Overview

overview

10

Static

static

10

43e3cf7f28...56.exe

windows7-x64

10

43e3cf7f28...56.exe

windows10-2004-x64

10

441b1668aa...5d.exe

windows7-x64

10

441b1668aa...5d.exe

windows10-2004-x64

10

442867883c...aa.exe

windows7-x64

10

442867883c...aa.exe

windows10-2004-x64

10

444561befc...24.exe

windows7-x64

8

444561befc...24.exe

windows10-2004-x64

10

4454ceb491...79.exe

windows7-x64

10

4454ceb491...79.exe

windows10-2004-x64

10

4455bb88d2...82.exe

windows7-x64

10

4455bb88d2...82.exe

windows10-2004-x64

10

4478036b24...33.exe

windows7-x64

10

4478036b24...33.exe

windows10-2004-x64

10

44936a5622...c4.exe

windows7-x64

7

44936a5622...c4.exe

windows10-2004-x64

10

44a74f61ee...28.exe

windows7-x64

10

44a74f61ee...28.exe

windows10-2004-x64

10

4502536cf4...2e.exe

windows7-x64

10

4502536cf4...2e.exe

windows10-2004-x64

10

45031250d6...94.exe

windows7-x64

10

45031250d6...94.exe

windows10-2004-x64

10

45031a9738...74.exe

windows7-x64

7

45031a9738...74.exe

windows10-2004-x64

7

450bef50c0...67.exe

windows7-x64

1

450bef50c0...67.exe

windows10-2004-x64

1

453d8a7000...22.exe

windows7-x64

10

453d8a7000...22.exe

windows10-2004-x64

10

454e6ce92c...08.exe

windows7-x64

10

454e6ce92c...08.exe

windows10-2004-x64

10

45707ca513...4f.exe

windows7-x64

7

45707ca513...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    441b1668aa7980a3ec40cf151cea5f5d.exe

  • Size

    1.9MB

  • MD5

    441b1668aa7980a3ec40cf151cea5f5d

  • SHA1

    c38963f651a4a062fb712e9fbe7cb39cb9b4b0f5

  • SHA256

    8fff8f0b312deb03f0f95f4df36073a6b5da22b83d571151c7b5d0ee4837c06a

  • SHA512

    299c3014e97c402f59d8878ed67e406ada3b277c3d43a1c4e698c825e27631c8acf3987459f588d3e02d7a7d7b4f0e656b641a56d11ba1bfca2e813a1e9fa817

  • SSDEEP

    24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score
10/10
defense_evasionexecutiontrojan

Malware Config

Signatures

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 18 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 18 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\441b1668aa7980a3ec40cf151cea5f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\441b1668aa7980a3ec40cf151cea5f5d.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\441b1668aa7980a3ec40cf151cea5f5d.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\servicing\Editions\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
      "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:560
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f7fc65a-4dc6-47a4-820e-1c622637a76f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
          "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:816
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51684def-0678-476b-8131-23b1b3064bf4.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2828
            • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
              "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2644
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590bf50a-7da4-42ef-98c5-21c126547d64.vbs"
                7⤵
                  PID:2372
                  • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
                    "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2524
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b45cfc-5571-4c65-9307-cdef289fea2a.vbs"
                      9⤵
                        PID:3008
                        • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
                          "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
                          10⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2704
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a076474-d153-425a-b4fd-2fd49112494a.vbs"
                            11⤵
                              PID:804
                              • C:\Users\Public\Documents\My Videos\WmiPrvSE.exe
                                "C:\Users\Public\Documents\My Videos\WmiPrvSE.exe"
                                12⤵
                                  PID:1556
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2cc2189-d91b-4aaa-abcf-cfa898b72a2b.vbs"
                                    13⤵
                                      PID:1068
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e2aa404-d92b-4483-8198-e8b0c9b432d5.vbs"
                                      13⤵
                                        PID:816
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af53bd7d-1128-4902-858c-0d57b0b56bb2.vbs"
                                    11⤵
                                      PID:3048
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86cb3d0c-0eea-4a3d-8cd6-5234a42efa30.vbs"
                                  9⤵
                                    PID:2424
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac051659-a159-4e34-a6fe-706dbdbfee45.vbs"
                                7⤵
                                  PID:2664
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ad9726-4b6a-4e56-afd7-48bc23d72ccd.vbs"
                              5⤵
                                PID:2252
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb0e886-6fdf-4bbb-ba2d-6451e1c5d55b.vbs"
                            3⤵
                              PID:2748
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2744
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2112
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2404
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2644
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3016
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1196
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2004
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2300
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3060
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\servicing\Editions\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2412
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2260
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\servicing\Editions\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:628
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1156
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2420
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3020
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2252
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1656
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1928
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1136
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1776
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2160
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2220
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2064
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2008
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2236
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2608
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1868
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2488
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2748
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:520
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2128
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1472
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1592
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2272
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:804
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2456
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:568
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1228
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1812

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files (x86)\Microsoft Visual Studio 8\wininit.exe
                          Filesize

