Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:33
General
-
Target
0d7cbc882298f639d31191a03ec81bd3.exe
-
Size
1.9MB
-
MD5
0d7cbc882298f639d31191a03ec81bd3
-
SHA1
93124a821e8fe02c1736cb62e9a613c8dc8379e6
-
SHA256
56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
-
SHA512
5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\en\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3275664-7d1d-4693-b77e-9135f210d6b8.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ceac846-a4b0-4655-930e-79092caaa63c.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd077f31-21ab-4385-9f04-85dd8de48b33.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3e95a8-4403-4933-97c8-d5ca4420dfb0.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e1ddb74-d8ef-4bf5-a74c-afa02da27f2b.vbs"11⤵
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ef991e-6453-465d-88cf-a3afe746f7b7.vbs"13⤵
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d45ba479-d860-40ee-9586-e14233a2a74a.vbs"15⤵
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b92bbb6-b34d-48a8-8ce5-97421db554d8.vbs"17⤵
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b0d512b-2f49-4fec-be92-fe3636a89dc1.vbs"19⤵
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb6eebaf-6b05-4ed7-885f-c99fc5f521b1.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af156a83-41f7-40ad-bd2a-0dfab6e44d5f.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e3e19c-5189-401a-abf0-400b115b3ca0.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c34b9d7-f5d0-4ba3-a25c-d106e0ef405c.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad1b27f9-7501-4361-b798-0eefbe3c5b87.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b02160f-170a-4a3b-b250-093e6fc1470c.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5830ec09-94a2-454d-a852-0f98fb6d1350.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6894c69e-d648-4ed4-b216-7df540b099ca.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2448c07-388c-45c7-be96-4856ca13c09e.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\3ac54ddf2ad44faa6035cf\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\Engines\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\en\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\en\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\en\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\0154351536fc379faee1\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\3ac54ddf2ad44faa6035cf\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD569951504084ede3a31bbba0f38c0f39e
SHA1e15be4af35609f961daba17e2632e3e2529db6f9
SHA2565ec896b27f5ad04e059365625e5fff2fd22972930b0d2fbcfa03771e6420dab7
SHA51295053f4fb1017f7667fcb54e7d7d75f538768e9a1969b8a777e849377a0a0e47efc42d082d640ef0e2224c52d40bdf58cf03b6e3dda8d8175cdcba32f465742b
-
Filesize
1.9MB
MD54cd4d82ba08151a8d28a533d96322dde
SHA17779daecc0cf24f2a6dcd433b21412c01d8ee2de
SHA2563e448f127bb6d39eadc7c7ecf4e4a9988efd5e8a6fd343f24e2d7ee8eab3b0fc
SHA51201f734de75e1b4eebe1ae0e1fa79ec27b94579e447fb32fb145a4fc4293803880394ea3201a745614f8fe866113d9a18095eb0f950bfb1d8a75ac13d963bdb03
-
Filesize
1.9MB
MD5cf917d442d04ecae0b2c5e755e1d93f9
SHA106dd44eca81e94434fbbe6932178cd3a630d025c
