Analysis
max time kernel: 159s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 02:57
Behavioral tasks
behavioral1: NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe on resource win7-20231023-en
behavioral2: NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe on resource win10v2004-20231020-en (the run reported below; the YARA hits reference behavioral2/)
General
Target: NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Size: 1.4MB
MD5: 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1: 699314bf74a661917771308e7cd6d6b618af2827
SHA256: 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512: 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2564), the WMI provider host: a process whose parent is wmiprvse.exe was started through WMI (normally Win32_Process.Create), so the caller that registered these tasks is not the direct parent and the schtasks.exe entries appear as top-level processes in the process tree below.

description (identical for all 33 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process

pid | pid_target | Process | procid_target
4492 | 2564 | schtasks.exe | 89
4860 | 2564 | schtasks.exe | 89
544 | 2564 | schtasks.exe | 89
3112 | 2564 | schtasks.exe | 89
2324 | 2564 | schtasks.exe | 89
868 | 2564 | schtasks.exe | 89
1508 | 2564 | schtasks.exe | 89
4548 | 2564 | schtasks.exe | 89
4184 | 2564 | schtasks.exe | 89
3336 | 2564 | schtasks.exe | 89
1192 | 2564 | schtasks.exe | 89
3564 | 2564 | schtasks.exe | 89
952 | 2564 | schtasks.exe | 89
4892 | 2564 | schtasks.exe | 89
2404 | 2564 | schtasks.exe | 89
3992 | 2564 | schtasks.exe | 89
3504 | 2564 | schtasks.exe | 89
3844 | 2564 | schtasks.exe | 89
5008 | 2564 | schtasks.exe | 89
884 | 2564 | schtasks.exe | 89
4616 | 2564 | schtasks.exe | 89
4068 | 2564 | schtasks.exe | 89
404 | 2564 | schtasks.exe | 89
4348 | 2564 | schtasks.exe | 89
4848 | 2564 | schtasks.exe | 89
1556 | 2564 | schtasks.exe | 89
4576 | 2564 | schtasks.exe | 89
3868 | 2564 | schtasks.exe | 89
4656 | 2564 | schtasks.exe | 89
1844 | 2564 | schtasks.exe | 89
3528 | 2564 | schtasks.exe | 89
640 | 2564 | schtasks.exe | 89
1348 | 2564 | schtasks.exe | 89
UAC bypass 12 IoCs
All three values live under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 turns UAC off entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets elevation requests succeed without any prompt, and PromptOnSecureDesktop = 0 stops the consent prompt from being shown on the secure desktop. This key is only writable by administrators, so these rows could only be recorded from an already-elevated process.

description | ioc | Process
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
YARA rule dcrat matches 11 IoCs
resource | yara_rule
behavioral2/memory/2424-0-0x0000000000B50000-0x0000000000CBC000-memory.dmp | dcrat
behavioral2/files/0x0006000000022e3a-36.dat | dcrat
behavioral2/files/0x000e000000022d4d-113.dat | dcrat
behavioral2/files/0x000d000000022d50-149.dat | dcrat
behavioral2/files/0x0007000000022e43-158.dat | dcrat
behavioral2/files/0x0008000000022e47-171.dat | dcrat
behavioral2/files/0x0006000000022e41-336.dat | dcrat
behavioral2/files/0x0006000000022e41-335.dat | dcrat
behavioral2/files/0x0006000000022e41-459.dat | dcrat
behavioral2/files/0x000c000000022e5e-469.dat | dcrat
behavioral2/files/0x0006000000022e41-487.dat | dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Executes dropped EXE 3 IoCs
pid | Process
5504 | StartMenuExperienceHost.exe
5360 | StartMenuExperienceHost.exe
2700 | StartMenuExperienceHost.exe
Checks whether UAC is enabled 8 IoCs
Each process reads EnableLUA and then writes it to 0; all values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

description | ioc | Process
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Key value queried | ...\Policies\System\EnableLUA | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Key value queried | ...\Policies\System\EnableLUA | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Key value queried | ...\Policies\System\EnableLUA | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Key value queried | ...\Policies\System\EnableLUA | StartMenuExperienceHost.exe
Drops file in Program Files directory 25 IoCs
All 25 rows are attributed to NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe. The copies reuse the names of Windows binaries (csrss.exe, RuntimeBroker.exe, backgroundTaskHost.exe, StartMenuExperienceHost.exe) in directories where those binaries never live; the RCX*.tmp entries are transient files in the same directories, and each dropped executable is accompanied by a file with a short hexadecimal name (886983d96e3d3e, eddb19405b7ce1, 9e8d7a4ca61bd9, 55b276f4edf653) that is worth collecting alongside it.

description | ioc
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC40.tmp
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCX2D2.tmp
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCX2E2.tmp
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXA1B.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXFC82.tmp
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCCE.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\886983d96e3d3e
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXFC83.tmp
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RCXFE98.tmp
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RCXFE99.tmp
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\55b276f4edf653
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\55b276f4edf653
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXA2C.tmp
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Drops file in Windows directory 6 IoCs
All 6 rows are attributed to NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe.

description | ioc
File created | C:\Windows\Resources\Ease of Access Themes\System.exe
File created | C:\Windows\Resources\Ease of Access Themes\27d1bcfc3c54e0
File opened for modification | C:\Windows\Resources\Ease of Access Themes\RCX4F7.tmp
File opened for modification | C:\Windows\Resources\Ease of Access Themes\RCX584.tmp
File opened for modification | C:\Windows\Resources\Ease of Access Themes\System.exe
File created | C:\Windows\ImmersiveControlPanel\es-ES\services.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid (Process = schtasks.exe for all 33): 4184, 952, 3868, 2404, 404, 4656, 4860, 1508, 3336, 4068, 4848, 1844, 868, 3564, 4892, 4576, 544, 3844, 4348, 640, 3112, 1556, 3528, 4492, 4548, 1192, 5008, 884, 4616, 1348, 2324, 3992, 3504
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 rows collapsed by pid (the listing is almost entirely the sample itself, with the powershell.exe entries interleaved near the end):

pid | Process | rows
2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 57
3456 | powershell.exe | 2
2700 | powershell.exe | 2
4532 | powershell.exe | 2
3844 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 2700 | powershell.exe
Token: SeDebugPrivilege | 4532 | powershell.exe
Token: SeDebugPrivilege | 3844 | powershell.exe
Token: SeDebugPrivilege | 3816 | powershell.exe
Token: SeDebugPrivilege | 1012 | powershell.exe
Token: SeDebugPrivilege | 2972 | powershell.exe
Token: SeDebugPrivilege | 1816 | powershell.exe
Token: SeDebugPrivilege | 1848 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 1756 | powershell.exe
Token: SeDebugPrivilege | 4644 | powershell.exe
Token: SeDebugPrivilege | 5504 | StartMenuExperienceHost.exe
Token: SeDebugPrivilege | 5360 | StartMenuExperienceHost.exe
Token: SeDebugPrivilege | 2700 | StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory 42 IoCs
Every target PID below is the writer's own direct child in the process tree, so these are the memory writes that accompany process creation, not injection into an unrelated process. Each pair is reported twice in the original listing (21 distinct pairs).

description | pid | Process | procid_target
PID 2424 wrote to memory of 4644 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 129
PID 2424 wrote to memory of 3456 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 130
PID 2424 wrote to memory of 1848 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 132
PID 2424 wrote to memory of 3844 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 151
PID 2424 wrote to memory of 1012 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 150
PID 2424 wrote to memory of 4532 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 149
PID 2424 wrote to memory of 1756 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 148
PID 2424 wrote to memory of 2268 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 147
PID 2424 wrote to memory of 3816 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 133
PID 2424 wrote to memory of 2700 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 146
PID 2424 wrote to memory of 2972 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 145
PID 2424 wrote to memory of 1816 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 136
PID 2424 wrote to memory of 5504 | 2424 | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | 155
PID 5504 wrote to memory of 5672 | 5504 | StartMenuExperienceHost.exe | 156
PID 5504 wrote to memory of 5600 | 5504 | StartMenuExperienceHost.exe | 157
PID 5672 wrote to memory of 5360 | 5672 | WScript.exe | 160
PID 5360 wrote to memory of 5376 | 5360 | StartMenuExperienceHost.exe | 161
PID 5360 wrote to memory of 5308 | 5360 | StartMenuExperienceHost.exe | 162
PID 5376 wrote to memory of 2700 | 5376 | WScript.exe | 166
PID 2700 wrote to memory of 2924 | 2700 | StartMenuExperienceHost.exe | 170
PID 2700 wrote to memory of 3964 | 2700 | StartMenuExperienceHost.exe | 171
System policy modification 1 TTPs 12 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

description | ioc | Process
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | StartMenuExperienceHost.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
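The signatures above describe four behaviours a detection engineer would want to catch on a live host rather than only in a sandbox: schtasks.exe being spawned by wmiprvse.exe, Windows Defender folder exclusions added with Add-MpPreference, UAC policy values written to 0, and well-known Windows image names executing from directories where they never live. The block below is an added example, not part of this report or of any sandbox's code: it implements those four rules and runs them over a handful of constructed Sysmon-style events whose paths and command lines are copied from this report. The Event schema, its field names and the EXPECTED_DIRS allow-list are assumptions made for the example.

```python
import ntpath
import shlex
from dataclasses import dataclass


@dataclass
class Event:
    """Assumed event shape for this example (not the sandbox's schema)."""
    kind: str                  # "process" (creation) or "registry" (value set)
    image: str = ""            # full path of the created / writing process
    parent_image: str = ""
    command_line: str = ""
    target: str = ""           # registry value path, "registry" events only
    value: str = ""            # data written, "registry" events only


# wmiprvse.exe only acquires children when a caller runs Win32_Process.Create over WMI.
SUSPICIOUS_PARENT_CHILD = {("wmiprvse.exe", "schtasks.exe")}
# Values under HKLM\...\Policies\System; "0" in any of them weakens or disables UAC.
UAC_POLICY_NAMES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Where these well-known image names legitimately live (assumed allow-list, lower-case).
EXPECTED_DIRS = {
    "csrss.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "dllhost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "backgroundtaskhost.exe": (r"c:\windows\system32",),
    "startmenuexperiencehost.exe": (r"c:\windows\systemapps",),
}


def _name(path):
    return ntpath.basename(path).lower()


def _tokens(cmd):
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped afterwards.
    return [t.strip('"').strip("'") for t in shlex.split(cmd, posix=False)]


def check_parent_child(ev):
    pair = (_name(ev.parent_image), _name(ev.image))
    if pair in SUSPICIOUS_PARENT_CHILD:
        return f"{pair[0]} spawned {pair[1]}: process created through WMI"
    return None


def check_defender_exclusion(ev):
    if "add-mppreference" not in ev.command_line.lower():
        return None
    toks = _tokens(ev.command_line)
    for i, t in enumerate(toks[:-1]):
        if t.lower().startswith("-exclusion"):
            return f"Defender exclusion added: {t} {toks[i + 1]}"
    return "Add-MpPreference invoked"


def check_uac_policy(ev):
    key, _, name = ev.target.rpartition("\\")
    if key.lower().endswith(r"\policies\system") and name.lower() in UAC_POLICY_NAMES and ev.value == "0":
        return f"UAC weakened: {name} set to 0"
    return None


def check_masquerade(ev):
    allowed = EXPECTED_DIRS.get(_name(ev.image))
    if allowed is None or ntpath.dirname(ev.image).lower().startswith(allowed):
        return None
    return f"{_name(ev.image)} running from unexpected directory {ntpath.dirname(ev.image)}"


RULES = {
    "process": (check_parent_child, check_defender_exclusion, check_masquerade),
    "registry": (check_uac_policy,),
}


def evaluate(events):
    """Return (event index, finding) pairs for every rule that fires."""
    return [(idx, hit) for idx, ev in enumerate(events)
            for hit in (rule(ev) for rule in RULES.get(ev.kind, ())) if hit]


# Constructed events mirroring rows of this report (paths and command lines copied from it),
# plus one benign control that must not fire.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\system32\schtasks.exe",
          parent_image=r"C:\Windows\system32\wbem\wmiprvse.exe",
          command_line=r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f'''),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe",
          command_line="\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"),
    Event("registry", image=r"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          value="0"),
    Event("process", image=r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe",
          parent_image=r"C:\Windows\System32\WScript.exe",
          command_line=r'"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"'),
    Event("process", image=r"C:\Windows\System32\RuntimeBroker.exe",  # benign control
          parent_image=r"C:\Windows\System32\svchost.exe",
          command_line=r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
]

if __name__ == "__main__":
    for idx, finding in evaluate(SAMPLE_EVENTS):
        print(idx, finding)
```

The parent/child rule is the cheapest and most specific of the four: on a workstation there is no benign reason for wmiprvse.exe to launch schtasks.exe. The masquerade rule depends entirely on the allow-list being accurate for the OS build in question, so treat EXPECTED_DIRS as something to derive from a clean reference image rather than from this snippet.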
Processes
How to read the tree: the bracketed number is the depth the report showed as 1⤵, 2⤵ and so on. PIDs are reused within the run (2700 appears as both powershell.exe and StartMenuExperienceHost.exe, 3844 as both powershell.exe and schtasks.exe), so correlate on PID together with image path and parent rather than on PID alone. The twelve powershell.exe children each add one Windows Defender folder exclusion; the first, 'C:/', already covers the whole system drive, so the other eleven are redundant with it. The schtasks.exe entries sit at depth 1 because their parent, wmiprvse.exe (PID 2564), is not part of the sample's own tree.
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2424

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 4644

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3456

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 1848

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 3816

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 1816

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 2972

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2700

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 2268

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 1756

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4532

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        - Suspicious use of AdjustPrivilegeToken
        PID: 1012

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3844

    [2] C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 5504

        [3] C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db891c56-9be3-4948-8d71-ef50d2690d66.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 5672

            [4] C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
                "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
                - UAC bypass
                - Checks computer location settings
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 5360

                [5] C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\749528d9-d491-47f5-aee3-c6ad106a9dbe.vbs"
                    - Suspicious use of WriteProcessMemory
                    PID: 5376

                    [6] C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
                        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
                        - UAC bypass
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Modifies registry class
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        - System policy modification
                        PID: 2700

                        [7] C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb357d0b-eebf-485b-97b5-712a2ed5cbba.vbs"
                            PID: 2924

                        [7] C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d425b5-178e-4d9b-8bfe-4349d79ee7f3.vbs"
                            PID: 3964

                [5] C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs"
                    PID: 5308

        [3] C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229c264e-eaa2-4747-8101-d27050df70c4.vbs"
            PID: 5600

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4492

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4860

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 544

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3112

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2324

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 868

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1508

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4548

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4184

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3336

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1192

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3564

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 952

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4892

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2404

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3992

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3504

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3844

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 5008

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\odt\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
- Bypass User Account Control: 1
- Scheduled Task/Job: 1
Downloads
-
Filesize 1.4MB
MD5 1ecfae0fc756d98d3d8892e610af1e21
SHA1 4a6a2ff7d044f4ae1dac43c4b116cc6adb8bebbc
SHA256 532d50a9c11b17415c6d1ff2fadec8513962fa60811815179425319ef510f7ee
SHA512 c3b12bb1c537e931e822a60319568abc740193b8ea4861451c2636c5ccc727e0e484ba89e56f1cef4689d8c578300e097142e676eb3a39979de54bab03cc4439
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 1.4MB
MD5 aaf836b48a20837229d669d91b1e6c37
SHA1 9aa0ba258afc28939a271e6a809bfc95645287a3
SHA256 66afac73bf70cb149180ebc2b44269998eded52254c01f707e41c4b39181ea38
SHA512 407b6b5de69618c1c4b1abaecb7f77bdc360fa60323c7ccdd5724cd30bd584df3e0fe61779335bc55f561e527957e5a380693e6045d4c4c200c1f72d23a482f2
-
Filesize 1KB
MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
Filesize 944B
MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 944B
MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize 545B
MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d
-
Filesize 545B
MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d
-
Filesize 545B
MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d
-
Filesize 769B
MD5 842cd4719713fc8a4042cbae3ffa046e
SHA1 34242f42686f484dbfd549fc471c81890630db60
SHA256 668a5a3c5df19c798475cd5aee11d05331bd9b8617affc2e9a4fcc1d28f0bfd8
SHA512 ea9a5d90dd8eac04f3dfb1761ded5caeefd299322fcbd32ff487070a49707b120762d2a769447be846691eba8968107813622bd7b6a73453ba60713a69e81fbd
-
Filesize 545B
MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 769B
MD5 1dfc292a98891f836f589fe53d139f74
SHA1 806b3f6a003e0519594d1c60b0ba6fdcdca4746a
SHA256 1d953e61f09dc1489bce5da7708092eb983f163f185144f57f754812189f74a8
SHA512 69f3ec7ea0b13d13dcf80cc77c62b96f97a3c7df20dc043396a13eacb99b59d1119eeb4b759d31c63379209b51cd99c396aa1572aa70e1faac11c66bd6dc781f
-
Filesize 769B
MD5 a86c25657d7182ff4e92546a5c26ba03
SHA1 fd8960561484d309747d731e3f47241aa0b4ead1
SHA256 7cdad492f7ab3baa12cc31b72611986a63d8e18b65dace5979d7e1c964a02f69
SHA512 18738c0a0da53c640bcfbae970fb34dc3ee11d4588e97222a8ce908d5a586b83381ebf46a0833847541c15077f5542d5c8059933b7c9c613b173603107aaa558
-
Filesize 1.4MB
MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93
-
Filesize 1.4MB
MD5 9c3caf358a154b0ad16b39bc268e8fa0
SHA1 5aed72c786c54abf6437dbfd3929ad633bd7b940
SHA256 a521c3be86728c55f9aac6c330dbd704dc1927beb312236f34b0cb5482295d96
SHA512 44dad40780500dd6b2705979d66058e82c04fce82e425f0a1b8e0841be37e7038fc15c0d14db99851b6bf1602a7f25a9941b3097b52350efb303f508ac12765a
-
Filesize 1.4MB
MD5 eb54b734dce6b99765cfb815d9de9bb2
SHA1 5ab3d016e9c75fc465c3c742503a3b06e44bef85
SHA256 502bd19b4632ec42df5ca0c541b0b02d7aeefc302d41c8d4b35e8c5d084cc87f
SHA512 725af1e9bbbcfcca5b76a9f8cfd903edf962c9399143249728ce904ec5a1822af1572ad24fee83ad16c358054c65aaa944ed59be7f87b7b76163a3d0709a6f58