Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:09
General
-
Target
34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
-
Size
1.9MB
-
MD5
34655ac11b4f6a8d6f1ea8e2fbbe0676
-
SHA1
d17ed388047ec77145ef4c96e3760ea94985caa7
-
SHA256
75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
-
SHA512
2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
-
SSDEEP
24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 21 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 14 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\unsecapp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FU5t9pRjNL.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\Fonts\winlogon.exe"C:\Windows\Fonts\winlogon.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3dd17b7-d646-4a7c-90ab-4df43ebab7a4.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\winlogon.exeC:\Windows\Fonts\winlogon.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78f3b82f-3961-42b8-90a2-5096834a78c7.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\winlogon.exeC:\Windows\Fonts\winlogon.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb1e9304-a752-4fad-b32a-e49d646fbca0.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\winlogon.exeC:\Windows\Fonts\winlogon.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe95dde-77dc-485e-998e-026781b0cde6.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\winlogon.exeC:\Windows\Fonts\winlogon.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11f1b7c-a954-43ab-a1c4-35391b5dbf56.vbs"12⤵
-
C:\Windows\Fonts\winlogon.exeC:\Windows\Fonts\winlogon.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f1be790-c663-41d8-ad57-388ff40f3d21.vbs"14⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f42dcc16-b0a7-42b3-8477-6210519e1b59.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e081ab2-7915-401f-bb3d-465110a47eff.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604ea1a1-ddd7-4e01-b7df-997a8912fe54.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c37e47a-4fa5-4b4a-928f-82ecea047ab8.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b72fbc-4cdc-460b-82ca-eb6104c280ea.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e83f49d5-15c7-4a0b-88b0-42e5c171766c.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Videos\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\it-IT\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD54211e11d9a2e2d47e2a10c70cefa2565
SHA186d98f062585f196a8f57ac090087ad9f11a98ed
SHA25637856a1d1c58b3182c768e6933dd321a32427019cd7134652ea5b9583f35f2e4
SHA512de26259391b9f1ab59de581fc2fe5a01f6a69b5df4809c74783b9effbebd80f1c1316f1fe95e46397330b853acb0e605148dca77ef98d31058602c2f753b60ba
-
Filesize
1.9MB
MD534655ac11b4f6a8d6f1ea8e2fbbe0676
SHA1d17ed388047ec77145ef4c96e3760ea94985caa7
SHA25675b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
SHA5122c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
944B
MD5e69ced0a44ced088c3954d6ae03796e7
SHA1ef4cac17b8643fb57424bb56907381a555a8cb92
SHA25649ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108
SHA51215ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4
-
Filesize
944B
MD5fdbc304f3d894fc63c481c99aa258017
SHA147cd3a7cae4dbf6bdd92532bbb69224a75221b86
SHA25658c02d17c622f9ffc1744d26a3be409d7a95796119bcea540e54dcf687c8abb3
SHA51218923c6b620a47d59377bdffd8dbf9717750a52980530cd67c169704649e471b1583eda2045cc7db84e560a9672759f8ea0c3a5ab45d4f328e17aa6e0ca5fae1
-
Filesize
944B
MD594f35f261590c8add6967ae13ee05fab
SHA1e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7
SHA256db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63
SHA5123e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb
-
Filesize
944B
MD53357c199be211a745818714039e25935
SHA17d50d07ff2e234f3d10a88363796cbd615b1e9a3
SHA256668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38
SHA512052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077
-
Filesize
944B
MD5e1c41ab70e6e5907330c398d5789b851
SHA139dbfc40fb75793d222369e59ae5d784f5c3b7a3
SHA25690c7c4c7f4671b52194b8e5d5e43715003581b96ee6418ced8c3bab9329a1fad
SHA512a5e07a6316a8142a0680d9ae73890daabb18de56540ed1025f1a7a463b7992854b7b31c537d8e1a32deaf8864dfacc88fb2203c22891643f9e1ddc713968c3fa