                          1.9MB

                          MD5

                          441b1668aa7980a3ec40cf151cea5f5d

                          SHA1

                          c38963f651a4a062fb712e9fbe7cb39cb9b4b0f5

                          SHA256

                          8fff8f0b312deb03f0f95f4df36073a6b5da22b83d571151c7b5d0ee4837c06a

                          SHA512

                          299c3014e97c402f59d8878ed67e406ada3b277c3d43a1c4e698c825e27631c8acf3987459f588d3e02d7a7d7b4f0e656b641a56d11ba1bfca2e813a1e9fa817

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\2a076474-d153-425a-b4fd-2fd49112494a.vbs
                          Filesize

                          724B

                          MD5

                          0d341d6c3fb672aa6a3520f876e043ea

                          SHA1

                          8f094579110c103337719c53eee3a1e45efe8167

                          SHA256

                          656fb39d1ea425c4bf7f19a81c02232569e63484f09cca91dafd4b6cd6ddb5bf

                          SHA512

                          0cb8849265d2bd2d00e9b39f39a2710c66473cca29240f26f97489b2f9fe0d057de0ac9aa5fb42dfed79dc9d50816996f280a22da50458cf40aa65718b960f67

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\51684def-0678-476b-8131-23b1b3064bf4.vbs
                          Filesize

                          723B

                          MD5

                          895699d146c5925286670719c282aee0

                          SHA1

                          5ab7d975a1dc37926b9fcd7909a11a728abcb822

                          SHA256

                          1b68ab1399ffe17ab21445e8d94ca49422ee074e88f30291415fe890ac3af7c5

                          SHA512

                          e147ffd61ec21dfa27f17389733d88c3411e9d3c10be59724be1eef04f53f9ee962f22650f08b1286edfac930399b09503e0232c270b1f1180a19e1669e56c0c

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\590bf50a-7da4-42ef-98c5-21c126547d64.vbs
                          Filesize

                          724B

                          MD5

                          dc1e1c5559118005289a63dc6bffb739

                          SHA1

                          cc051fe7d4d9d014049822efff2657306d01ff77

                          SHA256

                          cf81d3d6b1baa76d2064b3a4983ed4e9ada17603285aae705a26cc1f44c0411f

                          SHA512

                          ae487736b76a7b501657cdd98ece981d8c2e1ba48105c90015f4c17ceafe84ebb6322a71c86fa7ef875b75ccd706712ce2043ec2e861a1d84bbc4c4123f8ae33

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\7f7fc65a-4dc6-47a4-820e-1c622637a76f.vbs
                          Filesize

                          723B

                          MD5

                          542433dc2da99c478b41be090b5b335c

                          SHA1

                          1019c81c3e9ad5ace0f1f372c0e5c0df8f2038f1

                          SHA256

                          4dfb34724a721b05b51315590f647614360700092e71679ca84e726746553413

                          SHA512

                          54d34f5f88a87e5f1f7ac53ef013925c7526c8319faec89fe2aabad833cc7971cb2763e3d9c5b9de655375ac67d0a2d3e5baf1113e0d5d2cd513dcc4a64d120b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\99b45cfc-5571-4c65-9307-cdef289fea2a.vbs
                          Filesize

                          724B

                          MD5

                          f4b304cbe7199893a0ce9f18c886f512

                          SHA1

                          365cde1559c75320702570b04c782b3cc9022e91

                          SHA256

                          06f6c9f92b3cf3e44c5f058f3d62de82fa591ed548bb48990be25998ea4275c9

                          SHA512

                          cba13c5b83d8a1f26a3757f7dd89e41058af54553d8e7d4d605c5d102d1713735524646833b34d9a7063c632d4a4ba52d6fc9318046c50ce1e766c8a24700695

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\beb0e886-6fdf-4bbb-ba2d-6451e1c5d55b.vbs
                          Filesize

                          500B

                          MD5

                          7c0bb813f90690adaff77763c5828998

                          SHA1

                          9d78fece415da8762fa869db832879d74149f6f1

                          SHA256

                          11c65a9436c3358dcfdc5bbae4408f56716afc97d8fac29e6b39a5c5c980e2f9

                          SHA512

                          cc6255ad211a8e800a77d03d90c8540f242dbec705e3f3a43ebf27e2e318bfefacd4ec6fed531dbacc392c24307d86306b8bf5fd6652537ba3bb877132ae29a3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\f2cc2189-d91b-4aaa-abcf-cfa898b72a2b.vbs
                          Filesize

                          724B

                          MD5

                          8d11dc8e9d4ef51c5daba866292bb2f1

                          SHA1

                          4ffccfe06ec9d875d97c831e2a90b1c5e4e17836

                          SHA256

                          d2f3e654081c07fd240839afbc2b055da6bca5644f737f06f180d69b77d1dfcb

                          SHA512

                          cbc8f4add397657615f8a8ab5a34843863e0d81cfb3a92afd1436804a59cbdbf41b3edf15c9f0c3e457dc1416f1b6e3fe5d8c35e4663839918c3cbd188a1e7c7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\fd23a132d78b1f702c219a82e73e0f42691a8136.exe
                          Filesize

