Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 06:14
General
-
Target
9576cc7c1d016017905b260b127b983f.exe
-
Size
1.9MB
-
MD5
9576cc7c1d016017905b260b127b983f
-
SHA1
085fbeb0456c1eb2f9d1854e4940def27aab0386
-
SHA256
5d64fc503e241b1ffafe9179e97d244b2af292a14b95f5513c48ba0557d14de2
-
SHA512
8bb12a73650c814edf1899c1453b40b92114f316de9b76dbd20f724f2970514f0f4c6afcf41a37a8796e90917f4ef11cea1043e6815e08ce199643a27f64c4a0
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 33 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in Program Files directory 30 IoCs
-
Drops file in Windows directory 26 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe"C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9576cc7c1d016017905b260b127b983f.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\9576cc7c1d016017905b260b127b983f.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\9576cc7c1d016017905b260b127b983f.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Panther\setup.exe\wininit.exe"C:\Windows\Panther\setup.exe\wininit.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69972d40-dc5d-4747-9b00-53fdeb4cdd0e.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c70c5d09-e2ef-4181-b2e0-04c46f838c1d.vbs"5⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\442cdd65-5108-4ceb-a2f6-e1bd448e7d9a.vbs"7⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6f559f5-a86f-47f7-a593-c2d01b452dba.vbs"9⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e58f1ce3-8b21-4da9-82a6-b3092ca0d381.vbs"11⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00179c0b-47da-4980-be60-701adf104080.vbs"13⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8351839f-7eba-4a9e-aeff-12b40920e325.vbs"15⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d0e6ab-2b3c-4cf2-9e69-871b3daca1e7.vbs"17⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955d0617-e10e-407e-bbb4-b49d58cad813.vbs"19⤵
-
C:\Windows\Panther\setup.exe\wininit.exeC:\Windows\Panther\setup.exe\wininit.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd108427-8a4d-4364-a983-c6b312874c2c.vbs"21⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dbaddf5-9425-4ae8-aa76-f1045cf73b9d.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70873ed7-959c-4ef7-b871-adaf4788a12a.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd854dbf-8465-4789-914b-2b51174cf89b.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5dda15f-9f05-4d8c-98ba-6b9e41d9b1a0.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5276eaf-9d3b-472a-ab32-31f3023d97fd.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeba4631-a695-4293-bbc8-b94fefd2b111.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e9740e5-9919-47b8-a481-de28fb49cb5f.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80801376-fd1f-4d01-8c80-8d756d8ba65e.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88006b75-ddd3-4803-87d8-add989eb4ce7.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab2cf72-930f-4423-ae45-2d6988cd9307.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\spoolsv.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\9576cc7c1d016017905b260b127b983f.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\audiodg.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\9576cc7c1d016017905b260b127b983f.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9576cc7c1d016017905b260b127b983f9" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\9576cc7c1d016017905b260b127b983f.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\spoolsv.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD59576cc7c1d016017905b260b127b983f
SHA1085fbeb0456c1eb2f9d1854e4940def27aab0386
SHA2565d64fc503e241b1ffafe9179e97d244b2af292a14b95f5513c48ba0557d14de2
SHA5128bb12a73650c814edf1899c1453b40b92114f316de9b76dbd20f724f2970514f0f4c6afcf41a37a8796e90917f4ef11cea1043e6815e08ce199643a27f64c4a0
-
Filesize
1.9MB
MD591e88444556c35fda6505e418e1da7fb
SHA1fae8314742ee57ad2e475b2970b4c66f1096a44e
SHA256f63b12c2b42358100561a13f746f8ca5119f823eb0b2e08d67a914d2ba1a360e
SHA5122991e39e7ed58c965db44ba0c2fd54220c12231af0922b6ad8f2414ed305e89066ad186cdfd8a4f3825249eb18d50dd4736db83d234b7fde46f2993140e1b726
-
Filesize
1.9MB
MD55c807d4431573acb0a9199f7c6f580b1
SHA134af6095b527544a593e4e812ddab5669fa6deed
