Analysis
-
max time kernel
114s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:15
General
-
Target
a8b0399c704553c85dfd0ab584536333.exe
-
Size
1.9MB
-
MD5
a8b0399c704553c85dfd0ab584536333
-
SHA1
62aea1857adbb4160c94beb5c8a599c0b6064a07
-
SHA256
2614012e702c04f31efd94532e4d8331b5a8d2ec0a2f7b98cdaf4c02942c469e
-
SHA512
65cf46ce9d75e7395d77c2025a9ab8552cfebc3b979c0c1596f9b3114b0699a11882c6dc1d312b0d3a2e14cf887525990b2612372a990748f6b31914f03f7904
-
SSDEEP
24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 27 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe"C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Mahjong\es-ES\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1ea853-c024-4054-81c2-18c1b7a2052a.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3838081-f761-44b5-80a8-08c51c1b8aac.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e6cc10-fbbd-4e58-9f05-8d69dafa0a71.vbs"7⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47ceaf33-a310-4875-b1e3-72ff94bc9e20.vbs"9⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90cac88-188c-4b23-ad35-7c15e6bccad3.vbs"11⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8334f1e9-0bb2-4e82-856f-6fd8b2c14995.vbs"13⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93a95b9f-08bd-46cc-89aa-a79c3e468add.vbs"15⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4987e911-957a-44a4-a90c-39d1436eec67.vbs"17⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75fed6c5-ce90-49e3-a7a0-858919893103.vbs"19⤵
-
C:\Users\Public\Documents\My Music\csrss.exe"C:\Users\Public\Documents\My Music\csrss.exe"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf58117-488d-4d72-bd0e-515d97d5af52.vbs"21⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\097207bf-3cd8-462f-844a-54e4bb04ce02.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b3b3ba5-59b9-44d5-b318-7f7d1b200b3b.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1848b316-a1ce-4293-8a5a-e568ec121ba0.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06e4af41-c80c-409d-8dc6-af937ea73582.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89cd9a8-2626-4d1a-bd33-d0de9bc926cc.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f067411-8f48-498f-9580-113ad3c03f3f.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a73a5d7-8e68-4760-b215-3a971fda9a2d.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8105c1f1-7f75-429c-b7da-7dfa21f813e7.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d49414ee-3fbb-41b3-bcc4-ae237a0ff565.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562f7763-49aa-45c3-960a-d81eadc8859b.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5805f0d8aea360cba460450740bc9fc2c
SHA1339d691715ff34bf93a995ab9fea75eaf803bcd0
SHA256a9f7182e9ec71cfc98a2570302dbeac95099952a3548b5eea03a9c9d81a057ee
