Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:11
General
-
Target
641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe
-
Size
1.9MB
-
MD5
75fb0392f18c15fad9c774931e0d9958
-
SHA1
100648ec8d8a1e7929dcba0d3bd40967879feb3f
-
SHA256
641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75
-
SHA512
707a0b0eaca939144f2f22bc76d030f6365a51fb4a295d5a17674420c910a71b68ddea6153bfc75a873f86d142ef02a085d019c2f363a3f3e4a280aaceefec32
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 24 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe"C:\Users\Admin\AppData\Local\Temp\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\WMIADAP.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ras\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AJeFeQM4g.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a426c115-f07f-4cc7-8a1a-33aa0abc1449.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02c4d7f9-06df-4a6a-9384-31bb8a1f5624.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854b13b3-7924-4570-b571-e8c99efa427b.vbs"8⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a807840-5efa-43cc-8b62-2aeec723fe8d.vbs"10⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5c1730-6ded-411a-9976-1948d18e53e8.vbs"12⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe27041c-ff80-43e5-808c-8ebe5a1f76ad.vbs"14⤵
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\159bafb2-f367-4c71-a7aa-db56d97b43c9.vbs"16⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c56d3e3e-268e-4577-87ab-8be0ab7e51f7.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35cbf336-66cf-4342-b189-e8a63aa63c1f.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91cbbd04-ccb4-4d70-9eb1-e42c34d217e8.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26d4d45-81ee-4fbc-a253-de9ff7bc8b75.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8179bf65-e6f1-4a58-ac1b-5266603c78dc.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24452eff-2ee2-46ba-8802-9c9719197b9f.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daaf91fb-8953-4a72-8510-47b78a554e51.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a756" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a756" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\ras\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\ras\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\ras\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5119dc9d9d15753e6a8f2b7090a7ce306
SHA19e281aa5f70c3f3cdcc916d53c380919485d049b
SHA2562afbd007757b1fd19cc72e63f4deec50194727c9a83e812d7c1199c400508871
SHA512d86a249c02b521a9f15d356b663393bd9adde6607cf078128bc0a2e38ec96101a43290a8045248e476359e00578be4ff95ded2364fa8aa663d1219c4f44de994
-
Filesize
738B
MD56af961e07acb9b8e1755047d1b2ba2dd
SHA13d568d24a5c877f1546fd7fada53e40c7fde3111
SHA256853eb688b4bf2d882acae133cdbe7fb44a9f306932d3e302eb5879f79dbb42c5
SHA512daffcfe4b79570020f12c0a03de7b063de8ab92c26f19c5ca208953a19ae9350e1abc901cd26ef862571e739c910ba4367375a62d38831664841bf8677efff2f
-
Filesize
738B
MD572999070ef9cb994710621a6f6fcebe4
SHA1d6b8d097a6b980b48dee7608eb61df34b8204984
SHA256c81fc6c0281f27a91d38d0095fc765a851742f6417a64deec4f3464e1b9e8362
SHA512b27df3cedff8664f92260a017542509bbe090bab02d1c28872ad5960d4c8d71e920578df43cd4a4ea11d6d9ba45036a9ab71bf298ab071aa6b640260971f2af7
-
Filesize
738B
MD5bfb3be89cea3ee8d8304e787c2ef833c
