Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 01:25
Behavioral task: behavioral1
Sample: NEAS.f83148f181f138db59182790125e3550.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.f83148f181f138db59182790125e3550.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.f83148f181f138db59182790125e3550.exe
Size: 1.1MB
MD5: f83148f181f138db59182790125e3550
SHA1: 59af834bd5049062d03068977b90fdd60ab75516
SHA256: 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512: fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f
SSDEEP: 24576:aADdteLS1VO6wLVqq0aJSw69voIN7y7Di0:8E86MVX/SwHmf
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 64 entries share the same description, pid_target, Process and procid_target: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process" | pid_target 2264 | schtasks.exe | procid_target 88. The pid column (the spawned schtasks.exe), in report order:
3996, 2344, 1140, 2932, 1708, 4900, 2012, 1924, 2468, 864, 4220, 664, 1516, 4964, 4712, 4200, 3288, 4308,
1064, 4996, 4076, 4660, 2596, 4852, 3384, 3724, 3144, 2588, 4112, 916, 5064, 2184, 3676, 2312, 2912, 756,
5012, 1340, 460, 1588, 4620, 3904, 3840, 2680, 2068, 3748, 3844, 4988, 4552, 1840, 3060, 264, 4196, 4604,
2788, 1064, 4896, 2188, 2376, 1324, 2752, 1216, 1504, 3220
resource | yara_rule
behavioral2/memory/3032-0-0x0000000000730000-0x000000000085C000-memory.dmp | dcrat
behavioral2/files/0x0006000000022df7-19.dat | dcrat
behavioral2/files/0x000e00000002236e-136.dat | dcrat
behavioral2/files/0x0009000000022d01-146.dat | dcrat
behavioral2/files/0x0006000000022de9-182.dat | dcrat
behavioral2/files/0x0006000000022e42-296.dat | dcrat
behavioral2/files/0x0006000000022e42-297.dat | dcrat
behavioral2/files/0x0006000000022e42-316.dat | dcrat
behavioral2/files/0x0006000000022e84-324.dat | dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | NEAS.f83148f181f138db59182790125e3550.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | NEAS.f83148f181f138db59182790125e3550.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | winlogon.exe
Executes dropped EXE 3 IoCs
pid | Process
4964 | NEAS.f83148f181f138db59182790125e3550.exe
3688 | winlogon.exe
2912 | winlogon.exe
Drops file in Program Files directory 36 IoCs
description | ioc | Process
All 36 entries have the same Process: NEAS.f83148f181f138db59182790125e3550.exe
File created | C:\Program Files (x86)\Common Files\Services\f3b6ecef712a24
File created | C:\Program Files\7-Zip\Lang\smss.exe
File created | C:\Program Files\Common Files\microsoft shared\VGX\eddb19405b7ce1
File created | C:\Program Files\Windows Security\BrowserCore\en-US\e1ef82546f0b02
File created | C:\Program Files\Internet Explorer\en-US\dllhost.exe
File created | C:\Program Files (x86)\Common Files\Services\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Services\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe
File created | C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe
File created | C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXB220.tmp
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe
File created | C:\Program Files\7-Zip\Lang\69ddcba757bf72
File created | C:\Program Files\Windows Multimedia Platform\eddb19405b7ce1
File opened for modification | C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe
File created | C:\Program Files\Internet Explorer\en-US\5940a34987c991
File opened for modification | C:\Program Files (x86)\Common Files\Services\RCXC36D.tmp
File created | C:\Program Files\Microsoft Office\PackageManifests\55b276f4edf653
File created | C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe
File created | C:\Program Files (x86)\Windows Media Player\ja-JP\22eafd247d37c3
File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VGX\RCXA7BA.tmp
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXD300.tmp
File opened for modification | C:\Program Files\7-Zip\Lang\smss.exe
File created | C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\RCXC61E.tmp
File created | C:\Program Files (x86)\Microsoft\Temp\29c1c3cc0f7685
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\7a0fd90576e088
File opened for modification | C:\Program Files\Internet Explorer\en-US\RCXBF45.tmp
File opened for modification | C:\Program Files\Internet Explorer\en-US\dllhost.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe
Drops file in Windows directory 13 IoCs
description | ioc | Process
All 13 entries have the same Process: NEAS.f83148f181f138db59182790125e3550.exe
File created | C:\Windows\Migration\WTR\Registry.exe
File created | C:\Windows\Migration\WTR\ee2ad38f3d4382
File opened for modification | C:\Windows\Cursors\dllhost.exe
File opened for modification | C:\Windows\appcompat\encapsulation\unsecapp.exe
File created | C:\Windows\Cursors\dllhost.exe
File created | C:\Windows\Cursors\5940a34987c991
File created | C:\Windows\appcompat\encapsulation\29c1c3cc0f7685
File opened for modification | C:\Windows\Migration\WTR\Registry.exe
File created | C:\Windows\Cursors\886983d96e3d3e
File created | C:\Windows\appcompat\encapsulation\unsecapp.exe