                          1.9MB

                          MD5

                          08dd17dfb0b162bdb2566ad72d0a8f26

                          SHA1

                          de19dc65899307e9b54a3fc82fd6c15adbcf4c47

                          SHA256

                          482cc49886dbd6e82118ffaf9e8e8ab5d8b8883fec76bb120427891d6773705a

                          SHA512

                          1faa6df2ee0371c702a536dcf7506fe5de4d84e7a227562204ffe670103cd37244589a663626f621d6149f5ed6222aab25a30d3f876097fa4fc094b60ef79083

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          50ad81176e5259e558b221226641e41d

                          SHA1

                          6edef93eb6b1c59502d4c90170857a4dc7c14978

                          SHA256

                          aae6d99e65d8615da6dba3c0646a24e1850e90d6918115ae3d03cef9fd3bdd17

                          SHA512

                          cc6ca7aa6d5e4a575c30c238068ce13b1b5e5ce700db6c8711135656d9459317e550a1ed72d3f23f54036a0a50a87bd78a9a5e5cfcfe5bb7044672de0f5ab818

                          Download Submit

                        • C:\Users\Default\sppsvc.exe
                          Filesize

                          1.9MB

                          MD5

                          db91ff039d3b07c9928fffeeb47d8e60

                          SHA1

                          cbd8fb8779c8abc612c8e14598261d702bd453db

                          SHA256

                          4b767b6d75f2ed9417e3080402b3b3769496ac17f53caba62f57ae78c7403ee3

                          SHA512

                          fe38041a1a36051b672836a47a65a26ad11ab138d340fc6d043e472c73ed5718f6d35d5879114c38056504d37b6ae1f7d754f8ad9e5eed5f45533b17d0dcbce5

                          Download Submit

                        • C:\Windows\Migration\WTR\wininit.exe
                          Filesize

                          1.9MB

                          MD5

                          12e5a8471c7dde65bf616b59775da957

                          SHA1

                          f96379ce1d107c012f903a14da76dfac6bffdfe0

                          SHA256

                          5950429164285c4d2b3ad3fcde8979c816c6c3685d811c6cd63c0bd8ac1e6d7c

                          SHA512

                          860909c4f6ca5643728586d16f0b038f97fd6a0aab3bfc5f984aa3682b8abb1fdf9a6554b7683e02d5b58b39f73fb6328f202e5bc4b2f6064f3472308bf36a3a

                          Download Submit

                        • C:\Windows\SchCache\dllhost.exe
                          Filesize

                          1.9MB

                          MD5

                          01469f4eaad0f214b941eeed64876566

                          SHA1

                          359193e1d01c1407efeb7a7c9bac355384747bc1

                          SHA256

                          a17d9a2cc5f42f198b006358db784f3cd133183b30cebc4f35c65e79dd9cd185

                          SHA512

                          ed419a08779b89ffcd7a364b127a3c20e507f8e1f4ae435102cacc156ba71e39b9afd5d34d5c4af40d8779160036e51f9fe66da580e7ef80596933fcccce5826

                          Download Submit

                        • memory/560-243-0x00000000009D0000-0x0000000000BBA000-memory.dmp

                          Filesize

                          1.9MB

                          Download

                        • memory/816-287-0x0000000000D50000-0x0000000000F3A000-memory.dmp

                          Filesize

                          1.9MB

                          Download

                        • memory/1556-334-0x0000000000CC0000-0x0000000000D16000-memory.dmp

                          Filesize

                          344KB

                          Download

                        • memory/2084-233-0x0000000002290000-0x0000000002298000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2084-232-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2524-310-0x0000000000E90000-0x000000000107A000-memory.dmp

                          Filesize

                          1.9MB

                          Download

                        • memory/2524-311-0x00000000006A0000-0x00000000006B2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2868-10-0x00000000006B0000-0x00000000006B8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2868-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2868-74-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2868-18-0x0000000002460000-0x000000000246C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2868-17-0x0000000002450000-0x000000000245C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2868-16-0x00000000023C0000-0x00000000023C8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2868-15-0x00000000023B0000-0x00000000023BE000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/2868-14-0x0000000000900000-0x000000000090A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2868-276-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2868-13-0x00000000006D0000-0x00000000006DC000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2868-12-0x00000000006C0000-0x00000000006D2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2868-116-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2868-9-0x00000000006A0000-0x00000000006AC000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2868-8-0x000000001B190000-0x000000001B1E6000-memory.dmp

                          Filesize

                          344KB

                          Download

                        • memory/2868-7-0x0000000000690000-0x000000000069A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2868-6-0x0000000000670000-0x0000000000686000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/2868-5-0x0000000000660000-0x0000000000670000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2868-4-0x0000000000550000-0x0000000000558000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2868-3-0x0000000000340000-0x000000000035C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/2868-2-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2868-1-0x0000000000360000-0x000000000054A000-memory.dmp

                          Filesize

                          1.9MB

                          Download