Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:15
General
-
Target
a31ba0b291554684b4a097371669bc4c.exe
-
Size
1.9MB
-
MD5
a31ba0b291554684b4a097371669bc4c
-
SHA1
0a5034d116b71c1a99879ef632962026b5b774aa
-
SHA256
0bfce2cf34dbbf853a1171acf4ac9e2802d3e67285222bcf8d43dffec50b6593
-
SHA512
8d8c96ad82f63aa8f7f3345d3905f5eff42cc3d8b50822036e128b9f886777cf475962161c3c308ee4867b05a5ef05b52d68be3e317b6a9505029c4f03547c67
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 24 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe"C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4596_316599628\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe"C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0c793fd-eea8-415e-b125-0f7625e6c28a.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d290c958-820b-45f3-9d5d-3025a704875b.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30f0f654-b1a2-46c8-a2a2-ebedcea0bd24.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32cd8b3-a67f-48c3-9e31-fc150c1b3ca5.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a44982d2-5449-4aaf-aed8-870990d473ef.vbs"11⤵
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e55142e0-aefd-4e7c-bb5e-288dbb10f6c5.vbs"13⤵
-
C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64185405-e87e-451d-b832-4ed3f582382b.vbs"15⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b9b162-172e-4589-8216-f5206506a979.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2411b1fe-e527-44c5-9b98-45bec771ce71.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d07775-b418-4abd-a8a4-7fa315a1f60b.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac5791d7-7e50-40f7-afcd-bee2764faa12.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13040e2f-b873-4a4c-850b-f3dc28ff7306.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\584f614b-9162-4051-b5d2-32ea4879eb05.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5d8cea-8fe1-45e9-becb-179d2845c3ed.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4596_316599628\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_316599628\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4596_316599628\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5cf2abe80b262b63b4bf10d22a12a0df3
SHA1f8c2bb11a9c9ef255b6e98d548fb6e0f99221a8b
SHA2561808ee817521ee73cc3e7d507135c5fa1fccbde30f2363d687b4fa461254ef1e
SHA5128956be3d7e0bd06ed0e2e735100d51d79f511f899962da365af03dd69f917e127dfbcebda01a83dc772597eb7081bd96d480dd054edb3c40ade4f9094571fba6
-
Filesize
1.9MB
MD57bc132a12a1a0b2b8925c1463975a4ad
SHA177d7725ac58ba8208a6353f90c7cccb35c90ea98
SHA256c6bdadbe2f3eda8f21b12269fac0434705ddc6af8fd7329c7907633a77fef1a7
SHA5129bba8a9e02d48eb15a152a84c9dca29a8494943eca72c440872eefe42e91ebfb2bc6559ce823ed9acf002f09313da015b1c845080c4f3f407e47f5702138c38b
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD561c5e5652b1157365c7698665230f99c
SHA1d128376d2856dff53452ee26f098fb490ee47fd5
SHA25618780691720f3aeaf2365ba59345061e776938c2b19b2e4f1ef6d6c3e5d839e2
SHA5125f6089bc38a3d734822e6f7f718b8b23d15829a1cc98b73f634bd34318b3ce0cb7170cb7e15f7782fa24c9c89ac860e883311bfbe3c6384647e6e5e7158da7ab
-
Filesize
944B
MD5400965c5c8206c7b519873fb3aa3aebf
SHA10764aa4c62cc242ede7ec00e36539c20e17e5565
SHA256e8a339e9d5f5699e83419d2fb336577a101a4cd31df7ddd8c71a88dec1593b04
SHA51232b7c0f5745c3cbb291642e96ce907d0d71f986f0fb1f55f2c5f56dd76d9243d8ca936a7e81c0ef3962d5daf25d51bd93c5de77cdf9c3ed74101e3056e510369
-
Filesize
944B
MD592b2deffd5900b3c60f9e6737bc5b67d
SHA16ce9b13b44a2d7f5635f909b0bb177ea60dd8d06
SHA256780876a6d4beab15e3264f97a68092540e927c1a24250a03068c4374d57d0906
SHA5124658231390e04649f6b393abb54d0b2a68771731ef3780207139d0a66a73e866f70dc4e6a0bc9a92e7e78ea01667c68263a001a0f275087a403afd11a80ee27d
-
Filesize
944B
MD503f50c7070ba1f54782f4ab1969e4753
SHA149d81d10c39e5262e0c5ede717d158928dfa8db7
SHA2566f43b688400511d37e3df0415a140030ccd0b972bd91c364ac036d0ccb798613
SHA51255e4849066cac0acef3a56183b1083ae594fcda62f3697a8300029a1db7f535b2df911fb67abfce881349c5fc66d3fc08e345ceb3e368dc9f1bd3e5541ad7941
-
Filesize
944B
MD5a822dfe702436e366414e8ddb6fb41d0