SHA512b7ae4b8cf30020cf573727282c33ae6e53b783f196733148e17eddcfdaa9c193c6a017c172a5786dbb8d60c21216026676a878232848e010000d56cc30514c4c
-
Filesize
1.9MB
MD5a8b0399c704553c85dfd0ab584536333
SHA162aea1857adbb4160c94beb5c8a599c0b6064a07
SHA2562614012e702c04f31efd94532e4d8331b5a8d2ec0a2f7b98cdaf4c02942c469e
SHA51265cf46ce9d75e7395d77c2025a9ab8552cfebc3b979c0c1596f9b3114b0699a11882c6dc1d312b0d3a2e14cf887525990b2612372a990748f6b31914f03f7904
-
Filesize
1.9MB
MD55ec8760c7ef102f0ac463d3e49ad5295
SHA1c7081b9eb89f834e3766f3ea371949e7f8f7bafd
SHA256c77e4c3748c7b34ceb63c09161327024b86671302778d9aff8ef046ac4ab0430
SHA512fc5629c190b49053600b9a4f661b66d585ef7263b657e20ecc5ac88d40c78042102b383da3955f7d7879abc8ac142aa00dfccdf555ebce9c41931ce73b38df00
-
Filesize
720B
MD5dfa0fd2004ab0dd354421ddd786caa15
SHA16c0ff778955d3990f7c786c20db4bf788c7c6a43
SHA256e495fbb30ac1612656accdc26beca49db9f642a30966a4eddd3c6253bc762218
SHA5123f10d45508a83f40e53e7e5849f855c08536bb5fea8b7ba00473e92211a2ef56ff23f8fb47cf0f415dc9f2821598e5a74e9e38b59ffea49c16981761b3916f71
-
Filesize
720B
MD5d71476daf5cd4096d590e63dd5a55d4e
SHA14f27ca7ec92edf7b00828f476a93a014e5b800dc
SHA256e567246a7bf5a488ceb3df73be88810a91333890953e142a8ac547138114b462
SHA51205fd0d30a429f51af8b88cceb033b4dd64f25a6390d4dfa8957fb61117a632f091d01d41f8c4802011c0e76d8c3ddb7832b72623677e940ba53b2de88b7ffc21
-
Filesize
720B
MD5e024ff7fcd565df5364be0788d686b38
SHA15d0ff683fb8d55c6f0ec2a789387a8bd55451c4f
SHA256c4df6fb8907ff452d2b20a64b09d04eb49166f64cdcc0ec2ee4a8c586e164364
SHA512c6d8ea5a206463d31f844a05a78554faa5066bf8dc08df8f62e82e753a7b382aaf5b0f5c8f2fac7839fd437ae6f2331810907830727de37b7ad76d44d9220787
-
Filesize
720B
MD561ed33d68aaf3c65e2ce065c272d567d
SHA1e8d795ddf23c78e9ea79fab301593d89c4d004a2
SHA256210ba83bc5da28e9e9519a245b42dabe12d615f371da4966d9b00e84260d869c
SHA512849f14029d3aa1404942006ff6b179358464823f6f98ebcb6527fe9aed6da3f8be6eb77b666fe2eef00c6ec0327b362f60e2d1aea1461f1e660849bfb2d46cbb
-
Filesize
720B
MD55e25d6f7b55b8f39995500f8caeff516
SHA1b8f017588f23c42dd3c19d335a98b4b037d57f0e
SHA25668576ce2ac3661fb253951270a54d886945067cfddc5532f3de26be8df91ff7d
SHA512f259d4a2d11a796eba5a449f8ce858754de90d5e770dbde099052994ad76f3491889bd23902cd0a3dac7f61fc8a736e53144a425029aa0795cd754913a9c453d
-
Filesize
496B
MD54e60dade7725119daabdc0acdda7503a
SHA1147c311c13ad7692b6a40d97182ca8147e1df078
SHA2562aeee7d19ab291387867ca370ec6ce03a27e9c3dc942ba1be0e18a73e7841d0b
SHA5127f15692d5982cad60194c8925cd5b90832f11f2d7826b76b4b04fc55930270d29f9af1ed3e0eb4440109376f8370bab224ce461d265fc22c176a7e38f0d1f783
-
Filesize
1.4MB
MD5e012828c986dd0ea3754179a63003ab4
SHA1033c71e88284937bfa321b782e6fb01baab528c4
SHA256352f0501afd5c5d886749bca78c8279072ced80a3e31f3b8bce6573bd1165957
SHA51206a78fabb379b3ffb6ee632b3193ad04be7713e3a095337ae7eb902d89ac796afb1625af26aa14e6d0dd123354a42371dde8cb9d3744ce392884a98c9afa3010
-
Filesize
