4cef6837a63faaf4fd3c6a1d7a422426ed104b55ab0c21d23c34f77bed688c6563dd90f25aa7b2b
-
Filesize
732B
MD5689cb5e22956bfc90f50239d2a217fd9
SHA1488418d7a35cd0f96fdcb56122a5b07638d54a23
SHA256b9b159f8cf2e86ae72228eb941c95b1d2c26abc79d2330d0796d5c1516678402
SHA512dc41b2cd2e50e0ce09eb4d1acca8aab3e5fc2cf3785ee76d52af2ed20f4ef7e741139eda65b2cba943af41309db8acf1519cbe4e100ce5aca0db3a05f4e3d90d
-
Filesize
732B
MD52bfff00ad98b6aefcfe21c22d15ca03b
SHA1b6adb8e02e899505dfd0a33afc2da967cc961a01
SHA25606af5f26d77980a1361461e9b31275e4b58dbc3a31082e4e6182a7df82ced70c
SHA5125bde1b494d0190901617039112c4e160caea6508fb52d07709e734f1ad7360e063c41c8460eb37f0cd10df8057ba9dee32c1802e8228db9dcd8701b54ea3046e
-
Filesize
508B
MD502b3403f3f60bdf78373d651b8f7338d
SHA1743085341c8e147d6b9a0db1ca729b9b06b5c551
SHA256f04c2fa051610f218f428f41f4b98e0121b1e3b93c00f9cd00ee3cde0680ebfa
SHA51296e3048c3831e2b8c6baeea8e5c39f6e0bffe83ab799d22c4755497ceea4e108a6664c3d2366c9906e2fd01d17bf2c52fb2fe49ce4dbd351a75527e7f7563786
-
Filesize
732B
MD5192e441e63a41a95470ca61aa74ff803
SHA17e3d8f105f66e21631d8518b9ce9ea6d7b0044d3
SHA256400d6e1eab41bee265bdb28b702350c4a89d8e439376bde6cb01cfaadaa8bdae
SHA5120bf506cbec2aff666cd5bdc8e6a802df4d122357730700f3d38a246d21f40400543639b47c5773fb341b7891ab41457ca71feba108b1b212911ea01ddb549e3e
-
Filesize
7KB
MD55f1ad6bc5fbde8788ba49f1cca394a2c
SHA12cf5414cf3071d03c3da3314c896f45119b9db46
SHA2560e550a0171aef047b5fb71dd00d69a60caff24747bf4d2adf4f40fa9dd8b74b7
SHA512d1c60688f9c5283bd34e2e0c2cdc25374cd9a0d46e3fea1bca4868f8ce53cada8814bec9a231fe0d3908b870083d613caa6de6b9c7214fc68c9a55d51dee7830
-
Filesize
1.9MB
MD5d86e6cc7346308e41de12dfbc84d5bd5
SHA1885b3f3bc7e0d58734064494a30bc35862730d29
SHA256cf674696b51d8fb4bb01167cd7e32fb9ae15df7effbc8a0b8be5f8f47075a443
SHA5126419748e4dd699c2aa91315000f8750fa8498036b2d1121d88f96d2e37751557dd4e64d947a3238d8e0e0f99fe6111db02007f53680ba2b2b38d142adcfd29b2
-
Filesize
1.9MB
MD5ac8d5c8cb6270bdc5db2cc9b419739be
SHA16b57ba9047774850e31bf21b6bdc1040374aeb54
SHA256498117709e4ccf55621111e95e9c5c0d46044583df5c585c5fe596b198806e0e
SHA512f54821f5390579a2c825e71c33cc43038807f7932a7e96d4eef5b71b47cf521661070e5db4512dcb8dbd3871a9f0cba237e2731b26e53c4bed28d2025702c3dd
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
1.9MB