Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
08/04/2025, 14:11
General
-
Target
f98ee08aed6b41b1f9e6e1ca752d22cc.exe
-
Size
1.9MB
-
MD5
f98ee08aed6b41b1f9e6e1ca752d22cc
-
SHA1
0ad8d0bac5c76e5f79ba872cf3ae18a6717ee6dd
-
SHA256
82db60e8849ee07cae78c7f49afbbed2e3544618bfcd5d01daf09b120e97b1e0
-
SHA512
63dcfc32399062ec5bb65a3a579c75a86bd80bc9bae28d63ff5df3510ef319a5e3237629fcea17232cdbaf96bca0347cd8d8b7669698188cbf08bdc2f3caed5a
-
SSDEEP
24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe"C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\SharedFileCache\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ngNW15ZW6j.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dbf0e99-42b5-4086-930d-8a0df86f7467.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1433a4f-9e1e-4aa1-98ae-07f9e6616c6c.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62bbbae3-b815-41bc-b509-5b4a5e669493.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b162010-1c4e-44a5-8b1f-bb6547eb9c7d.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e49d5fa-84d2-4c87-bad7-43afd2c3f9e0.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa38cdd-4468-4f38-a6de-597fa6dcdf12.vbs"14⤵
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a92d182d-b7b9-4fbf-93da-41540a9ba7c9.vbs"16⤵
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33b8df09-6480-4e06-8007-201b3a324405.vbs"18⤵
-
C:\Recovery\WindowsRE\StartMenuExperienceHost.exeC:\Recovery\WindowsRE\StartMenuExperienceHost.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0305544-5f7c-4a28-b8ea-31c28e4d8662.vbs"20⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f30260-b8cb-466a-872d-545150cf657b.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3866c397-0c9b-4141-9d9f-b2468a680536.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93b33285-8e90-44f5-bfea-6efabc071b06.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c9f235-fc8d-44e9-8993-cb8d42499778.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b7bdc3-aee6-489b-b2ed-aab71d895125.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e8cf4e3-1f94-4acf-9003-2662494d53fb.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e317f089-b810-4285-83d3-9918e451ca20.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a015612f-6e00-496c-b0fa-e3eb0df23e59.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3c1263-4015-460c-945f-15633a5e12cd.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD543f48688f792570e32d00bdf59968aa5
SHA1a786bd1e22f59b81dbf35111777743d1568ffc05
SHA25686b0e4f83b750684d9f5890dfe3c4d36d2d99a4590adbad3ccaf3b216b2be6e7
SHA512530a8e29b8fd8db897b978099f4b4c67aaa3cd3ba50e4ecc76657094522a91badec5ebbf7a775ec557ab2b4d8e07500fd85dc9fa82a5f2256ea2e290040e0376
-
Filesize
1.9MB
MD5a4df9e136a6d4209aad4e8c814b7dee9
SHA132c8164a3e86001a44b792b600ddf86cc0f4d273
SHA256e414cdf86be6a882d5601c489024c393c61849f31262bdf6784126d0ffad6a72
SHA512996cda05de64aa561c99ab8081d932d7ddabb31726fd4a230b30d5b6aa159932112f4c96558aec4d772d41653fad542fc9402d6a2f55b3fe6b8e89f4b047ac01
-
Filesize
1.9MB
MD5f4e4d1e04d87ee5f465101ef514d0a28
