Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/11/2023, 02:31

Behavioral task: behavioral1
- Sample: NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
- Resource: win10v2004-20231020-en

General
- Target: NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
- Size: 1.4MB
- MD5: 12512b9fc15ed49fb1066046fb8fed90
- SHA1: 480b04304f83fa8b96d28e060068fbc11c9b3a05
- SHA256: cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
- SHA512: d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9
- SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4164 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3320 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4480 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3492 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3360 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3456 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4552 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3888 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4228 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4680 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4248 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4740 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4556 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3520 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3936 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3304 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4956 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4276 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4312 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4888 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 968 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3540 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3744 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5072 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3188 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1236 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1312 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3672 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 1484 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 1484 | schtasks.exe | 90
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
-
resource | yara_rule
behavioral2/memory/760-0-0x0000000000590000-0x00000000006FC000-memory.dmp | dcrat
behavioral2/files/0x0009000000022d69-40.dat | dcrat
behavioral2/files/0x0007000000022e59-96.dat | dcrat
behavioral2/files/0x00070000000223f5-142.dat | dcrat
behavioral2/files/0x0009000000022e46-180.dat | dcrat
behavioral2/files/0x000a000000022e50-203.dat | dcrat
behavioral2/files/0x0007000000022e62-237.dat | dcrat
behavioral2/files/0x000a000000022e50-461.dat | dcrat
behavioral2/files/0x000a000000022e50-462.dat | dcrat
behavioral2/files/0x000a000000022e50-488.dat | dcrat
behavioral2/files/0x0011000000022e97-498.dat | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
-
Executes dropped EXE 2 IoCs
pid | Process
5436 | backgroundTaskHost.exe
5132 | backgroundTaskHost.exe
-
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
-
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files\Windows Media Player\Visualizations\sysmon.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX3ACA.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX400E.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX408C.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files\Windows Media Player\Visualizations\sysmon.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX3AFA.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\9e8d7a4ca61bd9 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files\Windows Media Player\Visualizations\RCX2ECD.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files\Windows Media Player\Visualizations\121e5b5079f7c0 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Program Files\Windows Media Player\Visualizations\RCX2EBC.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\L2Schemas\RCX2484.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Windows\L2Schemas\System.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Windows\L2Schemas\System.exe | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File created | C:\Windows\L2Schemas\27d1bcfc3c54e0 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
File opened for modification | C:\Windows\L2Schemas\RCX2464.tmp | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (54 instances)
pids: 3936, 4312, 3492, 1984, 2796, 2200, 3320, 1552, 2988, 4552, 3888, 4276, 1236, 4860, 1688, 2764, 1312, 3672, 1936, 2712, 3520, 3304, 2332, 3188, 4680, 4556, 3744, 5072, 1692, 2860, 3316, 4228, 4956, 3456, 2172, 1372, 3360, 3540, 4952, 4888, 2660, 2192, 4164, 4480, 2284, 1548, 968, 2844, 4248, 4740, 3656, 2128, 212, 2180
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | backgroundTaskHost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe (this row is repeated 64 times in the report, once per IoC)
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Token: SeDebugPrivilege | 3136 | powershell.exe
Token: SeDebugPrivilege | 1660 | powershell.exe
Token: SeDebugPrivilege | 3492 | powershell.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 404 | powershell.exe
Token: SeDebugPrivilege | 644 | powershell.exe
Token: SeDebugPrivilege | 4168 | powershell.exe
Token: SeDebugPrivilege | 3020 | powershell.exe
Token: SeDebugPrivilege | 932 | powershell.exe
Token: SeDebugPrivilege | 3004 | powershell.exe
Token: SeDebugPrivilege | 4808 | powershell.exe
Token: SeDebugPrivilege | 5436 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 5132 | backgroundTaskHost.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
description | pid | Process | procid_target
PID 760 wrote to memory of 4808 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 154
PID 760 wrote to memory of 4808 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 154
PID 760 wrote to memory of 3492 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 155
PID 760 wrote to memory of 3492 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 155
PID 760 wrote to memory of 644 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 156
PID 760 wrote to memory of 644 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 156
PID 760 wrote to memory of 3004 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 157
PID 760 wrote to memory of 3004 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 157
PID 760 wrote to memory of 3020 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 158
PID 760 wrote to memory of 3020 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 158
PID 760 wrote to memory of 404 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 176
PID 760 wrote to memory of 404 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 176
PID 760 wrote to memory of 2144 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 175
PID 760 wrote to memory of 2144 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 175
PID 760 wrote to memory of 2412 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 174
PID 760 wrote to memory of 2412 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 174
PID 760 wrote to memory of 4168 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 159
PID 760 wrote to memory of 4168 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 159
PID 760 wrote to memory of 932 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 173
PID 760 wrote to memory of 932 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 173
PID 760 wrote to memory of 1660 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 172
PID 760 wrote to memory of 1660 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 172
PID 760 wrote to memory of 3136 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 170
PID 760 wrote to memory of 3136 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 170
PID 760 wrote to memory of 3776 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 178
PID 760 wrote to memory of 3776 | 760 | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe | 178
PID 3776 wrote to memory of 5952 | 3776 | cmd.exe | 180
PID 3776 wrote to memory of 5952 | 3776 | cmd.exe | 180
PID 3776 wrote to memory of 5436 | 3776 | cmd.exe | 181
PID 3776 wrote to memory of 5436 | 3776 | cmd.exe | 181
PID 5436 wrote to memory of 5832 | 5436 | backgroundTaskHost.exe | 183
PID 5436 wrote to memory of 5832 | 5436 | backgroundTaskHost.exe | 183
PID 5436 wrote to memory of 5908 | 5436 | backgroundTaskHost.exe | 184
PID 5436 wrote to memory of 5908 | 5436 | backgroundTaskHost.exe | 184
PID 5832 wrote to memory of 5132 | 5832 | WScript.exe | 190
PID 5832 wrote to memory of 5132 | 5832 | WScript.exe | 190
PID 5132 wrote to memory of 4448 | 5132 | backgroundTaskHost.exe | 194
PID 5132 wrote to memory of 4448 | 5132 | backgroundTaskHost.exe | 194
PID 5132 wrote to memory of 5032 | 5132 | backgroundTaskHost.exe | 195
PID 5132 wrote to memory of 5032 | 5132 | backgroundTaskHost.exe | 195
-
System policy modification 1 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 760

