Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
-
Size
1.9MB
-
MD5
88c85713b28206515423821dce1f0a0b
-
SHA1
3b8372f2cdf9875b21e189634f50661cf4d40a2c
-
SHA256
e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d
-
SHA512
26e7cf21280bf49336462cfcf229ea6a8c72c3241c0398e85e9fb3f2fe50d174e3bb1f0215f784767034a4b1ecbe59d61e02bf4541014612bd0e30f67f5a6a07
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe"C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DPX\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EuziAK6wbh.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\Vss\Writers\System\OSPPSVC.exe"C:\Windows\Vss\Writers\System\OSPPSVC.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cfae547-5d02-407d-983e-7f2541e79043.vbs"4⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae9dfb25-285c-4127-b346-30f595a80a86.vbs"6⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3720db5-9be6-4378-bdd1-318f29854573.vbs"8⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9e00ae7-5606-4637-9407-1f662eafba1d.vbs"10⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76dfeb55-d881-4162-9605-39a66b67a6ed.vbs"12⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7c4e580-186c-4206-97c9-1d8ab0e8df89.vbs"14⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb80e0a-0dd9-482f-85e0-d0bef6a2a025.vbs"16⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83260927-cbee-4814-9c38-3525863bc52a.vbs"18⤵
-
C:\Windows\Vss\Writers\System\OSPPSVC.exeC:\Windows\Vss\Writers\System\OSPPSVC.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39d2a455-370e-473f-819b-17d521cc1674.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d76a1d-d0ea-4286-881a-87bbee0d2445.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8fe782-37bd-4a6f-a802-8c4d8b8be047.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60ca852a-4505-4d48-a7b7-948ef6109a77.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14684635-a785-4195-93b4-59e532da97b7.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90d1849-5a65-472d-9037-365012adbfb1.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c117cff3-074f-4818-bc67-d324708476f8.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21d05a5f-ceed-4ca5-9588-77cc6b23fe51.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\system\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0de" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DPX\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0de" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0de" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d" /sc ONLOGON /tr "'C:\Windows\Cursors\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0de" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b2be528b2e9b78f89f23cadd5b85bf72
SHA16eed172a6117361cfe98bb10f132268a1449d6c0
SHA2563485f61cfa5d377b239318e47e78c0e327979bc899158e3b78a12321e295679c
SHA5126986fdb133cbbba922a912e508f94c94ef4453702232b135476b85cbdb22b5ef8213b3f5ac336579be2ffac577bd0549637a835a81eb7b14267fa13cf1e2ad3c
-
Filesize
717B
MD53057ef978b41d5a70905fce365d67215
SHA10bf3a70f3e23bb2ca7f6ee84162c744057d29056
SHA2569e4435aed134daf26593abd05017fe04dd071e4bcd7c2e7349f34c7dcceb2101
SHA512d3c10ce9aeb2f802cae6a7028613b1af2e901080bba8a7ec8a07e27dde04498dbeca0c734d541b68856cd440a042c0d6f0f5c6cdad8392ed2c1afaba96299d54
-
Filesize
493B
MD5151f454fbd5be9ee574fceb881fe0236
SHA108649262e43ac495abf90819a807407b6aedc89c
SHA2561b59236a7a3cbeec8e0bcdc262afb281570ac4c73c14892f934a48bc479b8ce6
