Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-btevjshf3z
Target NEAS.f83148f181f138db59182790125e3550.exe
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

Threat Level: Known bad

The file NEAS.f83148f181f138db59182790125e3550.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 01:25

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 01:25

Reported

2023-11-18 01:28

Platform

win7-20231023-en

Max time kernel

156s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (57 identical events, one per schtasks.exe /create listed under Processes) N/A C:\Windows\system32\schtasks.exe

Note: schtasks.exe is a child of WmiPrvSE.exe, not of the sample, so the tasks were created through WMI process creation rather than by the sample calling CreateProcess itself. A parent/child rule keyed on the sample's own image as parent of schtasks.exe will not fire; a WmiPrvSE.exe -> schtasks.exe rule catches all 57.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (14 hits; the sandbox exported no indicator details for this rule)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\en-US\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXE388.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Mail\en-US\RCXEC04.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Mail\en-US\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Internet Explorer\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RCXDCE0.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Mail\en-US\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Mail\en-US\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Internet Explorer\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RCXEE85.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXD212.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Media Player\en-US\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\RCXCB5B.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXE9E1.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\addins\dwm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\addins\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\addins\RCXD8BA.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\addins\dwm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (57 invocations; the full command lines are listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 2780 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
PID 2780 wrote to memory of 2856 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
PID 2780 wrote to memory of 848 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 1764 (3 identical events) N/A C:\Windows\System32\WScript.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
PID 1764 wrote to memory of 3052 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
PID 1764 wrote to memory of 1088 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
PID 3052 wrote to memory of 1116 (3 identical events) N/A C:\Windows\System32\WScript.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
PID 1116 wrote to memory of 1748 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
PID 1116 wrote to memory of 1672 (3 identical events) N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe
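
The WriteProcessMemory rows are the sandbox's record of process creation, so they can be read as parent/child edges: the copy in C:\Users\Public starts WScript.exe with a .vbs, and that WScript.exe starts the Public copy again. The helper below is an added example, not part of this report or of the sandbox: it de-duplicates the raw rows, rebuilds the process lineage, lists every script-host launch of an executable from a user-writable location, and counts the completed exe -> WScript -> exe cycles. The rows embedded as input are the sandbox's raw rows for this table (the three identical writes it logs per process creation are kept to show the de-duplication); the list of user-writable locations is this example's own assumption.

```python
import re

# Constructed sample: raw rows of the WriteProcessMemory table, including the
# repeated rows the sandbox emits for a single process creation.
SAMPLE_ROWS = [
    r"PID 1444 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe",
    r"PID 1444 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe",
    r"PID 1444 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe",
    r"PID 2780 wrote to memory of 2856 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
    r"PID 2780 wrote to memory of 848 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
    r"PID 2856 wrote to memory of 1764 N/A C:\Windows\System32\WScript.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe",
    r"PID 1764 wrote to memory of 3052 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
    r"PID 1764 wrote to memory of 1088 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
    r"PID 3052 wrote to memory of 1116 N/A C:\Windows\System32\WScript.exe C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe",
    r"PID 1116 wrote to memory of 1748 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
    r"PID 1116 wrote to memory of 1672 N/A C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\WScript.exe",
]

# Row layout: "PID <ppid> wrote to memory of <pid> <indicator> <parent image> <child image>".
# The paths on this page contain no spaces; for paths that do, parse the sandbox's JSON export instead.
ROW_RX = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed list of locations an unprivileged user can write to (lower-case substrings).
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Rows -> ordered, de-duplicated (ppid, pid, parent_image, child_image) edges."""
    seen, edges = set(), []
    for row in rows:
        m = ROW_RX.match(row.strip())
        if m and (edge := (int(m[1]), int(m[2]), m[3], m[4])) not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Return (parent map pid -> ppid, image map pid -> path)."""
    parent, image = {}, {}
    for ppid, pid, pimg, cimg in edges:
        parent[pid] = ppid
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    return parent, image


def lineage(pid, parent, image):
    """Image paths from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(image.get(pid, "?"))
        pid = parent.get(pid)
    return chain[::-1]


def script_relaunches(edges):
    """Edges where a script host starts an executable that lives in a user-writable location."""
    return [(ppid, pid, cimg) for ppid, pid, pimg, cimg in edges
            if basename(pimg) in SCRIPT_HOSTS and any(k in cimg.lower() for k in USER_WRITABLE)]


def relaunch_generations(edges):
    """Count exe -> script host -> same exe hops, i.e. completed self-relaunch cycles."""
    parent, image = build_tree(edges)
    gens = 0
    for ppid, pid, pimg, cimg in edges:
        grandparent = parent.get(ppid)
        if (grandparent is not None and basename(pimg) in SCRIPT_HOSTS
                and image[grandparent].lower() == cimg.lower()):
            gens += 1
    return gens


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    parent, image = build_tree(edges)
    print(f"{len(edges)} unique process creations from {len(SAMPLE_ROWS)} rows")
    for ppid, pid, cimg in script_relaunches(edges):
        print(f"script host {ppid} -> {pid}: {cimg}")
    deepest = max(parent, key=lambda p: len(lineage(p, parent, image)))
    print("deepest chain: " + " -> ".join(basename(p) for p in lineage(deepest, parent, image)))
    print(f"self-relaunch cycles completed: {relaunch_generations(edges)}")
```

On this table the chain is Temp copy -> Public copy -> WScript.exe -> Public copy -> WScript.exe -> Public copy, i.e. two completed cycles within the 156 s run, with a second WScript.exe child per generation that spawns nothing. The same edge list can be fed from Sysmon Event ID 1 (ParentProcessId, ProcessId, ParentImage, Image) to hunt for the pattern on live hosts.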

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Recent\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550N" /sc MINUTE /mo 5 /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550" /sc ONLOGON /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550N" /sc MINUTE /mo 13 /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

"C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153b8ef5-273b-46d5-ae29-78e40e0daa59.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b00b66a6-165c-45e7-9f69-ffa465cde458.vbs"

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ceb387-1e95-46bf-9844-32115c4da22b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee962708-473f-440e-b335-e0cd2841c6dd.vbs"

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e4b355-29c6-4cf4-b92d-dfb043007ec3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac5a03a-a28f-4b83-8abc-038eddb96300.vbs"
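
Every dropped copy above gets the same three tasks: one ONLOGON task with /rl HIGHEST, and two MINUTE tasks (one with /rl HIGHEST) that relaunch the binary every few minutes as a watchdog, with the task name derived from the file name ("taskhost" and "taskhostt", "lsass" and "lsassl"). The triage helper below is an added example, not part of this report or of the sandbox: it parses schtasks.exe /create command lines, groups them by target executable, and lists the traits that make each look like dropper persistence. Six of the embedded command lines are copied from the list above and one benign task is made up as a control; the system-binary name list, the System32 prefixes and the 15-minute watchdog threshold are this example's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Names of genuine Windows components that this dropper reuses for its copies.
# Assumption of this example: any of these names outside System32/SysWOW64 deserves a look.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "services.exe", "winlogon.exe", "wininit.exe", "taskhost.exe",
    "dwm.exe", "spoolsv.exe", "audiodg.exe", "lsm.exe", "system.exe", "idle.exe",
}
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHDOG_MAX_MINUTES = 15  # assumed threshold for a "re-launch loop" schedule

# Constructed sample: six command lines copied from the Processes list, plus one
# made-up benign task as a control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WeeklyCleanup" /sc WEEKLY /d SUN /st 03:00 /tr "C:\Windows\System32\cleanmgr.exe" /f''',
]

_FLAGS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r'/sc\s+(\w+)', re.I),
    "mo": re.compile(r'/mo\s+(\d+)', re.I),
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),  # accepts the "'path'" double quoting used above
    "rl": re.compile(r'/rl\s+(\w+)', re.I),
}


def parse_schtasks(cmdline):
    """Return the /create parameters of a schtasks command line, or None for anything else."""
    if not re.search(r'\bschtasks(\.exe)?\b.*/create\b', cmdline, re.I):
        return None
    task = {}
    for key, rx in _FLAGS.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    task["mo"] = int(task["mo"]) if task["mo"] else None
    return task


def assess(task):
    """List the reasons a parsed task looks like dropper persistence; empty means nothing notable."""
    reasons = []
    target = task["tr"] or ""
    low = target.lower()
    name = PureWindowsPath(low).name
    stem = PureWindowsPath(target).stem
    if name in SYSTEM_BINARY_NAMES and not low.startswith(LEGIT_PREFIXES):
        reasons.append(f"system binary name '{name}' outside System32")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if (task["sc"] or "").upper() == "MINUTE" and task["mo"] and task["mo"] <= WATCHDOG_MAX_MINUTES:
        reasons.append(f"re-launched every {task['mo']} min (watchdog schedule)")
    # The dropper names each task after its target file: "taskhost"/"taskhostt", "lsass"/"lsassl".
    if stem and task["tn"] in (stem, stem + stem[0]):
        reasons.append("task name derived from target file name")
    return reasons


def triage(cmdlines):
    """Group tasks by target executable and merge reasons, so one binary with three tasks shows once."""
    report = defaultdict(lambda: {"tasks": 0, "task_names": set(), "reasons": set()})
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None or not task["tr"]:
            continue
        entry = report[task["tr"]]
        entry["tasks"] += 1
        entry["task_names"].add(task["tn"])
        entry["reasons"].update(assess(task))
    return {t: {"tasks": e["tasks"], "task_names": sorted(e["task_names"]), "reasons": sorted(e["reasons"])}
            for t, e in report.items()}


if __name__ == "__main__":
    for target, entry in triage(SAMPLE_CMDLINES).items():
        verdict = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{verdict:10} {target}  tasks={entry['tasks']} names={entry['task_names']}")
        for reason in entry["reasons"]:
            print(f"           - {reason}")
```

Feed it the command-line field of Sysmon Event ID 1 or Security event 4688 records for schtasks.exe; the grouping by target is what makes the three-tasks-per-binary pattern visible even when the 57 creations are spread across an hour of logs.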

Network

Country Destination Domain Proto
RU 5.42.92.132:80 tcp (5 identical connections)

Files

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Program Files\Windows Mail\en-US\lsass.exe

MD5 e74fb4d109aa8dadacbd4d5e51a85bc9
SHA1 cfec51de0d7f03c1ee788a682a4e09c8d3f2d361
SHA256 593a24f68e9efcf094a4e61bad0d4a5285a9459013c836c7a4b3d528568335f9
SHA512 bf70a68c8c38818d931173acaf6f8bfc7e963196d14f03aad212f0ccd0a8bcca58f9ba3054e3c4d5c822820427ed6186df952dca008d98b8d838761b96244a36

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\b00b66a6-165c-45e7-9f69-ffa465cde458.vbs

MD5 9d68d443cc516cb82c5cf50559cf7f38
SHA1 3258da2b6228618529a945c5e9e04cefb1bceb9a
SHA256 d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51
SHA512 41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

C:\Users\Admin\AppData\Local\Temp\153b8ef5-273b-46d5-ae29-78e40e0daa59.vbs

MD5 8aa29192fd80fb01b4667f25d1c4918d
SHA1 f0aa7d140ddfbeb49c1f55daa6690617be3e7b37
SHA256 d26209861186cc05dcb87aa9cf18b0369dda4a529c2a38c8735e09d272a487bd
SHA512 3dc666f9f0fe0ad667ce1b2b1b5afc2136d3bac149a266b66c327379935651bc7110b344d711bff633a7a81ba62d34259aedcf79962d28ca432a5920a31791a7

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\2ef5f5af7dd7205e68f812d2851aa03e2d8785cc.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\ee962708-473f-440e-b335-e0cd2841c6dd.vbs

MD5 9d68d443cc516cb82c5cf50559cf7f38
SHA1 3258da2b6228618529a945c5e9e04cefb1bceb9a
SHA256 d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51
SHA512 41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

C:\Users\Admin\AppData\Local\Temp\37ceb387-1e95-46bf-9844-32115c4da22b.vbs

MD5 2bc0184d1fcefa52a8b463e31611fc1e
SHA1 204d70abaf21ec62ca5986f2d662edcb71e5a898
SHA256 e526d1f7dab7031b70badc6a8726f0bad374edbdad45f4a565dfb706ad10a9df
SHA512 a7908657f21cbb8485c5e691d023efe6b7dcd02001f12ae0e99d565c551d32116c05fe62b568c9aa40718edc8875b7d1ced92a865b8722dbe8273c37d985e2c7

C:\Users\Admin\AppData\Local\Temp\ee962708-473f-440e-b335-e0cd2841c6dd.vbs

MD5 9d68d443cc516cb82c5cf50559cf7f38
SHA1 3258da2b6228618529a945c5e9e04cefb1bceb9a
SHA256 d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51
SHA512 41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\2ef5f5af7dd7205e68f812d2851aa03e2d8785cc.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\e4e4b355-29c6-4cf4-b92d-dfb043007ec3.vbs

MD5 7b9250e8560a0a07fb7d5358912eabaa
SHA1 f8cd47b79cbdc0d888a25fc1fdbafd7ff3a670d1
SHA256 5e4c2e2a5a6fb03daa0c7ffcd6cdcb33ff8151c512612563574905c74169a842
SHA512 2e4095f45ad6387b8e4e24c11369a4691a341204ae5f64b5a92f247c5f0fffdbac027ae1a8ba55a1998deb79521f5295f678e4dd74ac7dfcf36eb73fe8a108a3

C:\Users\Admin\AppData\Local\Temp\1ac5a03a-a28f-4b83-8abc-038eddb96300.vbs

MD5 9d68d443cc516cb82c5cf50559cf7f38
SHA1 3258da2b6228618529a945c5e9e04cefb1bceb9a
SHA256 d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51
SHA512 41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 01:25

Reported

2023-11-18 01:28

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (64 identical entries)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (9 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Templates\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Templates\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Services\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\7-Zip\Lang\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VGX\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Internet Explorer\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Common Files\Services\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCXB220.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\7-Zip\Lang\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Multimedia Platform\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Internet Explorer\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\RCXC36D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VGX\RCXA7BA.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXD300.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\RCXC61E.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\RCXBF45.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Migration\WTR\Registry.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\Migration\WTR\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\Cursors\dllhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\appcompat\encapsulation\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\Cursors\dllhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\Cursors\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\appcompat\encapsulation\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\Migration\WTR\Registry.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\Cursors\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\appcompat\encapsulation\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\Migration\WTR\RCXD738.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File created C:\Windows\Cursors\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
File opened for modification C:\Windows\Cursors\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (64 identical entries)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Users\All Users\Templates\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Users\All Users\Templates\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A (23 identical entries)
N/A N/A C:\Users\All Users\Templates\winlogon.exe N/A (3 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Templates\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Templates\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\cmd.exe
PID 3032 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Windows\System32\cmd.exe
PID 8 wrote to memory of 4892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 8 wrote to memory of 4892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 8 wrote to memory of 4964 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe
PID 8 wrote to memory of 4964 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe
PID 4964 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\All Users\Templates\winlogon.exe
PID 4964 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe C:\Users\All Users\Templates\winlogon.exe
PID 3688 wrote to memory of 4840 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 4840 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 3708 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 3708 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 4840 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Templates\winlogon.exe
PID 4840 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Templates\winlogon.exe
PID 2912 wrote to memory of 2024 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 2024 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4500 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4500 N/A C:\Users\All Users\Templates\winlogon.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hy3B39XMXx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f

C:\Users\All Users\Templates\winlogon.exe

"C:\Users\All Users\Templates\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045eca76-3656-471f-b030-849723d4466a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308aa1bf-4cf9-4895-9303-d003053bda0d.vbs"

C:\Users\All Users\Templates\winlogon.exe

"C:\Users\All Users\Templates\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b7fce0-ff84-4cf9-88e0-a29b4068b307.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.132:80 tcp
RU 5.42.92.132:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 5.42.92.132:80 tcp
RU 5.42.92.132:80 tcp

Files

memory/3032-0-0x0000000000730000-0x000000000085C000-memory.dmp

memory/3032-1-0x00007FFCFA4C0000-0x00007FFCFAF81000-memory.dmp

memory/3032-2-0x000000001B390000-0x000000001B3A0000-memory.dmp

memory/3032-3-0x000000001B350000-0x000000001B36C000-memory.dmp

memory/3032-4-0x000000001BC40000-0x000000001BC90000-memory.dmp

memory/3032-5-0x000000001B370000-0x000000001B380000-memory.dmp

memory/3032-6-0x000000001B3A0000-0x000000001B3B6000-memory.dmp

memory/3032-7-0x000000001B380000-0x000000001B392000-memory.dmp

memory/3032-8-0x000000001C420000-0x000000001C948000-memory.dmp

memory/3032-10-0x000000001BC00000-0x000000001BC0E000-memory.dmp

memory/3032-9-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

C:\Recovery\WindowsRE\dwm.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Default\Music\RCXC159.tmp

MD5 34fe4f639ea17809e3bf767cf63a62d0
SHA1 f3067d86855f145be7b8ca5df2653b6c9499d240
SHA256 f66342e64f9689d5d7fbab44a39880caeeb881e6be35ced12212d9a2b03f8f27
SHA512 cd0b04b69a462121479cc3cf711942346d2191f06947ee76230c6afb8240ad4bd95a4c48029b30819ecab04fe53fe8a44b2ae807b46560ee607d7b6bd183b9a0

C:\Program Files (x86)\Common Files\Services\spoolsv.exe

MD5 6ddfc9054ea9ffff277554a16756c662
SHA1 7b82b617a47af48ed60f81d8445818cf01adffa8
SHA256 4b776022e8622d4142ad3d70399bc24a759ee8eb7a76ab061666f3062c345ff9
SHA512 c3da51a54a989f2e1ba866595ed6db4f1232a578e0c502c85d0b76392045fa2a997ce33d579c1755fb2af5c750155ecee0ba7f06c5aaf5f8c41a2829a5b67c4a

C:\Users\Admin\AppData\Local\Temp\hy3B39XMXx.bat

MD5 1cd7354c734be69a69312893e8a02f18
SHA1 a56dbe7cec5245ea240328db2d155bc365940b2e
SHA256 27036f9fa3e734ece23d4f3e51c27d4bd400038a45d11c321a8d3a7acea4eca8
SHA512 01919527515fab735755146c38decf92b5e113aefd96c926d99ea410c3d32eab010963d5043b5ecbe171e119b362b4b87c3b5d5bcbc7bcbea75d310877c1c2d3

memory/3032-181-0x00007FFCFA4C0000-0x00007FFCFAF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.f83148f181f138db59182790125e3550.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

memory/4964-184-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

memory/4964-185-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

memory/4964-186-0x0000000003050000-0x0000000003062000-memory.dmp

C:\odt\RuntimeBroker.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\odt\9e8d7a4ca61bd9

MD5 aa423de80de419ded78a7d1f10acd15d
SHA1 fd6ca3be8a2825a21aeec9001c71e1102089ffe3
SHA256 931e2ee9e20e6ad9f23a4737fe2e5c6a3d8f82560d52bb7301c8e5cf162211ad
SHA512 3a7fe91420d9307828d207551cbcd929f18402c51f1c32fa8df4b8da64dcf14abdfc7206616b83a523874c3bbecb0e092d301f0c20cca714b9b4b0b1d408fe60

memory/4964-234-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Templates\winlogon.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\All Users\Templates\winlogon.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

memory/4964-298-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

memory/3688-299-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

memory/4964-301-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

memory/3688-300-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

memory/3688-302-0x000000001B820000-0x000000001B832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\045eca76-3656-471f-b030-849723d4466a.vbs

MD5 a737bd76933023857186c6582db2c58d
SHA1 fcb0b8e92eb281c16b5f6f77e4c787ab60700575
SHA256 7b63e91a06544d9e6336a34ae231a5351f79b24c0fa3bc9598aaff1ff885c03a
SHA512 a862df8dea0a5f88a2e769f1d3acffdca78471681f996dfedc27c706b89367ea5e751e4d288b4fb5cacf0cf59377b51668c8cd5a90bee843ad882ce8c94e76aa

C:\Users\Admin\AppData\Local\Temp\308aa1bf-4cf9-4895-9303-d003053bda0d.vbs

MD5 ee45689b45f8e8ed747675f74714619f
SHA1 1aef6412163004574cdeda35002ec5f0283b4f51
SHA256 df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9
SHA512 d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639

memory/3688-312-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

memory/3688-313-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

memory/3688-315-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Templates\winlogon.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/2912-318-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp

memory/2912-319-0x000000001B050000-0x000000001B060000-memory.dmp

memory/2912-320-0x000000001B800000-0x000000001B812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8901282d4c602a9b5b95cb5aeb411efc3b72249.exe

MD5 f83148f181f138db59182790125e3550
SHA1 59af834bd5049062d03068977b90fdd60ab75516
SHA256 8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09
SHA512 fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs

MD5 ee45689b45f8e8ed747675f74714619f
SHA1 1aef6412163004574cdeda35002ec5f0283b4f51
SHA256 df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9
SHA512 d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639

C:\Users\Admin\AppData\Local\Temp\53b7fce0-ff84-4cf9-88e0-a29b4068b307.vbs

MD5 bed10a4892c94be5dc10200860828574
SHA1 8a49545fbf6c404e6d40a9aae2663c0bbaaebf3b
SHA256 695cd59cceb324bc5c7526d7ca3193eb8db8f1c70ad7c748ffc4442a93dcd300
SHA512 0876828d374820e864b4c5118d2157846868c510117290fca7334547f545ad1fc6348d9dedbb64786031c0d5c7e574a8b22d64c5364f011461815ca066a41e7b

C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs

MD5 ee45689b45f8e8ed747675f74714619f
SHA1 1aef6412163004574cdeda35002ec5f0283b4f51
SHA256 df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9
SHA512 d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639

memory/2912-331-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp

memory/2912-332-0x000000001B050000-0x000000001B060000-memory.dmp

memory/2912-333-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp