Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:12
General
-
Target
6c46d70788b60ff0ba7ea4c5f0549f18.exe
-
Size
1.9MB
-
MD5
6c46d70788b60ff0ba7ea4c5f0549f18
-
SHA1
10cd8b050891004ca06c2be54d55e38a243be162
-
SHA256
f4b884338e802040f828153f0a161ab18205ee0a90b8f778831900c7ae97c465
-
SHA512
c156dfae670696f766ef3672e3513f7c0f66460674cb78c4419b876f36128e593fc9a8be6923d752116f855d3334df65bbc8f26010aee9d8c8d6e4db430ee81a
-
SSDEEP
24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 27 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe"C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bRsYpw9MQb.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\138ed505-152e-45c0-9cfe-d8ab4649f1db.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033071f9-6f35-4b9a-b206-554137802eee.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dc761bc-7e5e-47e6-b8d3-8890db8ed1b0.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\632fd050-1199-49d2-9fe5-00e70a29c545.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbfcd5e0-a2f8-4669-b424-dd87809e2b10.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fea51d0-d405-489d-834f-99d1fc37aa1f.vbs"14⤵
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b418e679-cd33-4640-9e67-4a4014bc6ed6.vbs"16⤵
-
C:\Program Files (x86)\MSBuild\winlogon.exe"C:\Program Files (x86)\MSBuild\winlogon.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80cf74bc-897b-4d84-b751-e936681e8b31.vbs"18⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82b39712-fcd4-408a-9c83-71e8194ec248.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823ec3fd-1c48-4198-b165-4a002571a63e.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62494a37-d409-4dd1-8e72-f4a92eebe32f.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e959cc14-34fd-44f7-9fb8-6f2c3f504d70.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c12cb4-05b9-4fa6-8ab9-fdace6c2926f.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e3994b-753e-4ae4-a3c6-d70183b0d799.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6bbcf5f-2c5f-46d1-8d63-5e2718217394.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9acb381-e86b-4327-ae93-dd4e466292eb.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD56c46d70788b60ff0ba7ea4c5f0549f18
SHA110cd8b050891004ca06c2be54d55e38a243be162
SHA256f4b884338e802040f828153f0a161ab18205ee0a90b8f778831900c7ae97c465
SHA512c156dfae670696f766ef3672e3513f7c0f66460674cb78c4419b876f36128e593fc9a8be6923d752116f855d3334df65bbc8f26010aee9d8c8d6e4db430ee81a
-
Filesize
1.9MB
MD52af075cc07d9d01b67e165512e18b0f9
SHA1b628953ef790b1d1a86055d8221ba373dd0898c5
SHA256d2960cd2bd759de3a5fa7299d86476634c5e852d6aa0bf86b520838bdccd9b3b
SHA5126c737744f545ce019ca27e2a3ba897cd0513824842ac222a47234b88bc307154f2f9f4104a916f87df4716815e01bab239627b771d5a9ed1cf974b7568bd0a97
-
Filesize
1.9MB
MD51a9fe9ed02818fa2bfe9bbafa2ca1965
SHA19f000817a38ec79ecf48059b75319ce78151a443
SHA256a7c510c2898cff1cff0b67010f09c3015c05a7412ec094e11bf077cbd6044f63
SHA51214a2d241db011aaff8dae2f8b963f59ea7d56df9bc5dee72e24f2869f128f1b5345cc3ac0653004ee797f221c58b50f04d2990fc3292f90d044f3b13509b5114
-
Filesize
