000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7cbc882298f639d31191a03ec81bd3.exe
Size

1.9MB
MD5

0d7cbc882298f639d31191a03ec81bd3
SHA1

93124a821e8fe02c1736cb62e9a613c8dc8379e6
SHA256

56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
SHA512

5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3032	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3032	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3032	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3032	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3032	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3032	schtasks.exe	29

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
820	powershell.exe
2948	powershell.exe
2312	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0d7cbc882298f639d31191a03ec81bd3.exe

Executes dropped EXE 4 IoCs

pid	Process
1788	OSPPSVC.exe
1848	OSPPSVC.exe
2880	OSPPSVC.exe
836	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0d7cbc882298f639d31191a03ec81bd3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\1610b97d3ab4a7	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCX2AAB.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCX2ACB.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	0d7cbc882298f639d31191a03ec81bd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
3000	schtasks.exe
2888	schtasks.exe
2788	schtasks.exe
2268	schtasks.exe
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2304	0d7cbc882298f639d31191a03ec81bd3.exe
2948	powershell.exe
2312	powershell.exe
820	powershell.exe
1788	OSPPSVC.exe
1848	OSPPSVC.exe
2880	OSPPSVC.exe
836	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	0d7cbc882298f639d31191a03ec81bd3.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1788	OSPPSVC.exe
Token: SeDebugPrivilege	1848	OSPPSVC.exe
Token: SeDebugPrivilege	2880	OSPPSVC.exe
Token: SeDebugPrivilege	836	OSPPSVC.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2312	2304	0d7cbc882298f639d31191a03ec81bd3.exe	36
PID 2304 wrote to memory of 2312	2304	0d7cbc882298f639d31191a03ec81bd3.exe	36
PID 2304 wrote to memory of 2312	2304	0d7cbc882298f639d31191a03ec81bd3.exe	36
PID 2304 wrote to memory of 2948	2304	0d7cbc882298f639d31191a03ec81bd3.exe	37
PID 2304 wrote to memory of 2948	2304	0d7cbc882298f639d31191a03ec81bd3.exe	37
PID 2304 wrote to memory of 2948	2304	0d7cbc882298f639d31191a03ec81bd3.exe	37
PID 2304 wrote to memory of 820	2304	0d7cbc882298f639d31191a03ec81bd3.exe	38
PID 2304 wrote to memory of 820	2304	0d7cbc882298f639d31191a03ec81bd3.exe	38
PID 2304 wrote to memory of 820	2304	0d7cbc882298f639d31191a03ec81bd3.exe	38
PID 2304 wrote to memory of 1788	2304	0d7cbc882298f639d31191a03ec81bd3.exe	42
PID 2304 wrote to memory of 1788	2304	0d7cbc882298f639d31191a03ec81bd3.exe	42
PID 2304 wrote to memory of 1788	2304	0d7cbc882298f639d31191a03ec81bd3.exe	42
PID 1788 wrote to memory of 1392	1788	OSPPSVC.exe	43
PID 1788 wrote to memory of 1392	1788	OSPPSVC.exe	43
PID 1788 wrote to memory of 1392	1788	OSPPSVC.exe	43
PID 1788 wrote to memory of 1688	1788	OSPPSVC.exe	44
PID 1788 wrote to memory of 1688	1788	OSPPSVC.exe	44
PID 1788 wrote to memory of 1688	1788	OSPPSVC.exe	44
PID 1392 wrote to memory of 1848	1392	WScript.exe	45
PID 1392 wrote to memory of 1848	1392	WScript.exe	45
PID 1392 wrote to memory of 1848	1392	WScript.exe	45
PID 1848 wrote to memory of 2624	1848	OSPPSVC.exe	46
PID 1848 wrote to memory of 2624	1848	OSPPSVC.exe	46
PID 1848 wrote to memory of 2624	1848	OSPPSVC.exe	46
PID 1848 wrote to memory of 1724	1848	OSPPSVC.exe	47
PID 1848 wrote to memory of 1724	1848	OSPPSVC.exe	47
PID 1848 wrote to memory of 1724	1848	OSPPSVC.exe	47
PID 2624 wrote to memory of 2880	2624	WScript.exe	48
PID 2624 wrote to memory of 2880	2624	WScript.exe	48
PID 2624 wrote to memory of 2880	2624	WScript.exe	48
PID 2880 wrote to memory of 752	2880	OSPPSVC.exe	49
PID 2880 wrote to memory of 752	2880	OSPPSVC.exe	49
PID 2880 wrote to memory of 752	2880	OSPPSVC.exe	49
PID 2880 wrote to memory of 2932	2880	OSPPSVC.exe	50
PID 2880 wrote to memory of 2932	2880	OSPPSVC.exe	50
PID 2880 wrote to memory of 2932	2880	OSPPSVC.exe	50
PID 752 wrote to memory of 836	752	WScript.exe	51
PID 752 wrote to memory of 836	752	WScript.exe	51
PID 752 wrote to memory of 836	752	WScript.exe	51
PID 836 wrote to memory of 2104	836	OSPPSVC.exe	52
PID 836 wrote to memory of 2104	836	OSPPSVC.exe	52
PID 836 wrote to memory of 2104	836	OSPPSVC.exe	52
PID 836 wrote to memory of 2160	836	OSPPSVC.exe	53
PID 836 wrote to memory of 2160	836	OSPPSVC.exe	53
PID 836 wrote to memory of 2160	836	OSPPSVC.exe	53