File opened for modification | C:\Windows\Migration\WTR\RCXD738.tmp
File created | C:\Windows\Cursors\csrss.exe
File opened for modification | C:\Windows\Cursors\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 64 entries have the same Process: schtasks.exe. The pid column, in report order:
3220, 1516, 2588, 2788, 1504, 452, 2184, 5012, 1444, 4424, 2312, 264, 4896, 460, 1064, 5064,
5012, 1140, 4200, 4308, 756, 3384, 4940, 664, 2912, 1840, 460, 4900, 2012, 4872, 4988, 2752,
1588, 2468, 4220, 4076, 3904, 4604, 4324, 3100, 2344, 3384, 3724, 4620, 3844, 1324, 4364, 884,
1064, 4852, 5064, 2680, 1668, 4552, 1216, 3656, 1784, 864, 3676, 3060, 2332, 632, 4964, 3748
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | NEAS.f83148f181f138db59182790125e3550.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | NEAS.f83148f181f138db59182790125e3550.exe
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | winlogon.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process | entries
3032 | NEAS.f83148f181f138db59182790125e3550.exe | 11 entries
4964 | NEAS.f83148f181f138db59182790125e3550.exe | 12 entries
3688 | winlogon.exe | 2 entries
2912 | winlogon.exe | 1 entry
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3032 | NEAS.f83148f181f138db59182790125e3550.exe
Token: SeDebugPrivilege | 4964 | NEAS.f83148f181f138db59182790125e3550.exe
Token: SeDebugPrivilege | 3688 | winlogon.exe
Token: SeDebugPrivilege | 2912 | winlogon.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
Each of the following 9 rows appears twice in the report (18 entries in total):
PID 3032 wrote to memory of 8 | 3032 | NEAS.f83148f181f138db59182790125e3550.exe | 155
PID 8 wrote to memory of 4892 | 8 | cmd.exe | 157
PID 8 wrote to memory of 4964 | 8 | cmd.exe | 158
PID 4964 wrote to memory of 3688 | 4964 | NEAS.f83148f181f138db59182790125e3550.exe | 199
PID 3688 wrote to memory of 4840 | 3688 | winlogon.exe | 202
PID 3688 wrote to memory of 3708 | 3688 | winlogon.exe | 203
PID 4840 wrote to memory of 2912 | 4840 | WScript.exe | 207
PID 2912 wrote to memory of 2024 | 2912 | winlogon.exe | 208
PID 2912 wrote to memory of 4500 | 2912 | winlogon.exe | 209
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (tree depth in parentheses; child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3032
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hy3B39XMXx.bat"
    - Suspicious use of WriteProcessMemory
    PID: 8
    C:\Windows\system32\w32tm.exe (depth 3)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 4892
    C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4964
      C:\Users\All Users\Templates\winlogon.exe (depth 4)
        Command line: "C:\Users\All Users\Templates\winlogon.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3688
        C:\Windows\System32\WScript.exe (depth 5)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045eca76-3656-471f-b030-849723d4466a.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 4840
          C:\Users\All Users\Templates\winlogon.exe (depth 6)
            Command line: "C:\Users\All Users\Templates\winlogon.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2912
            C:\Windows\System32\WScript.exe (depth 7)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b7fce0-ff84-4cf9-88e0-a29b4068b307.vbs"
              PID: 2024
            C:\Windows\System32\WScript.exe (depth 7)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs"
              PID: 4500
        C:\Windows\System32\WScript.exe (depth 5)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308aa1bf-4cf9-4895-9303-d003053bda0d.vbs"
          PID: 3708
The following schtasks.exe processes are all at depth 1 (their parent, wmiprvse.exe, is not part of the tree above):

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  PID: 3996
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2344
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1140
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
  - Process spawned unexpected child process
  PID: 2932
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 1708
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4900
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2012
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 1924
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2468
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  PID: 864
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4220
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 664
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1516
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4964
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 4712
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4200
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 3288
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4308
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1064
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 4996
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4076
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /f