1.9MB
MD5e5955f11a87bff8574c55669289fde29
SHA1fdeb6028ddbbd333686454ae0dfd6feab6f9d9a7
SHA256560843b2cd7a74ac290b80d3322db45cccdcf3581593bf9a144c8510f9ec4908
SHA512add2b6a3c2f244f7fa9e1c54247add7fe586e68714a2df77c6dd1fb5e4e7bd2207008b8e47ee47febc6f5bcaa0bd8759e865e7b8edee827bb676d527490038a8
-
Filesize
1.9MB
MD5b7784c2c4e88100a13161eb70616013d
SHA1ee62a0b57912051a62dbe6625766d782f43685a0
SHA2566192f31ca6333bdeef2fe5ee19386e1439a2d1499f556ca1eb287f95d8eac24a
SHA512a7af333cb1c1fb2189cd9c64fab43425d55f49ff07d56b8f6374aafd0eb3f7daf858111257947c19b791a3383cbc1f352af010146be7768ec5e33e97c91ff048
-
Filesize
1.9MB
MD543e89cd9a0be094cbc82817231a58d6a
SHA1d3a04e11b693a346099036c6d747fcfabcc7a046
SHA25612621d37fb35b1fe656acf25e1e098eb59945ee30660fced92c40407d3b15b46
SHA512bc2de81f56bdad53a44593063eccecb58fb750239f0f1d147a6e601b2583ad2010599e1937d3df15a502934a7aaddd9780b4fbf996aa69e6de109f6ad09b1db3
-
Filesize
1.9MB
MD54613229bc7c5bf69c076de7ab2363076
SHA103afbd641b10fde9667a62fbe12ee88f63587ab8
SHA256c0b5996b942aeace8c1ef4fffce678195748d1cc7c30c5aca64d0b06ae718bcc
SHA512d0fa9f372c82a7884f62fc6a3e20871c544f7dde1c5da407927c7d9aa94ca5d961cd20f56c320a9400bde3d17d253f0244c608d6da147533d7eddcb848484a00
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
944B
MD5bb875e164d9293920d25c2285cf4e85f
SHA131f5ac61123abb048f244af3e6b59c94caebafa0
SHA256b8d1d0753b26fd3b8cc9ac8324ce14a5d54e3aac8c0696aa696a0474573e4477
SHA5123c2dabe1391f01c9aeba5030ee3b695b78f7449e8e645e2b54c08badd0baaba7fae89a4124d153f14c1f8a0e0fedb1d58e583f3e012fbf49d3721b14ea0b4a85
-
Filesize
944B
MD535be6e176d67a5af3e24a7f54b4a9574
SHA1900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9
SHA256c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7
SHA51209d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f
-
Filesize
944B
MD53357c199be211a745818714039e25935
SHA17d50d07ff2e234f3d10a88363796cbd615b1e9a3
SHA256668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38
SHA512052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077
-
Filesize
944B
MD5c667bc406c30dedf08683212c4a204b5
SHA14d713119a8483f32461a45e8291a2b8dc1fc4e7d
SHA2560789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf
SHA5121f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48
-
Filesize
944B
MD58d7ef90d60b004c1ca554407c4ce6d0f
SHA18d57fc1cbb9776bb85c8c740a7ad2bc10c531fb4
SHA2565a2c61fa1c443a345a6f9961b72b01489f7ceaf7da9af4f9f217ae5e81a8bffb
SHA512263d0d91a24adbe5e536a48145976876e88d09b57435efcafd622391f8c586c0d282c7cb78275074e039e3108474c1b13199be1adbcbd79990e6e6b3d60f2809
-
Filesize
944B
MD50c87ff349c47ae6e678ea72feb4bb181
SHA10668dc890d29354fbb86cfaeae5363d9f2c1fdc8
SHA25668decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc
SHA51232a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe
-
Filesize
944B
MD5414d3c7be38a289ed476cbb4ac51ae02
SHA1da5113d85edeefb5a20093e40bb548356316f3d4
SHA256d8ce1dc945725e1a003fcad77de1db795d498003228c088506d286c613cd2e31
SHA512a6db753e6e9515ad845b8073e725b2d0182697c6dd77475291aefd19e7331d78039c00b9d41ee8cccfabe9a2e0e2ab25753ebf9a865c4a3c18d77ee27cbbae93
-
Filesize
718B