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 4808

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 3492

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 644

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 3004

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 3020

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 4168

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 3136

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 1660

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 932

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2412

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2144

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 404

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5Gj8VmPD3.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3776

    C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 5952

    C:\odt\backgroundTaskHost.exe
      Command line: "C:\odt\backgroundTaskHost.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 5436

      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b1d779-692b-4770-8bbb-2d46d5b7df9a.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 5832

        C:\odt\backgroundTaskHost.exe
          Command line: C:\odt\backgroundTaskHost.exe
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 5132

          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4db556d6-1db3-4f25-9272-2e713f3a6062.vbs"
            PID: 4448

          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs"
            PID: 5032

      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc67fda2-50a5-4cc2-bb40-cd4b18ed469f.vbs"
        PID: 5908

C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\odt\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\odt\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize 1.4MB
MD5 a6aed1429a806016f08a6f39a17cd1e8
SHA1 fa09aa2f6eeeac777e0d86afcc943309a425d056
SHA256 00b7a0580d1c12c142be5f12cab1ba1672b6bfb0a2543d372e095569093197f2
SHA512 7340be3706b5304350ae7a3f18a4cec8fc7226f0d2a6a43428ba3b59a34dd0a547258c4919463a59a75323a97536daad98deee9becb36ff852308ab2598b1b10
-
Filesize 1KB
MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize 944B
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize 705B
MD5 9a31c951f04889231e8d26a196fb5514
SHA1 66a121716fb6c653cf96f2da52ace7a3beea20d4
SHA256 10c27c103d11dd7475be13690f65a0bb688a58875023ae8e3a126c4fceb25166
SHA512 afa83c8a1e4e2fb62d5ec4697edecbdbf3b5d6ae2ed3bb4f6eb84bee2d54458dd9e0338e0ce14a466023e37b9538897f3c662285090ff69e88677cfcc2f4b985
-
Filesize 481B
MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024
-
Filesize 481B
MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024
-
Filesize 194B
MD5 93cc5e6659b0d5f81a607be4b7f66862
SHA1 9cface1233684dbda38366bb6876e9a833b18b62
SHA256 bd8f7a3fa6d6e46befb0f43ba3ed9ff6dd16ceca5de17f7faeae9e45d4c3f884
SHA512 caecd5e1ff367aff4faa9b7f173cbd78142ef5a004962ba21fbb9ea6ec79730b855b67253479ca7b3d01b8de1c5bf4ffde8956d3551c1fc273bdbf31d7c4ca4c
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 1.4MB
MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028
-
Filesize 481B
MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024
-
Filesize 705B
MD5 2a95f82ae5efa9d75b75df78cdf6ea47
SHA1 1a57cfa6e27aa91a6c5ef80aba247548ad96360b
SHA256 9065b36e9226c6cc91372503b304760d5b5f7c14cec559c0293181269d2642b9
SHA512 5fceff9b454577e1634d5a09bcca0e30224a68c1d47ef6441afa99845bc30a7ad430f9f7e4d2c77c3e6ddfcfbb38be3ed8fb1929eb5f88f9d9bb0dc34ca36555
-
Filesize 1.4MB
MD5 e36003ccaeed48476f1bb1aa4ec6bfe2
SHA1 8154f23ec6b4a8df17c0edb982dc0e200b28251c
SHA256 0f90b25254754f6c988153efbbc26b9a3f121f15c638249b06962ce52c066b58
SHA512 0b9f951acd8df55d62c6c2d1bb1a35a461e3d60a734391d07bf75ce53a55e25be493a8e8324f5bb10bd156d6f7acae4436a5ecfd38cb0f5953ee25253c898258
-
Filesize 1.4MB
MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9
-
Filesize 1.4MB
MD5 c460c9d52f216a2d7a43e9bcef493df2
SHA1 5cecd227f317c2131734e9ea69a6c59e7f17cd8b
SHA256 bf8af2bd976f2fcc0648edc2d7537b8f7739e7c12593f6af8a981c13f0658f7c
SHA512 ce212460d735bd8fb08b0dee9cde7d69fc3d1f00fa7f8f9da4781c71a52959a5349a8bea985ad607cc92bfe2e41c6c049ff8d76d879a260a61f87222b2c270d1
-
Filesize 1.4MB
MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028
-
Filesize 1.4MB
MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028
-
Filesize 1.4MB
MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028
-
Filesize 1.4MB
MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028
-
Filesize 1.4MB
MD5 bda00b2e1ce2afc699185e3babb0c967
SHA1 7c15c36a61e8ec824d59e3cead34b10d7bb23fa3
SHA256 1c1bd72699bfa0b02e2f1523d0f93f65339309655f4d61b80aa8cc6de7c604ee
SHA512 681748916cb9d6d967ef192837e8e7d8cfc0c8f37a2555d6f16c787a50aeca9b2369d113f856adfa0a191a1f5f876f3882048d2b186de4c6ccf841af671c169c