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe
"C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6c8156-55e0-4773-9958-a527404691ea.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe
      "C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd64d46-6cfd-4573-979d-85a44bca5c21.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53978816-553f-4840-99de-2f329f51c955.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429a4b34-8df0-4e4a-9faa-86defa58d86b.vbs"
        9⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f9cfca1-5e5a-49ce-a31f-2089b4c0de16.vbs"
        9⤵
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b75cb5-c559-4a83-8589-f5969512486a.vbs"
        7⤵
        
        PID:2932
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4d0bc7f-6ce4-470e-9a6a-521917b91b10.vbs"
        5⤵
        
        PID:1724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7a2fca9-b45e-4373-b180-5395d26daed6.vbs"
    3⤵
    PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe

Filesize
1.9MB

MD5
0d7cbc882298f639d31191a03ec81bd3

SHA1
93124a821e8fe02c1736cb62e9a613c8dc8379e6

SHA256
56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913

SHA512
5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dd64d46-6cfd-4573-979d-85a44bca5c21.vbs

Filesize
745B

MD5
b5e0fee225ae7176513852b221d2d437

SHA1
2d4a90a789c1186b5937d9d4e443f7879fe6a6b8

SHA256
f348644e97d4555fb05106d07845cafea3222f24e48e53257851a2604ab98bb0

SHA512
7156ed3c90007742a20c86fc0c99cc7739f29111dbebebcb20da9f9aea254deebd7f725fe18f6ca7b628cb7eee08ab5954b60e4052e11b00ebf66ac5c8b8e66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\429a4b34-8df0-4e4a-9faa-86defa58d86b.vbs

Filesize
744B

MD5
2f541c50276dcac7ba01875426fd3f0a

SHA1
357ad5cd991df59701d59af7e4df702047bff4b8

SHA256
3995ee79bc237f8813aa0eb20109f8cb18c2463e32ee31a5d5422b6fef740fbc

SHA512
f47acf5e6aea6c1fcd6743818b3d779668cb8006d83f39ea69a70b85733b1cdb1092b82095890a2841065c4a97760b00721920d90c5b0b4d830b4a8226abac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\53978816-553f-4840-99de-2f329f51c955.vbs

Filesize
745B

MD5
76126169fd6930a73cd60ec771f22a97

SHA1
81625d20c7536cc359cd05a364e25ff06373fb09

SHA256
96a3c816481191fe82ae7a16bf77ee4a31823c5b207805e40573dcaac62f6532

SHA512
563a8787ee7b5539c9e34b7dfef98314443052aa3c6f2b78e5a209c23e1eed143b25e42434848d3cb79be97c2a5b2d3098c6d34ec5e001ba39db37d02c350047

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7a2fca9-b45e-4373-b180-5395d26daed6.vbs

Filesize
521B

MD5
ec3cfb00792253dd2fb4c6f6852ee5f5

SHA1
520e567717baa9706def70f61e7788772be2a9aa

SHA256
daab59844edf7bf162d8c8c4de81ca930d3a2ec15ec30eb6269b54c3e459fb42

SHA512
9b69f862a3b33810d75b3af13dc8a0692a84e706c08462a5547394cc356ceb3438df7423f5973267ea20855ee63d69381563e31955874913e6bf3993cf6d0745

Download Submit
C:\Users\Admin\AppData\Local\Temp\da6c8156-55e0-4773-9958-a527404691ea.vbs

Filesize
745B

MD5
b31bebaa07eafc53dd6f82f9f7cb5e46

SHA1
e779c33149ab81f096723faea8d7b4ad52defc8b

SHA256
578ad57abea57620b6794cc060d80d3a23e331f29abe18836558afff118ab7e0

SHA512
d15db939c17da7b41c968120989b026d285e6e0e8f0158f8737b206fa34490d1e83bb46a01b0f41872aac83c2ce9151946188179a98d25b12a6c9117e18967b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VWKEBRSSFCQBHGBCHIG7.temp

Filesize
7KB

MD5
a46716f8e4b2e8f67c62618f0181f963

SHA1
fc934455d7106b95dfd945cc81ae067a1730c354

SHA256
5db524fdbe62bfb3563c7579f610863329e259f3b901cf1358a082b2412f0f78

SHA512
dd480cac681a15c4e23aebc0dcaf1f6690d63a60f0aac3491680d704088be7eb64ebbde556be821d438be23c8ff049f1f6169a0c4c458c82a294a1aebdecadbc

Download Submit
memory/820-75-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/836-116-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/836-115-0x00000000010D0000-0x00000000012BA000-memory.dmp

Filesize
1.9MB

Download
memory/1788-78-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/1788-74-0x0000000000B60000-0x0000000000D4A000-memory.dmp

Filesize
1.9MB

Download
memory/1848-89-0x0000000000C70000-0x0000000000E5A000-memory.dmp

Filesize
1.9MB

Download
memory/1848-90-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2304-13-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2304-6-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/2304-15-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/2304-14-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2304-17-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2304-10-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2304-12-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2304-9-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2304-1-0x0000000000F60000-0x000000000114A000-memory.dmp

Filesize
1.9MB

Download
memory/2304-7-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2304-16-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2304-8-0x0000000000A10000-0x0000000000A66000-memory.dmp

Filesize
344KB

Download
memory/2304-77-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2304-18-0x000000001ABE0000-0x000000001ABEC000-memory.dmp

Filesize
48KB

Download
memory/2304-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2304-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2304-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2880-103-0x0000000000660000-0x00000000006B6000-memory.dmp

Filesize
344KB

Download
memory/2880-102-0x0000000000300000-0x00000000004EA000-memory.dmp

Filesize
1.9MB

Download
memory/2948-76-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download