720B
MD55079e07005d625e225aa02ebc0771a19
SHA173578a3d4df83c300782c3544ff8459c2bcc4c95
SHA25642ff0e67ca8fda02668f05fc3255011d956fee586fd17947c4a079bbc67c2196
SHA512b872a805f0c61eaf0cb86215a1887dab34de7f0d4d1d7b15d0a592fa56808e92059be872554b86c2493d5d5f11c44e4e39def29fe007b87f7a64f494f5ae86f1
-
Filesize
720B
MD52141f11d1804d4447e1ded715a855d02
SHA11e7dc2dedee7c3ce99f74b08d97ec82b5ea45bc0
SHA2564335862c66b497972f1c36ff471c2308e12ece211d76aa4230ec9d5a8289df08
SHA512f7b229f512840d717f84d36e91a3db9dfd7ceb74e27112ab2b570522f6e75ea7de415081ac70a2f9fd797907fd67ff22e95b5daadd1dd833e921519c00537444
-
Filesize
720B
MD563d7f8553c979cb89bb3dc7c47ce1286
SHA1721a631cd6437bf62a861b5306fbb0a40f3c82a5
SHA256ae26b37b0a5b535fb555c3e9064266f58f8446f0e72baff1823388b5e452dd60
SHA512819c4b48f59855cdd0579be52a666aa808eb3a9b4205520ed647581b5b5840b4ec6723c3da0a6313c878d68f1c01efba1b625873bffa9815360645a5dfab851c
-
Filesize
720B
MD5feaed9940b66876dfccf3853fe9dd72f
SHA15bcff67fab7019ef8b49dad8be3766c7311ac18c
SHA2568d29216361e58c8147fb9138a5bc368745ee76ecfbc892128179e1c6344db78f
SHA512316ec17915e134ef0e297c4ddc61579836d158e5781a13d2378fbc585f158b51b4238422cf25f1f8d995d042205ff52ce88795e1366dd4a6b188c4cf95c2c056
-
Filesize
719B
MD563c06e72033655ee3e3861ac361a8652
SHA110bf72390251954e3c8cad9e661abcfa8a3ab3fe
SHA25620f74d58424e0c04089090b9ae6483f3a5ea1d1d6d54c5ce41162e93e5425157
SHA512add0dc1c430025ee437592067d7f41e76ec3299ed51d469b3815f45813364efdd8a1740745d3c539203a5aab4034580a0d32c0030daff74d67b96f6ce6bf5343
-
Filesize
7KB
MD55bcc04fa6313cf98cb451309b95bd89b
SHA1a64caa2bdf2c7952652c878acd64ddf5800c5c74
SHA256e223db0da47be271120fd81a4c95d624fb4ae4fd38014d00de9da6d58745c955
SHA5129adc080b42a15796d56cdc46633df65337d00094028a88bbb30fb603a4eb6d8685a9a80781f37a114b15587d3ee7bbffd32d5d6fe53223d802938328a6e17174
-
Filesize
1.9MB
MD549a4e386e9013a5ea53fcbe03edb879a
SHA1cb1bc1c422d7d83f2c6da1d5e40bff4c1c2c503b
SHA256f3c5e3f1762df01a28af6793c313d71fcb8efb709823c4e3400e0b8e46f416d8
SHA512ffa0f602b4ff2b3210c36f5e90046f32c9a645650f5f9f0fc8d88517d485c298cae983b4a00ae80ba907025f3ce4bc882854ab836a6922d695f71025da467b4c
-
Filesize
1.6MB
MD50086416c45285c709db7ff24fca0e0fe
SHA19d73bbe5f6d969cbae1c2fe406873642fb43f242
SHA25664a71ee36d71bc81fb0bfcb99ee10d24b6728320348db370ac814b7d4f3488ca
SHA512f86cf9d476c8b230e8e473655f18cee41fd91b71c591a74b42a6b04ec93b57cc2ffaf7b6b3444c8f8c43e8635c943fc8b384883792f12e2f680dc07bd04602f0
-
Filesize
1.9MB
MD5d52bdaa6ea6aaafb920e94a2c45a8012
SHA1836adfcea2882bf55e2fc43dc7d0184b4c39c49d
SHA25653f79a155745fa9ee15921fea784fb2c44048ed5885d03f5a04565b647c59cf6
SHA5127ed3ff170553c88877098ddf39a72004671a4f820e014bd99df94f512a610f764af96bad6a10ab729ffbdb514705296b5bfb2b18bfae9e45287eed1a75a96a0d
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
1.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
1.9MB