-
Filesize
944B
MD5f26021db51b2ceb0c03baf5665a86386
SHA15487265d705c72daa8495c543f2182a64b373da3
SHA25656a4d25798b8d3102fec5025892dd6ff79500aee72db311e82b1308f1783db6f
SHA512e09f018d22c3dee7ff7dbd6d79182e5c94be1aba0ceaeef3652d254712fa8393dc81002e20de3749abd3420ce0ed23dee176fa50eeaf80d6ee09a9dae2a1a49f
-
Filesize
705B
MD5efee26695151ca48cf14c5eace316fd4
SHA13288d949e6e069b09041403d5e149dc82127c83e
SHA25638f5e0ff8f7b702d32de7a6f2dd45ebd34b8d548e3f0e6b0857062a6e187435a
SHA5122cc1caf2c3058bafd8065152c5387cf55a63e0af377a560289620e91257ef1aeda02c549f8e3651d212fd441d10c71d35e97ca6cb9ddcd2cb10ac7ecd8f49856
-
Filesize
705B
MD51045ac74f0b03a2abbbf17afe022fec6
SHA12367924543c7bcba4a6777fe82bad23bed8ca3ef
SHA256507733bafb7fbcda1cc29f2040359d000aa2943a6c496c7661094b60205e87c6
SHA5129f6963c83b987e062e76943208249e9e74e07522744ba4b1966ecae57099892775e6b483c21834a5d18f439c4eb5243ceaa524a26ae932d28d49ab2d8363999e
-
Filesize
194B
MD54bba262541f501fc11d00d95bd6def69
SHA10e7f19bfe38eca09327dea417146e70cff548f88
SHA256ad8bbf11ce0e496c83e9e4e7a7a5f03719d808bd60c44a3a16897338fa55f139
SHA51214b177a56947d8d73aeec9e484c48297f901b29f73e052cd33e54f98ba4d3a8862f88d0b42171d6226dcae7cc9ffeb3d8587971aad0a8adf72cbbda200b6b6c7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
705B
MD5fb2ce8b99939ec54e50d3ce320c9d331
SHA185f9904a75f160e13898b12d233fc3727bc8ced4
SHA2566e7272450e0b0eb74f3701d7561a7f4759f584d278758cec266e6a00fe3b879b
SHA51225c25e69dbd8adb382bcec9b1f410d4c8cecd8f957e466e26f64afe9bf9093f8b129b9742f7ae919744c461c00ba8ebabf811ba0171a2b28211b836ebd3eb16d
-
Filesize
705B
MD521133d4011dc426e82e63bfe99af0e5e
SHA167f1b155564729b143d2e18145f17f829e5fb954
SHA25625e66a6113a11f92c7e0b56505895cdb39c1e98412b53a6645bfd90459f9650b
SHA51282c45c6af8e12be394da328cb82d6635c6280fe789779ca8401968066d5904b6c958058993de9501d570a8b6d9c41b1cd2ffe570ae00a8b9777e96f6602e91e7
-
Filesize
705B
MD5ec32179519350dad6cd5efb85c34e520
SHA1bdad35aa4e548e23fb5eff734acbcddb0e4ad2b9
SHA25624f7c3785d6b70aa7b82a2d6786528d55414cb6622a7cc72501b0b9e464f5a8f
SHA512fbe384ba097463409d09a4f34c659a85745e02a2579e7e81f1535f3fa1b13ca487d8480999b13f8508eea586db5b7a31c0dd3b74fd60c6aa47b6924d2eb818a4
-
Filesize
481B
MD50267004bd458085a9d9c2c172450162c
SHA18f386d4e2e9474e268b4ed3a042ceb6ad1518fdd
SHA256f4b955fdc79db556d54187c2d37438be43a5925cb148a741e8874be275c3b60e
SHA512cee3bfcb0b324dc127d56521949ed64447e37709b7fbb85c0ee60e5a87210d6c9a8a4ff34ab1f18b850aef792014894249637a490f4608ba7583782497a3116b
-
Filesize
705B
MD5c3f6fab623c6831bae31451763714e35
SHA1d220fc77c56ac0199821f7ec6931d34bff5440e3
SHA2563d0ab0f1214d7d5142772e295cc12f56dd4b503203fbfcc1dc4fced93245cb00
SHA5121ac2552dba7942c925ee7f650f6dd884d42b246a1513b3239fee947c7529e676acf03714ed6855a9f488dec31a7cf4e42cbab4b16f69bd3e51284999b255475b
-
Filesize
1.9MB
MD5829c6632311527c03989a87da17b8ff4
SHA107b8bfebb59abb088cb317dd455d17bf3d7d7295
SHA2561fd79f21ade48522f8c0ec011ec769fc8620cf76bb09d20b15d98e462b6a336d
SHA512d9bbe3e10c0803f636d2db3bf3afafb9e051225a02d497c569b3a08687eccc7e21d37abc39a4bfb6192e4f8cbb69e0324c8bf2eb7d829f4afed33117f99275dd
-
Filesize
1.9MB
MD59150586ba7515586a183afc953e89415
SHA114f818da771a431ed419d41e565292e9bc8dd552
SHA256d06dba3893a5279e7ff53358962e4d2e9da39c60232b0dd4efe9faad1a529e2f
SHA512742d8d39f98bb808ceb49000ff70fa799924c017ee395924ae7e34ec02aaf795a32333203c74f352c94450a08aaab05fb118c35424bb9508f41fc37364c17eb2
-
Filesize
1.9MB
MD5b523df3885f88b3780493ae39e2eae84
SHA1a0f851d9989e89f00dec4d44a4b649c17848ff77
SHA256d90a09ca170421f1c948ce876e485e24075b3853ebc4a827587ddd72b42d7089
SHA5122144819816a1c2691dd10024d61242f8787995a1eebe4b57a9dd8b2c327fb9eb3ac1d2ed13024139b69077583546ea98052448906d1c709709607cfc6c08f403
-
Filesize
1.9MB
MD57fe727db381843354dc584088bf27833
SHA1de9cc6e8fac00b80db87bbbc0130a89bd3f4ddb1
SHA2562783848156c868215879db1e7c0e97063451d5c19a75514e0de5de7201d041ed
SHA5120e2beecae8ac8c71ea7eb9f2e33fe8c925a7a0c9d82fa99a2c50a602f81e816d224ee00d7de9765c895e37ad898e189f8a9d430b0b42e841b4e78dacab333128
-
Filesize
136KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
344KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.9MB
-
Filesize
344KB