SHA25657322dbab498bfab506d619d966bda40d0917e4249818e3a78d4515e96a9d19d
SHA512218d96231f4deadd6ddfdc89ffede9153aff3fa9ffcb52b5a3534ed3b4c117d570fa56d3109e5351f7c3e0acda6be1c0e822bf4766a9dead164df3cea1b48136
-
Filesize
1.9MB
MD58413f94d5ccca3bfccceed8592499220
SHA1a86aedba10d0f96ddd533a2c2522fe80f4b232ae
SHA256bd6f2ea5cde01f356177f7fa923f61734e35577ab29cf8d0814f80e62343ebb5
SHA5126e7be3d6b3374faf11140c01adf1af352ee4119140206c2e8b8d03e721eb6cc53bbca85a5fc886d61be14d242be14b68bed807c11fb9528ee22d327c734311ac
-
Filesize
1.9MB
MD5682ce6acd08d3b456b9389db0e2a4434
SHA1493c873bee066270c18a12c4e549f82688f51265
SHA2566e144f9a2b08bdbdd242800e71936860c0a2c14b6c68daa5c423a553ad217761
SHA5127b54a356b8584c045e9c3dedaba9d1aa306793cb8ca81b4f50a0cd2769ed3a356c13365cd665f96d9d8e998349c31e9e7587b64d5ec9a52439aaf68a4ea8a61b
-
Filesize
716B
MD5e266c238e3ab34a71ab84e4d4fe0d023
SHA11564ac27c99eae7a9aa15b5efa92aed8d717e6b8
SHA256119407502f78e4ef3cfd6d50e936ebb4b395ec3a209abc0451337300426f37c8
SHA51259fa1b0d15d826b765f549995673956f3c1ae6ce6be65f65cc91af41d4ddc4a0319da1f213d5ae3987b9660bf74811d8338a5b8799c5026c8087edbf95847082
-
Filesize
715B
MD56ac3405dd8c1c0dbb70f79eb9c16e629
SHA17f7796f8c1a413ca59e40e438a4b270ae3024526
SHA256af6d7a7b645c01d3e82c9c99a770c20d876ad0cc0ff18667f2c1f1d7f29b4018
SHA5129695c8bed3486111bc0c3d7017a72aa9a77bec5dce165d3b4b8adb37436beb4866e92c70d311f6f33e508f0182d15656cefb9d5447b0cd444731ce9b41eb7c7b
-
Filesize
716B
MD55814da175f06a0cda47f8dba9c63c2ac
SHA13a7245cecb7377db73f9e77661a80bc03f244830
SHA2566cddc80a9178c5f9ae52a47b3157e3fba87454d37df50a4fc2904fb10cde76b2
SHA512d054a70be07975a46ff1aa7d5609c28c685bd2ed81766d6a03df1ba19a728568fd46579cc1a45caf163a62888122321b2f558e337ff4cb4f38970879c97775d5
-
Filesize
715B
MD5310796d65161b388adc46e4be203a9f4
SHA1a5f24104b82935ae1b05ef735ace74cac2838b88
SHA256abffda24a29573e74d16b1567965d02d3436048fc833d32d9165494dacc65ff6
SHA51287f39f4bac6a8f5a755f440086374b3c63c31571cc02d40d8fd6b6c5f4d08c47b22550ce754f81e49c34c723c2b7af5c7f3692850561874b5589b68f135a2662
-
Filesize
716B
MD5dbfd3cd658a19ce00d8e5c3b3a8a8afb
SHA17e1a0b1ef9b051a6270883f2e5f6e261dc29c021
SHA256b1fa94d2586686b8ff528b99822ff9469f503029893b0fc83701c7460262ffb0
SHA512e704f441348ad07e96164042955e8eebf7377a08a7e9ca7cf20562eeb9bd01d2acd07fbcb15cb6ab5410ef5da27d8226e14641a516821edffb075680887ef5a5
-
Filesize
715B
MD5a2121b0c6a7690f9a6f32c4916fc721a
SHA1bda40ee63feac5a71139cca3546a1a1ebc2c7fce
SHA256ddac3c0310b9126fe3e64c3333e1dfb0b3ba1f7d6b24cde18776a2112be10241
SHA5126caa6155f9ba7fdd4df2c83d466e177d62a92183cd4122fc10b38dc5fbe4712513381023de477196980c07dbc6a96c4070704dcc596bb2ae890a5e0775f8a34d
-
Filesize
715B
MD59d4686a8ffc20e0e368ceed294e19e4f
SHA12b182ea4539f017d1142b2d569e355dbadae268c
SHA2562e1cde22959b9982f7b2837cb76858c252e8c59887a0a28adf9aa50e542e1f8b
SHA512d469e3c95ee2ba081a06743887725b645aff2c05dc4c6dd352e7a37ae99b24990c7880204a0c7d734eff462a1ae8bbe4c9ae1b7fde9ffb14d7404662b2ae2599
-
Filesize
716B
MD52d9e7e8f1bba8bf8e787cc760eee64c7
SHA1eb70eaa2e265222fde56b0a46b9ac8fdeaa0c561
SHA25646263ca6589c7aaa462794e33cac2a6f0dc11060cf78c6bb2ed72e1e7c591b53
SHA512456bae4eab00d1e7208ce8086a8a73598d1387869a74c7ee8d350a1a39c1df08c829b2861fed99913fd27c768e3a9ba276487803dc24704c8a6f7bd8ded64bcb
-
Filesize
492B
MD5a582a7033ce9d08cf49f683ddb1891f6
SHA13b7980d7c405afec156aaf3d0f48e0365cdd528e
SHA256cdccbb543faeb3386562baf43e311ec208b1a3893f93678507eee7e2207b9836
SHA5127d4d3f8d5aed3579ae5b983e27866d95a5e3276b123aac07b63cd68b82d72818d2485d3335270a58d92bcff84aed6492172b24d62bb4e80465c6247bce57a4b1
-
Filesize
716B
MD512b95b4d36619964d7eefae243d9dd7a
SHA117e18e39630e1c8d7efda53b89b30e1fcb08f9de
SHA25635c0fea7f2124bca3e319aee838c5ab342f863d0d9fa3485404b24dd9b1bf5eb
SHA512031f2cbb2e25f3e837114bcebf8d0bb02fabae6f2fbaa153c3c414819e71e4fe7c84a1fb6a1ae8edab9f76652c3297012786969b7e1a3f70f93fb2087ee2ee09
-
Filesize
7KB
MD5a5b76944cb16dfcaec9b6b63f6212c06
SHA1a543e466f961009e8f7f01b2859d0483980c0b83
SHA256ecfa8bbcba4f9226cc7353aa424eaaf1473f3f7fdc1e9d35564c2c48584d1a05
SHA51290bd4d3e6457cf0b26e47f1da72a7b9bec6ff51ca445f0213e90ca9b991fddae09e58b7f6483d9611695b59195ab998dd873f6176ee8c20e588cebd26c302825
-
Filesize
1.9MB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
72KB