  - Process spawned unexpected child process
  PID: 4660
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 2596
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4852
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3384
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3724
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 3144
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2588
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 4112
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 916
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5064
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2184
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3676
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2312
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2912
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 756
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5012
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 1340
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 460
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f
  - Process spawned unexpected child process
  PID: 1588
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4620
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3904
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  PID: 3840
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2680
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID: 2068
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3748
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3844
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4988
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4552
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1840
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3060
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f1⤵
- Creates scheduled task(s)
PID:3656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f1⤵PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /f1⤵
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f1⤵PID:3676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Creates scheduled task(s)
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /f1⤵
- Creates scheduled task(s)
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /f1⤵PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /f1⤵PID:228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f1⤵PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:3100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /f1⤵
- Creates scheduled task(s)
PID:452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1668
Downloads
-
Filesize 1.1MB
MD5 6ddfc9054ea9ffff277554a16756c662
SHA1 7b82b617a47af48ed60f81d8445818cf01adffa8
SHA256 4b776022e8622d4142ad3d70399bc24a759ee8eb7a76ab061666f3062c345ff9
SHA512 c3da51a54a989f2e1ba866595ed6db4f1232a578e0c502c85d0b76392045fa2a997ce33d579c1755fb2af5c750155ecee0ba7f06c5aaf5f8c41a2829a5b67c4a
-
Filesize 1.1MB (the submitted sample itself; listed six times in the report, without paths)
MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.f83148f181f138db59182790125e3550.exe.log
Filesize 1KB
MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize 1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize 717B
MD5 a737bd76933023857186c6582db2c58d
SHA1 fcb0b8e92eb281c16b5f6f77e4c787ab60700575
SHA256 7b63e91a06544d9e6336a34ae231a5351f79b24c0fa3bc9598aaff1ff885c03a
SHA512 a862df8dea0a5f88a2e769f1d3acffdca78471681f996dfedc27c706b89367ea5e751e4d288b4fb5cacf0cf59377b51668c8cd5a90bee843ad882ce8c94e76aa
-
Filesize 493B (listed three times in the report, without paths)
MD5 ee45689b45f8e8ed747675f74714619f
SHA1 1aef6412163004574cdeda35002ec5f0283b4f51
SHA256 df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9
SHA512 d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639
-
Filesize 717B
MD5 bed10a4892c94be5dc10200860828574
SHA1 8a49545fbf6c404e6d40a9aae2663c0bbaaebf3b
SHA256 695cd59cceb324bc5c7526d7ca3193eb8db8f1c70ad7c748ffc4442a93dcd300
SHA512 0876828d374820e864b4c5118d2157846868c510117290fca7334547f545ad1fc6348d9dedbb64786031c0d5c7e574a8b22d64c5364f011461815ca066a41e7b
-
Filesize 240B
MD5 1cd7354c734be69a69312893e8a02f18
SHA1 a56dbe7cec5245ea240328db2d155bc365940b2e
SHA256 27036f9fa3e734ece23d4f3e51c27d4bd400038a45d11c321a8d3a7acea4eca8
SHA512 01919527515fab735755146c38decf92b5e113aefd96c926d99ea410c3d32eab010963d5043b5ecbe171e119b362b4b87c3b5d5bcbc7bcbea75d310877c1c2d3
-
Filesize 1.1MB
MD5 34fe4f639ea17809e3bf767cf63a62d0
SHA1 f3067d86855f145be7b8ca5df2653b6c9499d240
SHA256 f66342e64f9689d5d7fbab44a39880caeeb881e6be35ced12212d9a2b03f8f27
SHA512 cd0b04b69a462121479cc3cf711942346d2191f06947ee76230c6afb8240ad4bd95a4c48029b30819ecab04fe53fe8a44b2ae807b46560ee607d7b6bd183b9a0
-
Filesize 406B
MD5 aa423de80de419ded78a7d1f10acd15d
SHA1 fd6ca3be8a2825a21aeec9001c71e1102089ffe3
SHA256 931e2ee9e20e6ad9f23a4737fe2e5c6a3d8f82560d52bb7301c8e5cf162211ad
SHA512 3a7fe91420d9307828d207551cbcd929f18402c51f1c32fa8df4b8da64dcf14abdfc7206616b83a523874c3bbecb0e092d301f0c20cca714b9b4b0b1d408fe60