Analysis
- max time kernel: 167s
- max time network: 184s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 18/11/2023, 03:19
Behavioral task: behavioral1
- Sample: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
- Size: 1.4MB
- MD5: 0e28ad7c051feab83c13d21b648a8d60
- SHA1: ed5e0a9db6860af386c099452870856b649d2841
- SHA256: 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
- SHA512: 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
- SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 42 rows share the same description ("Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"), pid_target 2496, Process schtasks.exe and procid_target 27; they differ only in the pid of the spawned schtasks.exe:
2524, 2588, 2724, 2680, 2508, 2564, 2972, 2472, 2040, 2764, 528, 2844, 1136, 2860, 1892, 1668, 1648, 2000, 440, 568, 632, 2784, 2404, 1500, 624, 1760, 1228, 1448, 2324, 2140, 2240, 2064, 872, 1400, 1880, 2376, 1804, 2288, 2032, 1612, 2388, 1684
UAC bypass (9 IoCs)
description | ioc | Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Set value (int) | PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | PromptOnSecureDesktop = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | EnableLUA = "0" | smss.exe
Set value (int) | PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | EnableLUA = "0" | smss.exe
resource | yara_rule
behavioral1/memory/2008-0-0x00000000000C0000-0x000000000022C000-memory.dmp | dcrat
behavioral1/files/0x0006000000015e34-33.dat | dcrat
behavioral1/files/0x0007000000018ab2-120.dat | dcrat
behavioral1/files/0x0007000000016057-166.dat | dcrat
behavioral1/files/0x00070000000167ef-184.dat | dcrat
behavioral1/files/0x000a0000000167ef-214.dat | dcrat
behavioral1/files/0x00070000000120ed-307.dat | dcrat
behavioral1/files/0x00070000000120ed-306.dat | dcrat
behavioral1/memory/1132-311-0x00000000008A0000-0x0000000000A0C000-memory.dmp | dcrat
behavioral1/files/0x00070000000120ed-408.dat | dcrat
behavioral1/files/0x000a000000016cb7-417.dat | dcrat
Executes dropped EXE (2 IoCs)
pid | Process
1132 | smss.exe
2108 | smss.exe
Checks whether UAC is enabled (6 IoCs)
description | ioc | Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Key value queried | EnableLUA | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Key value queried | EnableLUA | smss.exe
Set value (int) | EnableLUA = "0" | smss.exe
Key value queried | EnableLUA | smss.exe
Set value (int) | EnableLUA = "0" | smss.exe
Drops file in Program Files directory (20 IoCs)
description | ioc
The Process column is NEAS.0e28ad7c051feab83c13d21b648a8d60.exe for every row.
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
File created | C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDED6.tmp
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\RCXEE07.tmp
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f
File created | C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDE58.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD5D7.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD5E8.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDC34.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDC44.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\RCXFA29.tmp
Drops file in Windows directory (26 IoCs)
description | ioc
The Process column is NEAS.0e28ad7c051feab83c13d21b648a8d60.exe for every row.
File opened for modification | C:\Windows\it-IT\Idle.exe
File created | C:\Windows\SoftwareDistribution\services.exe
File created | C:\Windows\SoftwareDistribution\c5b4cb5e9653cc
File opened for modification | C:\Windows\TAPI\RCXE971.tmp
File opened for modification | C:\Windows\SoftwareDistribution\RCXC37.tmp
File opened for modification | C:\Windows\SoftwareDistribution\RCXC38.tmp
File created | C:\Windows\it-IT\6ccacd8608530f
File opened for modification | C:\Windows\TAPI\smss.exe
File opened for modification | C:\Windows\en-US\RCXFC2C.tmp
File opened for modification | C:\Windows\en-US\RCXFC3D.tmp
File created | C:\Windows\TAPI\69ddcba757bf72
File created | C:\Windows\en-US\csrss.exe
File opened for modification | C:\Windows\SoftwareDistribution\services.exe
File opened for modification | C:\Windows\it-IT\RCX12D3.tmp
File created | C:\Windows\TAPI\smss.exe
File created | C:\Windows\en-US\886983d96e3d3e
File opened for modification | C:\Windows\Globalization\RCXA23.tmp
File opened for modification | C:\Windows\Globalization\csrss.exe
File created | C:\Windows\it-IT\Idle.exe
File opened for modification | C:\Windows\it-IT\RCX12D2.tmp
File created | C:\Windows\rescache\csrss.exe
File created | C:\Windows\Globalization\csrss.exe
File created | C:\Windows\Globalization\886983d96e3d3e
File opened for modification | C:\Windows\TAPI\RCXE982.tmp
File opened for modification | C:\Windows\en-US\csrss.exe
File opened for modification | C:\Windows\Globalization\RCXA24.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
The Process column is schtasks.exe for every row; the 42 pids are:
624, 1228, 2288, 2524, 2472, 632, 2784, 1500, 1684, 2588, 2564, 1668, 568, 2680, 2860, 2240, 1880, 1804, 2724, 2844, 1892, 1648, 2388, 2376, 1612, 2000, 2404, 1448, 2064, 1400, 2040, 1136, 2032, 2764, 528, 2140, 872, 2508, 2972, 440, 1760, 2324
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe (this same row is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Token: SeDebugPrivilege | 304 | powershell.exe
Token: SeDebugPrivilege | 2948 | powershell.exe
Token: SeDebugPrivilege | 732 | powershell.exe
Token: SeDebugPrivilege | 2184 | powershell.exe
Token: SeDebugPrivilege | 2488 | powershell.exe
Token: SeDebugPrivilege | 2544 | powershell.exe
Token: SeDebugPrivilege | 1656 | powershell.exe
Token: SeDebugPrivilege | 1064 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 928 | powershell.exe
Token: SeDebugPrivilege | 1148 | powershell.exe
Token: SeDebugPrivilege | 2724 | powershell.exe
Token: SeDebugPrivilege | 1132 | smss.exe
Token: SeDebugPrivilege | 2108 | smss.exe
Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target
Each row below appears three times in the report (60 entries covering 20 distinct write events).
PID 2008 wrote to memory of 2544 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 72
PID 2008 wrote to memory of 2724 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 73
PID 2008 wrote to memory of 2184 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 75
PID 2008 wrote to memory of 304 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 74
PID 2008 wrote to memory of 1680 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 93
PID 2008 wrote to memory of 1148 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 76
PID 2008 wrote to memory of 1656 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 91
PID 2008 wrote to memory of 732 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 90
PID 2008 wrote to memory of 928 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 77
PID 2008 wrote to memory of 1064 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 78
PID 2008 wrote to memory of 2948 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 89
PID 2008 wrote to memory of 2488 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 79
PID 2008 wrote to memory of 2800 | 2008 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 96
PID 2800 wrote to memory of 1856 | 2800 | cmd.exe | 98
PID 2800 wrote to memory of 1132 | 2800 | cmd.exe | 99
PID 1132 wrote to memory of 2024 | 1132 | smss.exe | 100
PID 1132 wrote to memory of 876 | 1132 | smss.exe | 101
PID 2024 wrote to memory of 2108 | 2024 | WScript.exe | 102
PID 2108 wrote to memory of 2772 | 2108 | smss.exe | 103
PID 2108 wrote to memory of 2448 | 2108 | smss.exe | 104
System policy modification (1 TTPs, 9 IoCs)
description | ioc | Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Set value (int) | ConsentPromptBehaviorAdmin = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | EnableLUA = "0" | smss.exe
Set value (int) | EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | PromptOnSecureDesktop = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Set value (int) | EnableLUA = "0" | smss.exe
Set value (int) | PromptOnSecureDesktop = "0" | smss.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2008
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2544

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2724

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 304

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2184

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 1148

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 928

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 1064

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2488

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 2948

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 732

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 1656

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Suspicious use of AdjustPrivilegeToken
    PID: 1680
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2800

    C:\Windows\system32\w32tm.exe (depth 3)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1856
    C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe (depth 3)
      Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 1132

      C:\Windows\System32\WScript.exe (depth 4)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021a110-1943-4e92-950f-57a501d99bef.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 2024

        C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe (depth 5)
          Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2108

          C:\Windows\System32\WScript.exe (depth 6)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fdd770e-3515-4faa-a034-ba35e8489e30.vbs"
            PID: 2772

          C:\Windows\System32\WScript.exe (depth 6)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\315314a6-b10b-4bcf-9d64-428d03b0c61b.vbs"
            PID: 2448

      C:\Windows\System32\WScript.exe (depth 4)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ecb051-08ae-45de-9a05-c3a3735e1d76.vbs"
        PID: 876
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2524

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2588

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2724

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2680

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2508

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2564

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2972

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2472

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2040

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2764

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 528
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684
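The schtasks lines above all follow one template: the payload is copied under the name of a core Windows process (lsm, csrss, smss, services, sppsvc, or the pseudo-process names System and Idle) into a directory where that binary never lives, and three tasks are registered per copy: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST that reuses the first task's name and overwrites it via /f. The task name is either the binary's stem or the stem with its first letter appended (lsm/lsml, csrss/csrssc, services/servicess). The Python below is an added example, not part of the sandbox report or the sample: it parses schtasks /create command lines of this shape and scores each one for those traits. MIMICKED_NAMES, LEGIT_DIRS and the benign control line are assumptions for illustration; the three malicious lines are copied from the list above.

```python
# Added example (not from the sandbox report): parse and score schtasks /create lines.
import re
from pathlib import PureWindowsPath
from typing import Optional

# Process names the dropper borrows for its copies: genuine Windows binaries plus the
# pseudo-process names Task Manager displays ("System", "Idle"). Assumed list.
MIMICKED_NAMES = {"lsm", "csrss", "smss", "services", "sppsvc", "system", "idle",
                  "lsass", "svchost", "winlogon", "wininit", "dwm"}
# Directories the genuine binaries run from (lower-case, no trailing backslash). Assumed.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# schtasks accepts switches in any order and double-quotes values containing spaces,
# so each switch value is either a "..." string or a bare token.
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
_FORCE = re.compile(r'(?:^|\s)/f(?:\s|$)', re.IGNORECASE)
_CREATE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Fields of a `schtasks /create` command line, or None if it is not one."""
    if not _CREATE.search(cmdline):
        return None
    fields = {"force": bool(_FORCE.search(cmdline))}
    for key, value in _SWITCH.findall(cmdline):
        # /tr is written as "'C:\path\x.exe'": drop the outer double and inner single quotes.
        fields[key.lower()] = value.strip('"').strip("'")
    return fields


def assess(fields: dict) -> list:
    """Human-readable indicators for one parsed task; an empty list means nothing stood out."""
    hits = []
    target = PureWindowsPath(fields.get("tr", ""))
    stem = target.stem.lower()
    parent = str(target.parent).lower().rstrip("\\")
    if stem in MIMICKED_NAMES and parent not in LEGIT_DIRS:
        hits.append(f"masquerade: {target.name} outside System32 ({target.parent})")
    name = fields.get("tn", "").lower()
    if stem and name in (stem, stem + stem[0]):      # lsm/lsml, csrss/csrssc, ...
        hits.append(f"task name {fields['tn']!r} derived from binary name")
    schedule = fields.get("sc", "").upper()
    if schedule == "MINUTE" and int(fields.get("mo", "1")) <= 15:
        hits.append(f"re-launched every {fields.get('mo', '1')} min (watchdog-style persistence)")
    if schedule == "ONLOGON":
        hits.append("runs at every logon")
    if fields.get("rl", "").upper() == "HIGHEST":
        hits.append("/rl HIGHEST: runs with the creator's full token, no UAC prompt")
    if fields["force"]:
        hits.append("/f silently overwrites any existing task of that name")
    return hits


def triage(cmdlines) -> list:
    """Parse and score every schtasks /create line; lines that are not one are skipped."""
    results = []
    for line in cmdlines:
        fields = parse_schtasks(line)
        if fields is not None:
            results.append({"task": fields.get("tn"), "target": fields.get("tr"),
                            "indicators": assess(fields)})
    return results


def drop_locations(results) -> list:
    """Distinct directories the tasks point at, i.e. where the dropper placed its copies."""
    return sorted({str(PureWindowsPath(r["target"]).parent) for r in results if r["target"]})


# Sample input: three command lines copied from the process list above, plus one
# constructed benign task (real System32 binary, daily schedule) as a control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe"''',
]

if __name__ == "__main__":
    findings = triage(SAMPLE_CMDLINES)
    for r in findings:
        print(r["task"], "->", r["target"])
        for hit in r["indicators"]:
            print("   ", hit)
    print("drop locations:", drop_locations(findings))
```

Fed the Sysmon or 4688 command lines from a host, the same functions turn the 37 entries above into a short list of copy locations to collect and task names to delete; the benign control line produces no indicators, which is the property to keep when tuning MIMICKED_NAMES for an environment.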
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002), 1 matching signature
- Scheduled Task/Job (T1053), 1 matching signature
Downloads
-
Filesize 1.4MB (4 identical entries)
MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize 1.4MB
MD5 c1a2ec7f8a5c5ba1b62e690fa0ed6397
SHA1 cd41afe453b08ff0f7d2e6e57629a13eee0c8b48
SHA256 b30f2be203f8e3672cf25ff816a0b825e03e92c4094ece9a6c72cdb58073ca96
SHA512 0e874fc1d5dde6f9d051b13568ea970e2b17b4e19e438b09118368ac381d37d20f1a7a98195d1fc25721524ec723951f2f4c1c641e2faeb61b23d5384bba808f
-
Filesize 1.4MB
MD5 472354661a688f47ebeb0ff09c76c11e
SHA1 f32e7cd84f6a0cedc1b12e3f9df291f007b1f862
SHA256 6677642ee9c9b3a78ca2de479da5a310d52a6f88c3f53186fb89ef74e22f03cf
SHA512 5674676bdcc1276e0881f31424ecab742f3cefdedb82ea401d3c3f0d3cf48d91a12466b066c010b0db81004ca6c5c878847a985713ff5ac3a791f8ee4e7b8904
-
Filesize 516B (3 identical entries)
MD5 05ce8b7bc9ca8386cbb19c2d15e5b720
SHA1 27c92b391a0902b39ef3b3373d0c917247acfc1f
SHA256 3168ec7b8f86eef2799baffc7e21c8bffd05841abf6361084c024352ae69ff29
SHA512 eb539bade0f535b389af956c56936b3bec5da21acc7fe40d9a83f4b3e7715dea2e0a35714936d1e511bb0f8b5c90a6b6a12ad879bc913db67a2ce24db60e655b
-
Filesize 229B
MD5 66ba54424b123927b07fe80323ced8b0
SHA1 7b869e62480dcc515f0fbcf91bb9708b3d41380e
SHA256 8e6e1243667296f11dc9afe13ecc1523124e85caee618e97c3275e23ec2c391f
SHA512 06309258cdb84496f58958c103f78ff2207adcfe33fc61c2c30f6e41571cd01ba02433a7e1fdfd8013d5dc87cde649468d8d245a4e22d3b2b8b683d3ebf1a86c
-
Filesize 740B
MD5 598552cedf323023e5b2389da6174832
SHA1 cedb410d339f509808c1bbb243aaf0e94d192040
SHA256 a27666c4363c0f469ef69822fe2e80614adc395b3e1e60d969be2fcf4cfb388a
SHA512 12c96ad6cf23774747869bd522c227acd638fd97e2b0a3733c187531af848b703c36ba58e16e0dd6d8fe4dd3d23701956f8d816a40353f1d454ab4ab2e33b3e8
-
Filesize 1.4MB (same content as the first entry)
MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize 740B
MD5 c5cb7145aba1084a2bb003fe276be624
SHA1 f57a975bb0d36ec2cf967633e9af48cd8249d9f8
SHA256 5c8ab84053e19ed31eb32f54c88742c0de606d5f0ae88b087e4f5104d3164a63
SHA512 a7f74ded3c69512c20965fa28c1af5a2ab87ead3a9d1ff875e52b68976e9a6730358264618eed28e68de1bfcf43b88eda07d1f27ba3ca9b7565cd8e7c280fa3f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB (5 identical entries)
MD5 0b18178cc5c3019be2dbbc9b98c6d864
SHA1 186161c814eff60afa8f8d1802539dfe0d28c943
SHA256 bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466
SHA512 75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B07MGQ51CEKDSED8IAT0.temp
Filesize 7KB (same content as the .customDestinations-ms file above)
MD5 0b18178cc5c3019be2dbbc9b98c6d864
SHA1 186161c814eff60afa8f8d1802539dfe0d28c943
SHA256 bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466
SHA512 75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b
-
Filesize 1.4MB
MD5 58a85e97a463a1e65893e02cd8d228e7
SHA1 b8a69533ed4200fc9d8751d2a68f654aca06f267
SHA256 5e3057040573fa8ff48494b706d98a25c025820f356abaf668c8776e41040e55
SHA512 a8fe1aa188558d21631542c3de2946482c9f4bc9ba623493219ae16eb544d456adea8574378140027fa9747376b267829d23549fada802c53b805f6b1ee07280
-
Filesize 1.4MB
MD5 89ab8ded0bccd01b0bb6606ce03537ff
SHA1 31024a017167b7d718eca33966b2c63027909aee
SHA256 2c02d082eeae6de4b66db36025011896b0756edd58f9e8625840f64d177aefa8
SHA512 c235567b2e302b06859b9a0176f2be1a698bc6265235372d59d79e6d69b7893c0b21cdf8c11f59accf404e413f6b7f57ecec72bb030d4b134afb220cd7994ba4
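The hash list above is the report's raw dropped-file inventory: one record per file, each algorithm label often fused to its digest by copy/paste, and the same content repeated under several records because the dropper writes the same bytes to many paths. The Python below is an added example, not part of the report: it parses that record format (fused "SHA256<hex>" or spaced "SHA256 <hex>"), rejects digests of the wrong length for their algorithm, and groups records by SHA-256 so an analyst can separate copies of the submitted sample from new artifacts before turning the list into IOCs. The first four records in the sample text are copied from the list above; the last record and SUBMITTED_SHA256 as a named constant are constructed for illustration (the constant is the digest of the first entry above, which the report gives as the submitted sample's SHA-256).

```python
# Added example (not from the sandbox report): parse the Downloads hash list,
# validate digest lengths and group dropped files by content.
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumed: the SHA-256 the report gives for the submitted sample (first entry above).
SUBMITTED_SHA256 = "8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6"

# Accepts both "SHA256 <hex>" and the fused "SHA256<hex>" that copy/paste produces.
_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")
# "Filesize" alone (size on the next line), "Filesize7KB", or "Filesize 7KB (note)".
_SIZE = re.compile(r"^Filesize\s*(\S+)?.*$")


def parse_downloads(text: str) -> list:
    """One dict per '-'-separated record: optional path, size, lower-case digests, warnings."""
    records, cur, want_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):                 # record separator
            if cur:
                records.append(cur)
            cur, want_size = {}, False
            continue
        if want_size:                         # size sits on the line after a bare "Filesize"
            cur["size"], want_size = line, False
            continue
        m = _SIZE.match(line)
        if m:
            if m.group(1):
                cur["size"] = m.group(1)
            else:
                want_size = True
            continue
        m = _HASH.match(line)
        if m:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) == HEX_LEN[algo]:
                cur[algo.lower()] = digest
            else:                             # truncated or mangled: keep it out of the IOC set
                cur.setdefault("warnings", []).append(
                    f"{algo} digest has {len(digest)} hex chars, expected {HEX_LEN[algo]}")
            continue
        if "\\" in line:                      # a dropped-file path
            cur["path"] = line
    if cur:
        records.append(cur)
    return records


def summarize(records, submitted_sha256: str) -> dict:
    """Group by SHA-256: copies of the sample, new artifacts, and records with no usable digest."""
    by_sha = {}
    for r in records:
        if "sha256" in r:
            by_sha.setdefault(r["sha256"], []).append(r)
    return {
        "records": len(records),
        "distinct": len(by_sha),
        "self_copies": len(by_sha.get(submitted_sha256, [])),
        "new_artifacts": sorted(k for k in by_sha if k != submitted_sha256),
        "unparsed": [r for r in records if "sha256" not in r],
    }


# Sample input: four records copied from the Downloads list above (two of them the same
# file, one in spaced and one in fused form), plus one constructed record with a
# truncated SHA-256 to exercise the length check.
SAMPLE_DOWNLOADS = r"""
Filesize
1.4MB
MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize
1.4MB
MD50e28ad7c051feab83c13d21b648a8d60
SHA1ed5e0a9db6860af386c099452870856b649d2841
SHA2568732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA51268031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize
1.4MB
MD5c1a2ec7f8a5c5ba1b62e690fa0ed6397
SHA1cd41afe453b08ff0f7d2e6e57629a13eee0c8b48
SHA256b30f2be203f8e3672cf25ff816a0b825e03e92c4094ece9a6c72cdb58073ca96
SHA5120e874fc1d5dde6f9d051b13568ea970e2b17b4e19e438b09118368ac381d37d20f1a7a98195d1fc25721524ec723951f2f4c1c641e2faeb61b23d5384bba808f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD50b18178cc5c3019be2dbbc9b98c6d864
SHA1186161c814eff60afa8f8d1802539dfe0d28c943
SHA256bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466
SHA51275e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b
-
C:\Users\Admin\AppData\Local\Temp\constructed-example.tmp
Filesize229B
SHA256 deadbeef
"""

if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    print(summarize(recs, SUBMITTED_SHA256))
```

Only records with a full-length SHA-256 reach the IOC set; a truncated digest is reported rather than silently matched, which matters because a short hex prefix would otherwise match by accident when the list is compared against other reports.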