MD50198ba466ad5b055d267c4ea7c70d84b
SHA1732a299077de3e1404c44283626f958fdac20cd7
SHA256b2c74945d34d44508712e6f4c66992ac51606a0d096a08ad1a931dde62c7c19c
SHA512cbc2b9b4d02d4bbefcd6bca494644cd2d0f2e99f7a4c580a663e94fc6215c95b89248cf618b05cfc294d7e8436c4cc5d841082872f88913c9572186b0ab4cf44
-
Filesize
718B
MD5d4b6f2f56cedbf009e6c53abac55de4b
SHA1915d0ef0836f6d72926de33b0207262a4731145c
SHA2563f531d93a663b6b03ff9df9fdf7b6109468faff394a39cbf193557ae77f7c2e0
SHA5128f83e4dcd1c326d6043fcb759003b6c8c58f85d8294a922693b3e1f28d022639fbf411cc3c37d0d076146b0b4bfe134369f98e04ef6d87a465244e0a62f75a6a
-
Filesize
719B
MD5b65cbad8e73c21292aa64806ee28bd06
SHA1a49578da6ab27382f3a6355fd95dbddfa476ec27
SHA2560d84c8372daa1766db78e9ea44b099623e882c943b7c96e4e783cdc8538695ee
SHA512d7271d5bf7c0243252b47b65fa0d02a8ddd5bec48c3948c3453e755665f2dabb98a1113fbe1cff330a9fa841aabb96d93d586e979245035241a092f548d9ed1e
-
Filesize
719B
MD5772495aba3616c08bc1caeaa250286e2
SHA15eab78fb97fe3f4eb278f6d61dc9260e2e2a47ed
SHA256e954b51528ced992601b5a4319cc17544e9a518202b12cdc00352a6d2341a408
SHA5122e1cc98dd7652eb6e7d009c8c5dbf15e93794f335f7b5d226d4e1b93912989fe9a8b0de406187fe0ca8b43f04f51be810ad80a21360d851cf284c6b165890513
-
Filesize
719B
MD5b5bb7ead854ddc5bc884815c2512230d
SHA132e15cec43dd500fbe46ebcef990af8bced04e08
SHA256af31679efd527bc050ee2ab3e3a441066799ab1f94d3a681936674b488544063
SHA512d802b12d781e5ad383045ef2e8f53d03e78ff02861aed925bc492a147d5d809636449d69f49f569740760afaa387cc3ab6e1aee64648170af15095847f676ca4
-
Filesize
718B
MD57ded1407e0afcb98525297e04dc48380
SHA12d51f8dcc099ae33d5410a9e925909104085e4d7
SHA256f66eb64c465dc723f1f66b836ce7783c6aa4603e874818427491528b431fbb66
SHA512975515e7c82273df05a6e8ff648a16e12fb90f6fb7a520fe68d8230d8e63cdf5de6cdacd0187d1ef34a200ca301b128176af5305c84f9df418e48c884e72c2bc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
719B
MD5887448b6157ba960205e18c307c0494d
SHA10a0508aac39c7fcb019d487bc2627786c3919d6f
SHA256977fb531326b7bce630587f0b569f72e72300bff97678d3ff48b874e8507d9e2
SHA51287a55cfdd7fe3b549924b0eb92324ed69a32f85d5fc718745d0496f5d31a163b1d87d1e50f98d67d1a7ea429fe54ca0774b144cb1800838f46d98936e357e8ed
-
Filesize
208B
MD5320809632add114e8610c159511834fb
SHA1a23030548508cbdfe837cc4758fa5cf68f257bd7
SHA2563c5fbbc7e4650858fae98a8984f20766d75bc79d275414d2fd69feb16b19ec4d
SHA51288af43556ce0ded5a14cbd1899405f835a9d2501b86e15189f8a28144574929708e6054802a5da4414f12242894d0ee3ba4a14696b0a7b18632f3daa716d2c9b
-
Filesize
719B
MD539549be8d9829f81213fb492789214b2
SHA119e59ba30d995c4bbcda21b08367c1ed577ee524
SHA25680232a72fef6ec032dcd2ae1f20227343be2fe0223d41adeabbd35a9a525e44c
SHA5126dac797dcb91a71595d5082ee6755b8212f05128f62df6554c3711f05251ad4f4d4b6ddb64a4556753e193b69aa1301bc3c2427f63cc781ad0f310c2545e7d82
-
Filesize
495B
MD5c6fc750124e1108986bacf20c93d5a99
SHA155391c1367cc9129143293235575aeac9746b442
SHA25650020b428326c91c72534a5eccbc50ff5412e2c9a3c1ae76e352465915628daf
SHA512eb2fecbebbf3b693f73fb7dfd673578788b2420ce17cb42fb477f7ceb833a3499d841ce5371b67db4e1150a7bb7b4735f0d7ccc24257320e806659aace5a67e6
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
136KB