SHA1db35e49e01a1baf69d51d52375fb26da32b12ddf
SHA256929a0a2762a94d0f949b0bec034d141a00c1653d8dec84ff994d32e6e115a3b2
SHA51267d023275898ba86b0f1bc67b0868b0a31038ce366b1ade6e433c1785d4150c8b630462afd2af2479d2268351d1e7dd5a6e99042020cfbfa1490d04420bd296c
-
Filesize
944B
MD50cf7dcc8e715a3adb60273e2d687ec14
SHA1153e79121708a67a619762b6ead0991d321667ac
SHA256df09c90760a7d935978206d29a0cd22bf2454f1e73d862d339af43503c6e93f2
SHA5126e057853c247186574cde2bd8c5c085311ab2a24e85ed16078c869f82379d702b8b7f35400f3430aba03b6103529e6042fe9d6f517b08f9ee1c365d0d3fbec24
-
Filesize
944B
MD53a1e48b8d7963bbbb73f442cd864dca3
SHA17f71e6af810a734d5f6a0c3ba90c171442e7e334
SHA25633f70a94f53d11ebf2ea52debe0eb6afd7b30a095b31e784b0d4a0fb42b708e9
SHA51226599ce4722f735e1b19f8b68d82318978d577245530e23f5445330dbccb395ffff4e6c4020cdeada5b179b94b557a3e093c2dbe5606b1b6956c1f73a91f637e
-
Filesize
944B
MD515521808f89b47330dc44e0debfb369c
SHA1f9ff45265173980d8f5ba51c3a68d1b36987db91
SHA256287b79804eb7d558e133160a42beac75c8fcc49558f883adce9b0da42e2fc18f
SHA5129479b6c6e58d08183bd968b22c07b0c640c15514f0a6b18d8befead8cb984e23939abcb9ecf69c068cf8105edbe6d9844c402e0b766887d90aa861da8ba2f79e
-
Filesize
738B
MD54b632550255a0540dc00d615fbb5ebfe
SHA1e28c1a4e33c229f737e86beab777d275a891beae
SHA256e3e288f4e49fbf72d7b09247dd36292799f85db641860b907288920b13fbace8
SHA5126ba1d29c17a7da71e1e949b93e0804d2d2e4ebb1cc34efea29b016111ef0443de547841ff0e12b967751195943f412f803aaadb448b170d66bcf9e701905217b
-
Filesize
514B
MD583f66114855f02c81a0b5568421fa893
SHA159e1180e34e72e1ce962ae5834b36957d4c66b56
SHA256b2a4b17ce5276c7e609b9950585423a634ceb9856fe75b77e0e90143eb67c23e
SHA512459b078423118338952afaf75e96f1fed445cce242e451edf507e755712d5c3159acf44ed5483dd068e62b96ab7278e8a5cd5d5710045fe312ef4b902b2c9e72
-
Filesize
738B
MD53d51127c5f10fb4648f3a2fd9e7eb647
SHA142878058556c4ed520909f28773943b34f072157
SHA2567861d8b69b68e3ce8d0315fbf690f68f7fbb0f9f10212bd15815935e72b03a6d
SHA5123452446f0ec60f87a2fee16a418159009f4ceb3997fc9f6a0291fff3176e80777acfb12046ff7e61e8e646cd3a29e7d2f55316439c29d040450f1cf40ca71f7f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
738B
MD5e0af06de87fd3a6793cb562e90ace070
SHA1d807b85e6ec42b4725fb046b453238300273cbd9
SHA2566f623e2ada9916f243ffe6a1c902f76e61268f81d9bb5e89e64e913e9c380959
SHA512a3df7b3bb7d4c34c5821ad2708069a0f7cab568b0e425575789f65603ffb8d99e64739247f75df8732d01bfce32a61322c9fb5f8e3acd109645a07a79e534218
-
Filesize
737B
MD51610dd7f81ee5ae56c92b6e41122dc89
SHA125ac547ed9b9bab6a2e5f4cc614a1dfc855ec4d0
SHA2561a6d0226bdb8b71fd4e0454905bdae3bb7241d4112c52f6d8b811e69d9e32a16
SHA512161ca6bee2db78ace81d9b3116cadc9fe0551b577f6b10e6ee10d46e09ca77e0935a28747f7918483451ce889ff8ffac3a747682327a7064790c2fd3fec3a7d7
-
Filesize
738B
MD50e0c1222e3882ea116a9bf86cb7fcdc1
SHA1b80c407c88b47f4fa190a2438bd385a458cf9da2
SHA2569363932b885ece4a24ef1ac4dff361e9d032dc1cb5d0b9b69ea8e6c501775ebd
SHA512f804148638da8f152630389a6e66183aec0cc009ee93286b267d3792a5ae4b040520e3713102bf4613cc8f2ebaacbc4aa159e197629e000baff96d9c0950129a
-
Filesize
738B
MD517da809be6d896e49c1d351ee39e1eb6
SHA1f2e42102b07b947301b209bbfd69d37758a55e1f
SHA2565a20026e4b16a2851db8423394032b43ee737d5a4c6e577e8c99b47a9510b979
SHA5123acd76b2516aea94abf4aa89ecac6e5325726922372bd05405e78569b1eeb627c26acea3b216aa9db9357c4f172d8fc6877564fc97cb381b2b57f68a5757b7f7
-
Filesize
738B
MD5669511242ed3cf107e57027dc91ff524
SHA1677a9f3b99ad19843285e5f75414f1ccf6c859bc
SHA256850ffd4dd6e863a3f3466095977617bb684ea26e227b5b2fda0d2bc69cceb8dd
SHA51222f1a2fc8648be826cb80aebde1f13897838b8b933e1df395f31639ded90ae600453a2e5d76515dec4fb618f208f075264dd5ac30a999103c9486fa4213aecfb
-
Filesize
1.9MB
MD5a31ba0b291554684b4a097371669bc4c
SHA10a5034d116b71c1a99879ef632962026b5b774aa
SHA2560bfce2cf34dbbf853a1171acf4ac9e2802d3e67285222bcf8d43dffec50b6593
SHA5128d8c96ad82f63aa8f7f3345d3905f5eff42cc3d8b50822036e128b9f886777cf475962161c3c308ee4867b05a5ef05b52d68be3e317b6a9505029c4f03547c67
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
10.8MB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
136KB