SHA512726fc5f18f58861a4562ded57ab2a3c337b53f9f863f8be19e9028921fcc4fd4a1ace824b96ecf221367c0d0cbcc292021abe8692e6846d8a4336b926b698c48
-
Filesize
717B
MD5048f7a374c12fb79ff2e114d773aca92
SHA1d41587dc8de21760e7c6a831a9367a2559513932
SHA2566ab75c158514d5fc4f931f9835d362ec5ec175c6e1055c00514e5500d57153fe
SHA51226747696dffa3e07f1c04ddc977f54ae7cbe22b564f4d236b8671265805c7abd44925f3562add3f8dcf63a49ce278dfe31f10b8397bdfce0db1abcd2a9b14767
-
Filesize
716B
MD5bbb51b224026eee3c79a84f25c8ad81a
SHA15a076a3a6e4ab1f692890655e1ed0d998a3a675c
SHA2567fe4ee22b58d0967202b8dee6246d8ec9884c2e5e35822ed1d48791c9d8094eb
SHA512c8b00ec341aeae55098e79be287dd6f553179c559eb811e45a5c1588636614348e2511af6e9f6b6ea3a98a921194107731b2adb1546e509730fa05baa800b76c
-
Filesize
716B
MD557427fe415658816fb13dbc45e899655
SHA101c999461b00aa1d044a273ccbdaa4adcbcdbea0
SHA256e15d7a143a058df5176387b82eb99ac928c35b37bd6b3bcf7e8c2ab958a41615
SHA512324c8516ced56571bfee9bc5613a6b0368769ddf0b539147f7581ee79ea41162d9fcece136070c6b076cad0770b6ab31328ee962ff760e7164bffd4b5aeb28cb
-
Filesize
206B
MD505ea056df9a25c5d60e29066c9f2ab2d
SHA1bec66b3681a3bace86c60d776e8eb4964e4ef14c
SHA256139e76a9dfe3d7aeb5cc12ee43e7456578fd289999712c9face772f2d0e70e30
SHA512be369855b86b9a4eedd3a6e7afb2d93f6610305cc9520bb2ef8f1f027625977416a3750f8bb2bfaeb46eb34c86a1fde0900510c5622e139456fcfe452a84d890
-
Filesize
717B
MD5224e2701062491e6de9724c9057633e2
SHA14e3f8f05391e268aff4fe584fcf0fb745e88cd2f
SHA25613fde2202b5f620fc759ec5b86050cc02aaff504dc6a46ef10d4535cef704adf
SHA5121e6dd211e0378ab088d0e784d53959244455ecea297cc04a7852039d5cef6959c664ee53c3cc677b74a210adcc4c0aae6d4f1af79543a51598cd61a317b33cb0
-
Filesize
717B
MD54c187a1a37eccb3390bc7e8ef02fa358
SHA16d51e183a91ea201869d1fe7e437d6fa4bd90e57
SHA2565f18651f27d20df4a17e8cea5bf445c461777b0d486aea27c7949f143b093d9e
SHA512d35ec1d65f447fc23f0df73fdc20d06999e8be561f35ebbb910d08dafc372cd1939144fa99264f2b3ef621ab9df483248b9d1ecaaec35b79894a267413c1037c
-
Filesize
717B
MD5f0ed30b940ad0d603edf0c767d46c5e8
SHA12adf3eda2c608b5abe332f9827d8ee2b0807f275
SHA256ef62026dcafaa319768aebc7f2f3e1f61ea948fca0b650530d1409e3b43d4aae
SHA5125ffc475b2dec6effabe62660f1d3aec09b02902d23bd3a5c85b0f991ebd0449d32eea9b8b907e2f90ab0e5ebd65d8062ba0a8b08d6ce1d5b3806d3a96b309d63
-
Filesize
716B
MD5298a4a5c0192bf0561f572c40b2dd124
SHA1ebe51dd9d065408ee7b95f06bc2a70e1795083f9
SHA25602263f3f42fdf9448be20633e600c2e97f0c2e0eb97f4007e7e2d53af3428a58
SHA51268d47b2419314f3996998dc13de858fccd4e11c2652d0765a670ed1af5802df682b419ba818c78aa7aa9d63715cb8e5a766d453365011eea3cdfa6a1123c7bc2
-
Filesize
7KB
MD59facc535a14ebc30537c772a8fe6bd1c
SHA191858372077b4ffb95bddb8ed0b61dbefd11cee0
SHA256fcbc72d25b7b2cf932e858a4bc43db8f073f290d2e4abb2525fbcdec9fe6a8f4
SHA5126733c236b113c5158a2c9f0ce1fa84715faa46003877d9d27620e7b91079f1090d61809d83f18a291c28b0005d92f0b2640a8c2dbbe60568057e94e29d72d0ed
-
Filesize
1.9MB
MD51c9af5d654c202419372a238d70cf99e
SHA1c04476ab4907b766c325cd71e13383f513a58431
SHA25615cabe0f81ba42ffa2dfa8dec65b2ed383cdf6d9b715c6bc4353d36a67a6105c
SHA512fce78d68e4244e051c12a6be333904df019cc458145445048257be69ae00476bb54dad6d9e1c066898daa7ba7464a515960e8dd5cc75616ee6f693dfc9d1debf
-
Filesize
1.9MB
MD588c85713b28206515423821dce1f0a0b
SHA13b8372f2cdf9875b21e189634f50661cf4d40a2c
SHA256e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d
SHA51226e7cf21280bf49336462cfcf229ea6a8c72c3241c0398e85e9fb3f2fe50d174e3bb1f0215f784767034a4b1ecbe59d61e02bf4541014612bd0e30f67f5a6a07
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
1.9MB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
2.9MB