SHA2564af85e69ef33d9cb9ff35cbacd6e35656aa7826078f2cc394b26f0b0b54c2ab9
SHA512d749d40a611a1fb62e3d63584097ee5f126616f318e72c1a9dd9d4f8a92ca8a462bbe69c24b06c5bc40c609777fece8b558a3c46b1dc57c9cc9252aea77498bb
-
Filesize
1.9MB
MD503ccbd5b7b9c84cafce4982b59e9d464
SHA1c2ebc15e079ef79949c5928f3c82a087a6caa468
SHA2562fcc25f37d78afdb2992c68ca96e36bdd06de46aa717b51211e2fc8d0905aa39
SHA512e1028314e59c408e0e49945f7bdc8afd0fb94015d933ebd6f67b6a769b965596b2c25bab02d81db0e23300d97f5ff11fbf7ed158a3db79a2f70ceedb8fb72beb
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD597ddd18a32d584958b41172d299ef349
SHA1b217ed812355e6405a4c8965039a4f8f6b0a86ae
SHA25676d557743db3e6342eeb93d93a334de194eab98a6f106b1fab2a50472f181594
SHA51230d9d358f5fceb29fa1e023d01049a5756c15969750c3aa311f1a85d4d10404f6b059d9b6ba0174ba1dd4c7a8b331924408e14fb36f07655b26421eb9501c1c8
-
Filesize
944B
MD53daae9cdd018437ea3c21aba22ed09c6
SHA19f0127b1483e1937d5d8cccf3ae1de0cac1c4c58
SHA25610ae5cee35e47503d6db91713d92e11babdbb6c06f309fc761dccc7d9684723a
SHA51217b4b1aa30c7871f7325f67b1b3ab5cd6f6eaafd7e4b45e96beb7fb84f80d0c4858852dbb15c1dfa2abf3e2aa6507c85e041807a575f29fe0c5dc215b04a206a
-
Filesize
944B
MD5452593747a6f6f0b2e08d8502e1ec6e7
SHA1027c3a7f5f18e7a1e96bbf2a3d3c267e72821836
SHA256495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d
SHA51217a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488
-
Filesize
944B
MD5af1324e7a4e3e6cfc7ee7add0391f0b9
SHA119117163248a95e5ceb83b6dc8c21e396f33bcaf
SHA256a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52
SHA5126a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00
-
Filesize
944B
MD5a0a5a1b68ad6facd1636fe5f5e1c4359
SHA1e4fee6d6a2476904d9ba14d9045341df3616ca4a
SHA2567257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a
SHA5121b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3
-
Filesize
944B
MD51b2770b6e93963548483b9857a191b12
SHA1da1f36e92f6f116ea4d6300b279be899ed6413a8
SHA2564c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b
SHA5126fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea
-
Filesize
944B
MD5afc798b866b5e59eed81ed1ae790ab89
SHA1f0198f123b8c2b4428e95f4eb1af52043f1a27ad
SHA2564252f8b41ce5a5d808e0c8418440c8432b7075025fd3bf8e16cc1fc7697000f4
SHA512463266fcb03789158528abcee746f35e8069e1f03dad6ab3d8aa30cd31c2c1c110cbb79ae44ef922b6a1765855ea7e5e4aa2a1d449e9d9e96c9f85d224b74e5e
-
Filesize
944B
MD5c63980b62b932c2336743babc337af85
SHA10ef001498596b702a9fd8944795d7ccb7aac5333
SHA25659df6f476d34b7f08f279482dea01d2331665c987406de593ebcfd4bcbe73665
SHA51271dab1d77cdefe2b22c6fd787dedf6c5296f05d450878d550ea9cd1f30fc575c6a234a1f798bb53815715f7f2d3db456358c1173f605f1eeabf41d921e94d067
-
Filesize
710B
MD5452c03c204ba839b0872c84997572987
SHA16d8677b0148bb103fe1c4ef59054c22b76ba092d
SHA256b8438ad1819bf1673db2ffed9116e47cce7468b27b013b31027ce541b11d4ee0
SHA51243303b6d1e277c347b159139e24df9aed86b4acfc3d4723c3b7ab00b71a4d753f39a9568fa1bbd10972f1c79321456559f3f96cf4f05c677a31c23639c2f9ae0
-
Filesize
710B
MD503cef3b446d879eaf8d38fa9cd0000db
SHA146ec0c94f1c24c5f1568423cae43953896ba1086
SHA2562ca272ac35cb0d3943b233d615d04303e7dbe05dab861c1aa5fd617f70dca919