SHA18b7482fc5dd05a23d4b868e09959e4171ad1a110
SHA2567b3066916a4c49061180282541ddef67aa7d7ce35a84d08ea1b01f43c757b056
SHA51241b69d402dadb1a3b1ab5cc563254aa142dd83eb8aaccf33937292fb6a3cdb96a116a4fdc496110eec6987854e92a7527e4eacecc44b22016d51fec86c6cecd2
-
Filesize
227B
MD585588f3329c7fa9d19e5929124463478
SHA143a3a483cf2c4fe485c1fa8a69b8f080cde0df68
SHA256e998ace6f7955575f2f9f4da26d05d6b6878140de242f73378ce4240767b0215
SHA51218c6aba19cb167df88a417a0e7e8431c0ed375907f1bd7cc76eba0e25510d1503ae7186092b58eda5d54a2f8a452cf56db29e4b48dd7c857c9bdb8641dd6e86b
-
Filesize
738B
MD5d52c44e88459d9c76045962b5bb8216a
SHA17d502394d9f04b5dd769d9cf6a3c1073987a0901
SHA2569cb796a6893cf820b60d262658e43d0d9fa138b7e877ae61e52987773ce38121
SHA5121205bd82e6d9c7e6b91e586d094f0ad00023099abd0b560e8276aa15578b2de2a3ffec91112bc6b770d283cca830afa96e52977b3b092a18e6e324605b8444c4
-
Filesize
738B
MD5bc2a48476cfe62ad304d4692aa770112
SHA1a228250eac85e2be00ad8274d951013e2786ad5f
SHA2567de2be828a1b55beff064789d04419a420b4c3fe5a8a39b7741b4f5ba59255a1
SHA5128d6e7f066aa3e22c59b49ec94ccb9925b5d346094c1ddb83adc2f39a982e7420f8efea98f900e225c4dace0ed8736175e003415d6deb8a78af5f062f2c8704a0
-
Filesize
738B
MD507241c529a013b70d35155d352cbc63e
SHA118cc107d3187096fdbde5925ebf9d0a433e0ed13
SHA256f1b4fb212abc7d06fd2c273e8233d649530a46e84184c98b3ae79f3aea2f6dc0
SHA512279f31bdef1d3af2e5b16e1c69aefeae43f78cc619d6b1203328feade7a245136ed07f83e1d840734a97f307e230821c9cbbe9995bd48e1c276ae597a2c936ac
-
Filesize
514B
MD57f119a318da2a3c0a3fbf61f6eb1b954
SHA10cbff25325330fc1f113029fc0b2c0e6199ee788
SHA25674fe64fd78a35ebec9ad2169211f18f39ca75d7128dc8b399cced42200356437
SHA512766121414d730345d1c0ec212f751f8266c09755d83efbd0a396209027ac83409a06d60bef25c450ab7f69abcb06354af292c93d8ade1e7941c191ef4d2058ca
-
Filesize
738B
MD5ef782d17121ffc2db3d675270c66c2fa
SHA1660b474038659ca8748f65c9994b818686998a2a
SHA25653710ccba4c5a6d84f40d727719cef65a07cbbd72801a498cf3b7204ae3c2c47
SHA512c28e171ab7c109329b652aa573c75ddde39e1b81dde8d085ea828f3d77b3ef61c2552eddf8e22bb23358dc64f1a5bcf7c6a2e88fa8c950d38c6094e65ceaeae8
-
Filesize
7KB
MD5666e4703f7f8b3bb6756da14c28545ca
SHA19991177731620da3e1cb182c79ba4e93261b488b
SHA256f18df802534fa844c94155e63279e2bfcd675e116f0a6955af6324cea815e00c
SHA512b1f829e17f6bbe4183e4fc9c61c2e3b4c7a552d9956be2a1ea2236670cef0a654fc1bc7791200598134c483348506b20f3d350ce806f75c08e19b055eb671251
-
Filesize
1.9MB
MD5afe271e00a88adb6f32adb8adbec6105
SHA1355b4f197a438ff9047774f7f46df858be49cea3
SHA256acacdba70a0beeac48c53eefb4a835775f4c3564d2c01b8f5d9696224a3d8d49
SHA512872f06c4d77e5c31e2bc1ca54b9e9d6ecbc92b2397e32269e676a21d9bdc14f45fb328ef065f0ecf6e94ca092e50194b80a1a7e11bc36c6f6353154e6124c672
-
Filesize
1.9MB
MD575fb0392f18c15fad9c774931e0d9958
SHA1100648ec8d8a1e7929dcba0d3bd40967879feb3f
SHA256641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75
SHA512707a0b0eaca939144f2f22bc76d030f6365a51fb4a295d5a17674420c910a71b68ddea6153bfc75a873f86d142ef02a085d019c2f363a3f3e4a280aaceefec32
-
Filesize
1.9MB
MD5c8d312547872e34294ab700ae4980f0e
SHA12d955569a7707531352a69c0f8ea53031ed3eb50
SHA2561eef4529220b3cbea7a31febacfe51abbdfea66dd10ca6bd6145889ac4da3dad
SHA512df4d4bcd40cd51e8cf7f7cc3cf29c05f452d6bd5bc160b0c1389d983e8255ac8a39c7467f59f042214eb4eac9dcded0ce6a3d90fd73f60a87d458e4d8d2405c2
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
1.9MB