SHA1e68643551abc2f14f386fd39783c4cf4206d8716
SHA2567fbcdb7549b0a7ab49ca918487db9e16891411840cdbe9099a546c35da2a5980
SHA512ded583824d9edc0090f3ad8f3a824cf258ca0ee1d36bf3e92d9656755d290adcb6aa0799b632be5604939f5edba28df3a3c9408715f5e0406bc5c7b01d0e667e
-
Filesize
1.9MB
MD54ca5e4a520c1c172e359925f6922087b
SHA19085ed9a52d4b0bfe3b01ae97a4a14f12d558b99
SHA25666ff4d5b80f9e0ed11f4cbacad0b936f8b49311bfb57a0354334b3c87a97473d
SHA51288f37831736d6fe3f9c82c994a6b9b026f0e4bcb0c829d5d37499a4db2d8b63b301083f1d7505a43fdce651c964223f2baf1aff621f126f28217d051e7ffeab7
-
Filesize
1.9MB
MD5f98ee08aed6b41b1f9e6e1ca752d22cc
SHA10ad8d0bac5c76e5f79ba872cf3ae18a6717ee6dd
SHA25682db60e8849ee07cae78c7f49afbbed2e3544618bfcd5d01daf09b120e97b1e0
SHA51263dcfc32399062ec5bb65a3a579c75a86bd80bc9bae28d63ff5df3510ef319a5e3237629fcea17232cdbaf96bca0347cd8d8b7669698188cbf08bdc2f3caed5a
-
Filesize
1.9MB
MD5fb097c54334d0b402b8cb721b24fb5f8
SHA1c001f201b51a72d16303ddf60eab525a838dd63d
SHA256c93ae11851ce9184dfc3a413a7a4a70c03aeeec6669586ce700b16e02f158549
SHA512fcb73f92c24bc9abaf9f99f6995449229e87bec23711d66eea934543d2fb18f0de6a596f1a0ea7a401b8ccdd96de48fc86455321f45e566c708a1a7d76ed08af
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cae19674c4dd6a419a8ce8bc65e65167
SHA18b3f7e010483412b803e756c850fecd29cf9fb8a
SHA256f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd
SHA5129865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74
-
Filesize
944B
MD576c4d3c87da7e0fe580b97f942028fe6
SHA1d182259b34f7c96471edd28e97470888ffe150d1
SHA256d9f1c9c92ee57bbb51767eeba0cdab1c3b11d4cd735f07fc206b6f2014f15439
SHA51223466bc0414638ac0d90ecf79e47c21fbe7a0308acb69d64b4cc72ae6cf045b66147c54ae7488ca76391b0fffd7c7ca39d093789b25af720b8a0e62f3e0841ed
-
Filesize
944B
MD547d9df7fab0d0c96afdd2ca49f2b5030
SHA192583883bcf376062ddef5db2333f066d8d36612
SHA2560f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02
SHA5121844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200
-
Filesize
944B
MD53357c199be211a745818714039e25935
SHA17d50d07ff2e234f3d10a88363796cbd615b1e9a3
SHA256668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38
SHA512052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077
-
Filesize
944B
MD57ebbb17f3791dea62cf267d83cf036a4
SHA1266c27acf64b85afd8380277f767cc54f91ab2b0
SHA2562345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19
SHA5126e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51
-
Filesize
1.9MB
MD5d1c9f138b9f5af99f1d9783e21679b1a
SHA122cd93b08c812a610a7a84674533c35c4ca9e6e9
SHA2561c684800f3c8e447be1de1556d6ffb7b5af52f58d56c0ec1b47cfd27b08aea2a
SHA512c951137b83c1511dfad3648e8fc711abd2f07dff10438e9bca871d82e316b1eb757840f5342b099f9868e9976a5e7faba1a46ff9146848b22e41e170c967e74c
-
Filesize
724B
MD5602269e09a7e06482baf06a06ec4aeeb
SHA121e4004a244e044462d74159f3633d3da200362d
SHA2566ef24fea7e66938a1698a58f059ad76c34a09fb01ca21b62c92c1318233b0386
SHA51277bfbf05f8e5d192f2417445c47742ce1fb56c78389dbca2a3d8c86db0f2c126dcc2b1bb604cdee6ccc21631150bb43ffe711078fcc67433ecdceef857e2a59d
-
Filesize
725B
MD5e3a0f64544e70348893e5a382ccdd47c
