Analysis
-
max time kernel
151s -
max time network
174s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
18/11/2023, 01:46
Behavioral task
behavioral1
Sample
NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
-
Size
1.4MB
-
MD5
3d10e6755ac9695dca6850bb1ad727d0
-
SHA1
b42d5db6a985f610548776ea62316c94940b183d
-
SHA256
978f287cea0349f2b401815bad60117a162621521acb4c726126953c685bc165
-
SHA512
f9c81db74335f953a1780d8eb1522908b709557093ca6d7aa8e8746d401a8ff8f847a13b6c5eca7f728d55f4f005b136bce835ff5877a39bcf0249ccd8b6c538
-
SSDEEP
24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For wmiprvse.exe specifically, the usual cause is process creation through WMI (Win32_Process.Create): the WMI provider host becomes the parent of the new process and the real initiator does not appear in the tree.
description pid pid_target Process procid_target
All 15 hits carry the same description and target: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 2868, procid_target 28). Child pids, all schtasks.exe: 2764, 2716, 2692, 2608, 2700, 320, 2560, 2548, 2896, 2924, 2968, 484, 1096, 1712, 1952.
-
UAC bypass 12 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
description       ioc                                Process
Set value (int)   EnableLUA = "0"                    NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   PromptOnSecureDesktop = "0"        NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
-
YARA rule matches (rule dcrat) 10 IoCs
resource                                                                    yara_rule
behavioral1/memory/2512-0-0x0000000000E90000-0x0000000000FFC000-memory.dmp   dcrat
behavioral1/files/0x0008000000015caf-34.dat                                  dcrat
behavioral1/files/0x0009000000016ad4-99.dat                                  dcrat
behavioral1/files/0x0009000000016ad4-169.dat                                 dcrat
behavioral1/memory/2812-179-0x0000000000F00000-0x000000000106C000-memory.dmp dcrat
behavioral1/files/0x0009000000016ad4-177.dat                                 dcrat
behavioral1/files/0x0009000000016ad4-275.dat                                 dcrat
behavioral1/files/0x000c000000016c25-282.dat                                 dcrat
behavioral1/files/0x0009000000016ad4-312.dat                                 dcrat
behavioral1/files/0x000c000000016c25-320.dat                                 dcrat
-
Executes dropped EXE 3 IoCs
pid    Process
2812   services.exe
2344   services.exe
1712   services.exe
-
Checks whether UAC is enabled 8 IoCs
All entries refer to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.
description         ioc               Process
Key value queried   EnableLUA         services.exe
Set value (int)     EnableLUA = "0"   services.exe
Key value queried   EnableLUA         NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)     EnableLUA = "0"   NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Key value queried   EnableLUA         services.exe
Set value (int)     EnableLUA = "0"   services.exe
Key value queried   EnableLUA         services.exe
Set value (int)     EnableLUA = "0"   services.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2716 schtasks.exe 2968 schtasks.exe 484 schtasks.exe 1096 schtasks.exe 1712 schtasks.exe 2700 schtasks.exe 320 schtasks.exe 2548 schtasks.exe 2896 schtasks.exe 2764 schtasks.exe 2692 schtasks.exe 2560 schtasks.exe 2608 schtasks.exe 2924 schtasks.exe 1952 schtasks.exe -
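The fifteen task registrations above, parsed and triaged by a script added here; it is not part of the sandbox report or of the sample. The event list is constructed from the schtasks.exe command lines and the wmiprvse.exe parent shown on this page; the SYSTEM_NAMES table (which binary names belong in which directory) is my own assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the 15 schtasks.exe command lines from this report's
# process tree. The "Process spawned unexpected child process" signature records
# the same parent for all of them, wmiprvse.exe (PID 2868).
PARENT_IMAGE = r"C:\Windows\system32\wbem\wmiprvse.exe"
EVENTS: List[Tuple[int, str]] = [  # (pid, command line)
    (2764, r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f'''),
    (2716, r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f'''),
    (2692, r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f'''),
    (2608, r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /f'''),
    (2700, r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /rl HIGHEST /f'''),
    (320, r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /rl HIGHEST /f'''),
    (2560, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f'''),
    (2548, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f'''),
    (2896, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f'''),
    (2924, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /f'''),
    (2968, r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /rl HIGHEST /f'''),
    (484, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /rl HIGHEST /f'''),
    (1096, r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /f'''),
    (1712, r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /rl HIGHEST /f'''),
    (1952, r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /rl HIGHEST /f'''),
]

# /switch followed by an optional value: a double-quoted string or a bare token that
# does not itself start with '/', so a bare switch like /f never swallows the next one.
OPT_RE = re.compile(r'/(?P<opt>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|[^\s/]\S*))?')

# Assumption (mine, not from the report): the names the dropped files borrow, mapped to
# the only directory a genuine binary of that name lives in. Idle.exe and System.exe
# imitate the "System Idle Process" and "System" pseudo-processes, which never exist on disk.
SYSTEM_NAMES: Dict[str, Set[str]] = {
    "explorer.exe": {r"c:\windows"},
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "idle.exe": set(),
    "system.exe": set(),
}


def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Map each /switch of a schtasks command line to its value (None for bare switches)."""
    opts: Dict[str, Optional[str]] = {}
    for m in OPT_RE.finditer(cmdline):
        val = m.group("val")
        # /tr values arrive as "'<path>'": drop the double quotes, then the single ones
        opts[m.group("opt").lower()] = val.strip('"').strip("'") if val else None
    return opts


def triage(parent_image: str, cmdline: str) -> List[str]:
    """Reasons a task registration deserves attention; an empty list means nothing unusual."""
    findings: List[str] = []
    opts = parse_schtasks(cmdline)
    if parent_image.lower().endswith(r"\wbem\wmiprvse.exe"):
        findings.append("spawned by WmiPrvSE.exe: created through WMI (Win32_Process.Create), "
                        "so the real initiator does not appear as the parent")
    target = opts.get("tr") or ""
    directory, _, name = target.lower().rpartition("\\")
    allowed = SYSTEM_NAMES.get(name)
    if allowed is not None and directory not in allowed:
        findings.append(f"{name} masquerade outside its system directory: {target}")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        findings.append("runs elevated (/rl HIGHEST)")
    if (opts.get("sc") or "").upper() == "MINUTE":
        findings.append(f"re-launched every {opts.get('mo') or '1'} minute(s): watchdog persistence")
    return findings


def persistence_targets(events: List[Tuple[int, str]]) -> Counter:
    """How many tasks point at each target binary: the files to collect and block."""
    return Counter(parse_schtasks(cmd).get("tr") for _pid, cmd in events)


if __name__ == "__main__":
    for pid, cmd in EVENTS:
        print(pid, parse_schtasks(cmd)["tn"], "|", "; ".join(triage(PARENT_IMAGE, cmd)))
    for path, n in persistence_targets(EVENTS).items():
        print(n, "task(s) ->", path)
```

On a live host the same fields come from Sysmon event 1 (Image, ParentImage, CommandLine) or Security event 4688 with command-line auditing enabled; the three-task pattern per binary (one ONLOGON task plus two MINUTE tasks, one of them elevated) is what to look for in `schtasks /query /fo LIST /v` output when checking whether the persistence was removed.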
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 hits, collapsed by process)
2512 NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe (repeated)
1656, 3044, 2104, 2068, 2128, 2940, 1720, 2756, 2080, 2088, 2216, 2392 powershell.exe
2812 services.exe (repeated)
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process (all 16 hits: Token: SeDebugPrivilege)
2512 NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
1656, 3044, 2104, 2068, 2128, 2940, 1720, 2756, 2080, 2088, 2216, 2392 powershell.exe
2812, 2344, 1712 services.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target (63 hits; every edge below is recorded three times; procid_target in parentheses)
2512 NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe wrote to memory of: 2104 (44), 2088 (46), 2068 (48), 2128 (49), 2080 (67), 2940 (51), 3044 (66), 1656 (52), 2216 (65), 1720 (53), 2756 (56), 2392 (62), 2812 (68)
2812 services.exe wrote to memory of: 3068 (71), 2164 (72)
3068 WScript.exe wrote to memory of: 2344 (73)
2344 services.exe wrote to memory of: 2792 (74), 1100 (75)
2792 WScript.exe wrote to memory of: 1712 (76)
1712 services.exe wrote to memory of: 344 (77), 2000 (78)
Every target is a direct child of the writer in the process tree, so these hits trace the launch chain rather than pointing at a separate injection target.
-
System policy modification 1 TTPs 12 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
description       ioc                                Process
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
Set value (int)   EnableLUA = "0"                    services.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   PromptOnSecureDesktop = "0"        NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   PromptOnSecureDesktop = "0"        services.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
Set value (int)   EnableLUA = "0"                    NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe
Set value (int)   ConsentPromptBehaviorAdmin = "0"   services.exe
-
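Reading the registry IoCs in the UAC bypass and System policy modification tables as an analyst would, with an added example script (mine, not the sandbox's): it parses the report's "Set value (int)" lines, reduces them to the effective policy, attributes each value to the processes that wrote it, and explains what each zeroed value does. The default values and the ConsentPromptBehaviorAdmin meanings are Microsoft's documented ones; the sample lines are constructed from the tables above.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample input: registry IoC lines in the format this report uses
# ('Set value (int) <path> = "<data>" <process>'), taken from the tables above.
IOC_LINES = [
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "0" services.exe',
    'Set value (int) ' + POLICY_KEY + r'\ConsentPromptBehaviorAdmin = "0" NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe',
    'Set value (int) ' + POLICY_KEY + r'\PromptOnSecureDesktop = "0" services.exe',
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "0" NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe',
]

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+) = "(?P<data>[^"]*)" (?P<proc>\S+)$')

# Documented defaults (Windows 7 onwards) for the three values the sample zeroes.
UAC_DEFAULTS: Dict[str, int] = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}
# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}


def parse_ioc(line: str) -> Tuple[str, int, str]:
    """Return (value name, DWORD data, writing process) for one 'Set value (int)' line."""
    m = SET_RE.match(line)
    if not m or m.group("type") != "int" or m.group("key").lower() != POLICY_KEY.lower():
        raise ValueError("not a Policies\\System DWORD write: " + line)
    return m.group("name"), int(m.group("data")), m.group("proc")


def effective_policy(lines: Iterable[str]) -> Dict[str, int]:
    """Last write wins, as it does in the registry."""
    return {name: data for name, data, _proc in map(parse_ioc, lines)}


def writers(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Which process touched which value: attribution for the timeline."""
    out: Dict[str, Set[str]] = {}
    for name, _data, proc in map(parse_ioc, lines):
        out.setdefault(name, set()).add(proc)
    return out


def assess_uac(values: Dict[str, int]) -> List[str]:
    """Explain the resulting UAC state; values not present keep their defaults."""
    v = {**UAC_DEFAULTS, **values}
    findings: List[str] = []
    if v["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC is off after the next reboot; administrators run with "
                        "a full token and nothing prompts for elevation")
    mode = v["ConsentPromptBehaviorAdmin"]
    if mode == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admin elevation will "
                        + ADMIN_PROMPT[0] + ", so any program can elevate silently")
    elif mode != UAC_DEFAULTS["ConsentPromptBehaviorAdmin"]:
        findings.append(f"ConsentPromptBehaviorAdmin={mode}: admin elevation will "
                        + ADMIN_PROMPT.get(mode, "use an undocumented mode"))
    if v["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: any prompt that remains is drawn on the "
                        "interactive desktop, where other processes can read or automate it")
    return findings


if __name__ == "__main__":
    policy = effective_policy(IOC_LINES)
    print(policy, writers(IOC_LINES))
    for line in assess_uac(policy):
        print("-", line)
```

Restoring the three values to their defaults only takes effect for EnableLUA after a reboot, so a host where the sample ran stays without UAC until it is restarted, and both the original sample and the dropped services.exe wrote these values, which is why the dropped copy has to be removed before the reboot or it will set them again.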
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe (depth 1, PID 2512)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.3d10e6755ac9695dca6850bb1ad727d0.exe"
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

  Children of PID 2512 (depth 2). Each of the twelve powershell.exe instances is tagged Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken, and each adds one top-level directory to the Windows Defender exclusion list:
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PID 2104  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    PID 2088  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    PID 2068  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    PID 2128  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    PID 2940  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    PID 1656  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    PID 1720  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    PID 2756  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    PID 2392  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    PID 2216  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    PID 3044  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    PID 2080  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

  C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe (depth 2, PID 2812)
  Command line: "C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\System32\WScript.exe (depth 3, PID 3068)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f903ddf-34cc-4d12-a827-2847f7ef9a2e.vbs"
    - Suspicious use of WriteProcessMemory

      C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe (depth 4, PID 2344)
      Command line: C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\System32\WScript.exe (depth 5, PID 2792)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a14cf4-a342-4850-b71a-44f925ae1b2b.vbs"
        - Suspicious use of WriteProcessMemory

          C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe (depth 6, PID 1712)
          Command line: C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

            C:\Windows\System32\WScript.exe (depth 7, PID 344)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d10282b-13c8-4b6b-8d6f-5ad838a593cc.vbs"

            C:\Windows\System32\WScript.exe (depth 7, PID 2000)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fc1a8ea-80a4-44c3-9ec1-24250d685233.vbs"

        C:\Windows\System32\WScript.exe (depth 5, PID 1100)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07093549-197a-4b58-a4d1-93efef89a493.vbs"

    C:\Windows\System32\WScript.exe (depth 3, PID 2164)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69466eb1-95a6-4a68-813d-dbb7b08b410c.vbs"

C:\Windows\system32\schtasks.exe (depth 1, fifteen instances)
Their parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2868), which is not part of the tree, so they appear at the top level. Each instance is tagged Process spawned unexpected child process and Creates scheduled task(s).
PID 2764  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
PID 2716  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
PID 2692  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
PID 2608  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /f
PID 2700  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /rl HIGHEST /f
PID 320   schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'" /rl HIGHEST /f
PID 2560  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
PID 2548  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
PID 2896  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
PID 2924  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /f
PID 2968  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /rl HIGHEST /f
PID 484   schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\System.exe'" /rl HIGHEST /f
PID 1096  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /f
PID 1712  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /rl HIGHEST /f
PID 1952  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe'" /rl HIGHEST /f

Note: PID 1712 appears twice in this report, once for a schtasks.exe instance and once for the depth-6 services.exe; the sandbox reused the PID, so the two entries are different processes.
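Those twelve Add-MpPreference calls, turned into a check that runs over process-creation command lines; this is an added example, not the sandbox's or the sample's code. The command lines are copied from the tree above, the Get-MpComputerStatus line is a constructed benign control, and the breadth thresholds (drive root, top-level folder) are my own choice.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable, List

# Constructed sample input: the twelve powershell.exe command lines PID 2512 ran
# (copied from this page's process tree) plus one benign Defender query made up here
# to show the negative case.
COMMAND_LINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'",
    "\"powershell\" -Command Get-MpComputerStatus",  # benign control, constructed
]

# The path argument may be single- or double-quoted; (?P=q) insists on the same quote closing it.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(?P<q>['\"])(?P<path>.+?)(?P=q)", re.IGNORECASE)


def extract_exclusions(cmdlines: Iterable[str]) -> List[PureWindowsPath]:
    """Pull every -ExclusionPath argument out of a stream of command lines.

    PureWindowsPath normalises the forward slashes the sample uses and compares
    case-insensitively, as NTFS does.
    """
    found: List[PureWindowsPath] = []
    for cmd in cmdlines:
        m = EXCLUSION_RE.search(cmd)
        if m:
            found.append(PureWindowsPath(m.group("path")))
    return found


def is_excluded(path: str, exclusions: Iterable[PureWindowsPath]) -> bool:
    """True if Defender would skip `path` because it or one of its parents is excluded."""
    p = PureWindowsPath(path)
    return any(p == e or e in p.parents for e in exclusions)


def exclusion_findings(exclusions: Iterable[PureWindowsPath]) -> List[str]:
    """Flag exclusions broad enough to blind the scanner rather than tune it."""
    findings: List[str] = []
    for e in exclusions:
        if e.parent == e:  # a drive root such as C:\ is its own parent
            findings.append(f"entire volume excluded: {e}")
        elif len(e.parts) == 2:  # C:\<top-level folder>
            findings.append(f"top-level folder excluded: {e}")
    return findings


if __name__ == "__main__":
    excl = extract_exclusions(COMMAND_LINES)
    for line in exclusion_findings(excl):
        print(line)
    dropped = r"C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\services.exe"
    print(dropped, "scanned:", not is_excluded(dropped, excl))
```

On a live host the same list is read back with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; each Add-MpPreference call also writes under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths and raises event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the record to pull when the PowerShell command lines themselves were not captured.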
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
(the submitted sample; same hashes as under General)
Filesize 1.4MB
MD5 3d10e6755ac9695dca6850bb1ad727d0
SHA1 b42d5db6a985f610548776ea62316c94940b183d
SHA256 978f287cea0349f2b401815bad60117a162621521acb4c726126953c685bc165
SHA512 f9c81db74335f953a1780d8eb1522908b709557093ca6d7aa8e8746d401a8ff8f847a13b6c5eca7f728d55f4f005b136bce835ff5877a39bcf0249ccd8b6c538
-
(listed 7 times on the original page; paths not captured)
Filesize 1.4MB
MD5 8cf5d53a6b4cba960d5caee895028a8e
SHA1 edac8b842ac28160e1e536c50de948b7a86c56f4
SHA256 9bb8a08885c093b3eafc349f341b3d5b4a934e0cd88f6b266993d1d5e91adc9d
SHA512 70cdc1963b033c4556f0c6bad5086cd2d53f57b69774bc829947e6e7901ae5ebdf55e6bb40113b156484f16e114e5427e8bbc71623a0f96236cdc1d4814da46f
-
(listed 4 times on the original page; paths not captured)
Filesize 513B
MD5 624b9334f77e4daea95b16ee7ea4b053
SHA1 f312086ca5a518c4981c38f782b7749a835ce7b3
SHA256 ac183c4d51ed23788f7fb63481371506c7dcb7b6790ae30be37036f341c4bfcc
SHA512 6c7d70bd5f6ac612a88b0dd8fdc30673afd318774ed0eaa10893bd0305487ae5ac68eff2b8b48e5aee6f8a6b83c05bd2e372c39a56daea1f8a633814a24a7627
-
Filesize 737B
MD5 294687663fbc7461cbb92eb48601f97c
SHA1 be18edc19cb3ddc8b8a6bf5d43047a078d94cc87
SHA256 33d37f66f8d26ede81a636c844adab47e56a4129c2696add04f87ae3957c2283
SHA512 24c6233969ed6afb7b358a5f49df85cfd9b81497b1b082a1f2454b46f1b1fcdde7e7bd906970e67e1b0c470cf2d5f4ba552d8725b48d477f226e9a88219a4cd0
-
Filesize 737B
MD5 3ed51a13f79d03086f50f28ee87ced5c
SHA1 533de0b183947a6f7c8b4b2df9a9c628ed136894
SHA256 c8d8212c102524e0f743ae9ee1ae8656f8df13d481d0aa65a19cd0ca8278366f
SHA512 9bf8e335dae1f5b5fb6bafe5198ba1dc2d0af7d76dd9c5fd439a9270a26d0efe7593afa147ccaddbafa021c1b0b57f9cef9df2e88353ca122c217dbd32eabc82
-
Filesize 737B
MD5 f424b738c5a4b2b1df667caeb3d8d8a2
SHA1 e160e817f5809031d656bda712cb36810e0608c0
SHA256 ac1bf0770c65cfd42529d8b8d3a403b8d1bc661a5eb08b6944e4c249d7f4a16b
SHA512 fe6e1104ccc8e3483f9a41676fe7f8c02407773b67e34791c64a378de415449fa7da2a144e5efa9d1ecfe100fad740244add7b612a860b7e2505c8051bb76cab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (listed 10 times on the original page)
Filesize 7KB
MD5 7f3866f4d73226336c9a8b7d69c27780
SHA1 c57ca183a042d951e24f1635dbd75fe0f5bcb8e0
SHA256 291c7a4da24f82d331f1099b695ee5ad6cdc2cbbaf059113a6c7eced5f244677
SHA512 f44fe86418cee92a2a9d721e3eb7100a9deedf55ee7990771534be469043796ff727886d9695f5ae777358b407fc47390402c697e889b453728896682b378a99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FCDL5PI9MXK2XAU071R0.temp (same content as the .customDestinations-ms file above)
Filesize 7KB
MD5 7f3866f4d73226336c9a8b7d69c27780
SHA1 c57ca183a042d951e24f1635dbd75fe0f5bcb8e0
SHA256 291c7a4da24f82d331f1099b695ee5ad6cdc2cbbaf059113a6c7eced5f244677
SHA512 f44fe86418cee92a2a9d721e3eb7100a9deedf55ee7990771534be469043796ff727886d9695f5ae777358b407fc47390402c697e889b453728896682b378a99