SHA5120544fe0f516a1f6be19520fc0fac5124250082ad679683e8b75ca2c03ea7bd7800466d5d98132f6c14a369aa3ddded62ddc24016945be61512bc8c3c2d7cf07d
-
Filesize
710B
MD5e4170e184464bede49a8301f50c6746c
SHA1e96ea04cf0376b70551b20c0eda07700134d4fde
SHA256c50a8ae9982377f4db13143f34ecefa9616d945ffcd3a54616fffc2e902a3d9f
SHA512270f9c57feab99e8f9fddd1593c6b759ad3f9b787ca9d0f3d432d9eb47531fc7dd11bd0f64e53881b10759578b0b16e7512073a55839b8ab14ad8e355a2ae0c4
-
Filesize
710B
MD54d715bd6268ae301699e128e294aacdf
SHA1b1b6a2b4934cad6f1d03f2279a677a0ffc98086a
SHA2560a95cd8007af01dbfbbab627c2410a9c90d3db5f5e6bc9a8429dee5d2a03c7c2
SHA5125dca100a24c118b258bfbf75d6274cfac502661b5f0ee0ced22de864643134c8857637f44e603c911571996428fcfea52b9fa43096b0c6afab4d50e652eb8bfc
-
Filesize
710B
MD54e0ea5feb5205db327fc57ad00a9ad80
SHA1a6270aa1abda9d3233786372e01b222a133874d5
SHA25615c2cc2ede1d584637bf902579b7f6064402ede89a76d9b29e77c249a86da776
SHA51278f79970c269b36ece7ce3176f6da54f493653712cfd822ae746c0b6b8153075690aef570ab27d34ed15c401e4a10ed2e3ee2735c44e94772a7332ae576732b8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
710B
MD59b6337e81d1888ff08aaf522409e5038
SHA1b4469b3fec367a453a0ab8f7c194b5ed28214af5
SHA256d7b80fcaa7b90dc757956e293c9403f49fd0c04e59e85e212b9a1e95a12869ef
SHA51269b84214c2aed5738a94b61f763fb7b3e79cd17f628d55993cc543a40cc76e785655849eb292ed57e1a83580a05bbb6d7ffc475ef5cc489d0e81475c10e15b68
-
Filesize
710B
MD54d565b02ce92d253bac47e00a8b53280
SHA1650433a4c7c147e49ce9048e12aab75dff3ce9e0
SHA2563390d459e0fc5ded8a331c17ad0330d3f26d43844ded96a1793856f65068d6dc
SHA512ce62b2f56b83ba4a820fcf0310f8e3629cdca6244461d3694cdeda07113599be7c1857d64a0ac9d290c500be91d43b869bde7bb2c12d9f86beaa5f647e516cdf
-
Filesize
710B
MD5832e29bae142d92a9dbf94cb51b6db62
SHA12e801ef9a90627b40167512a0fc69af1e32f8788
SHA256b31e1bf8a5ba14b02f0e9a0d01856f36f79a33c41ae6ac6da4dea234fa0c6815
SHA512d76a7ef46a3612bf3f4e6cfacc396e4c8d9c9e5593e90d7ce58b0b9571649baaf540b6f4b06f2b1385971849c893bec993349334a9b1f342120ad5be5a785512
-
Filesize
486B
MD566505656f7d2de605f31bc0c62370a4e
SHA17c5f18fb750adde8c9d506f612532301b898d2f2
SHA256b5b39ae4b6eaddaa3d016f80625129eb0f9208c96e93fbcc89f0db18a206ae2d
SHA512ff838f4134356ed1ccb73e1793a71e667509c69d36527df4faca3a621b0f8e3427fe162f77f6ea16f57a17aa4808353c62bbbcad603ccd699c4bcb45a58666fa
-
Filesize
710B
MD5c87caab1b015238bff7112bb2a0c8bda
SHA150e1cb03490256ca7ac0fbab7ab853a2d124c39e
SHA256284a0d86b39752b0187c1c6cb8aad6ee206a29f74afc94d3e9aecc7f75e7b55e
SHA512782aebc14ef90cfa406c995e1df8bbed8b11f035668915c65be2f89618346564df75c7cb85a2fa6f4621bac14a9ef69376b2399bdc65d40d4a3ac076225b41f7
-
Filesize
1.9MB
MD50d7cbc882298f639d31191a03ec81bd3
SHA193124a821e8fe02c1736cb62e9a613c8dc8379e6
SHA25656d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
SHA5125bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
-
Filesize
1.9MB
MD5f44cf68f799db30fa11009305b99a4d0
SHA11dce175c1a2c20b6a0fce147f2bf620ce23d4683
SHA256c48017e59fdd7374f95f5d2c9e9e4d30905b0e137f3add71ff2df310557f285b
SHA512365405c7afcc9b52b7f50bec677e3b2ef8f289c63b6f869b52ecf1bf792cbf026ebc951d62d4a065296915e307e30427061ad7f4bec490c948b6811baf09e173
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
1.9MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
344KB