SHA121888f08fe195dc19b18864ed879195c660f3713
SHA2561233da8fc71ce66be7acdddcbaff5aef7c17bd39c3c431cacfd5f934ff7e9da7
SHA5126f695d0b2bc75c65f715ed2b95a7f2a1640d7dd680f09798b723dc5e72cdaad52af378a142af61d417d47167ae0d6bfb9094413a674ec7f45f9145e753ff5b1c
-
Filesize
725B
MD5fc62cc4cc1211910f5c1f3a6a1677b42
SHA16b27d756a1de5cbe8d36415ddc45f93958d5f0b5
SHA2560656fd4a3d80aa5fcb9487665474dc701e6cb922ed625bea338b64b24a520ac0
SHA5124b7d9945401a00952331e7f3376e2d422e22f0b3db926658d5229520cc3aa85619065f7a048f05387f57bd1d1ded29d0255c2da468e24a7c960827a9e152a902
-
Filesize
725B
MD5b46f1e2a63cbccb51378b59e84ce5234
SHA1cab84ee55048c760d0e45f0ff69917cb928db0ab
SHA2567d370a04e48514905f16c46891ed760d1d9a4c30b0ae879c071eaba3bfd3c5c8
SHA512aa0e7289c3fea58cd95c5c888ea42968993fdef3eeaddef5e4b6a1fa294b7fc94131f05c52dab0a03697a22e2f9b618d929e92384c550360a79c82a6c8eb0baa
-
Filesize
725B
MD5f5d41ea3b59114ed06bdc06ffd1d3be1
SHA15ef634ada072127766a76cd8aa299b529ff9c114
SHA256eb3a7c26a31a3ff9e0415b2017455f79ab0d19227ec7d44f3c60a7e9cc6ab3d5
SHA512b6ec61c6a3d169464f58200cec720b9bbe7acaef2353fbf675b23ccf295b1ab887dd440d4df3502f2ebb93402b9d9fa282e1dc8bfed5b8a7e02349ed46b07c9c
-
Filesize
501B
MD5d435f465421ca9b1a5dbd93d2d362e77
SHA116d3961cb14eea0497b2f8f9bed8bd3d6b14613c
SHA256436fd7f25782e0c96623d179561cd9b1846123b3802b24a4f548b179b1c93856
SHA512d0c644e100790a1cd743e0fcd0f0706d817aa795973b17172acae9d405b7bcec1fb4bd7df7a0345a84a2dcc403202c31d65008fbaa17ea5995c9b1cf5bd846bb
-
Filesize
725B
MD594b21f21bd8de8e073b8cd1959504b82
SHA1f359e32301be0825eb7623a04000d489e6b06f9f
SHA25638d9c1aa98752a507231ac9fa42b9b5d157b5594a9106c8498ce99f005096802
SHA512b68f6ae1e340844a9c9d600673889dc0c6bfda3fa7de256abd06a97040a3c0ba994d17b2a80794bd507d7fc697aad22e5a79d9a7612529295d464bee5918e9ed
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
725B
MD5520200353a328a7c8ed9e4203dcd10b9
SHA1d8ab6115ad6fb4a394f5499dee74bd2b0c2748b1
SHA2568004b3272bfc0934ba5bff4c9c0ed99a63acfde121ba4348dbbb65726644658e
SHA512f856f998e321feca683c8d30009ee2ae6c6fc210ea8fe80921ae99030dacc8e4d35768be8b5b37ac70f88037d01395f0057cd56f05f71014f284214b68251bd4
-
Filesize
725B
MD5344d7ab09ae4e5cd65ffc00cfce3a257
SHA19230acb20981232f27ecab6ceff35463e3e805f1
SHA256c37b765819e6346697bea70440352c9901654f2da4c1de338713412b396efa22
SHA512f67915da070b620433e5683ae55263f5e1f32715749f94e140039551c00b31a3545e6b210878b5b515c67c98bbcce51faacc6483ce49146637990182b55be3f8
-
Filesize
725B
MD59508cc245d8731cca38690cd66918adc
SHA122198d6d212da0dbc281c2601d623367def29433
SHA256e4edf2b93cc999d85bb676efa7ab3c8979d0cf816fec747841e2067c9231df87
SHA512b1942304d35cb3b36d233fe1c3c06f8797b35f4017d6d909ac3f0c2337157e769db8ca0866e8deb09e371b3d516ba2f050977659d2d3bb30e5a54afaaefaf0a9
-
Filesize
214B
MD57d698830edcaa3d533dd20135d96f154
SHA14446bfc0e465c1967fe350081b86b64bdddc9181
SHA25632f4bd1c9b459bd5181211fc6a35dbf724d66060cb6bd7c087a15431dcac57f3
SHA512a7ff7f81942bf96ccd753fdc97351d7b607fd2a5f022335e42455e0cb03e2ecb81046a621eaf943d31807cc34e40d2d2857ffbb2e3d2d4b93c1fdc051c1f9e52
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
344KB