Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-dvex2saa55
Target NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
Tags rat dcrat evasion infostealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

Threat Level: Known bad

The file NEAS.0e28ad7c051feab83c13d21b648a8d60.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Process spawned unexpected child process

UAC bypass

DCRat payload

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-11-18 03:19

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-11-18 03:19

Reported 2023-11-18 03:22

Platform win7-20231023-en

Max time kernel 167s

Max time network 184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDED6.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXEE07.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDE58.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD5D7.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD5E8.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDC34.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDC44.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXFA29.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\SoftwareDistribution\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\SoftwareDistribution\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\TAPI\RCXE971.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\RCXC37.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\RCXC38.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\it-IT\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\TAPI\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\en-US\RCXFC2C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\en-US\RCXFC3D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\TAPI\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\it-IT\RCX12D3.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\TAPI\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\Globalization\RCXA23.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\Globalization\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\it-IT\RCX12D2.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\rescache\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\Globalization\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\Globalization\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\TAPI\RCXE982.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\Globalization\RCXA24.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\cmd.exe
PID 2008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\cmd.exe
PID 2008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2800 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2800 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2800 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 2800 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 2800 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 1132 wrote to memory of 2024 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 1132 wrote to memory of 2024 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 1132 wrote to memory of 2024 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 1132 wrote to memory of 876 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 1132 wrote to memory of 876 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 1132 wrote to memory of 876 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2024 wrote to memory of 2108 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 2024 wrote to memory of 2108 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 2024 wrote to memory of 2108 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
PID 2108 wrote to memory of 2772 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2772 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2772 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2448 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2448 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2448 N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021a110-1943-4e92-950f-57a501d99bef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ecb051-08ae-45de-9a05-c3a3735e1d76.vbs"

C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fdd770e-3515-4faa-a034-ba35e8489e30.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\315314a6-b10b-4bcf-9d64-428d03b0c61b.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp

Files

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe

MD5 c1a2ec7f8a5c5ba1b62e690fa0ed6397
SHA1 cd41afe453b08ff0f7d2e6e57629a13eee0c8b48
SHA256 b30f2be203f8e3672cf25ff816a0b825e03e92c4094ece9a6c72cdb58073ca96
SHA512 0e874fc1d5dde6f9d051b13568ea970e2b17b4e19e438b09118368ac381d37d20f1a7a98195d1fc25721524ec723951f2f4c1c641e2faeb61b23d5384bba808f

C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe

MD5 472354661a688f47ebeb0ff09c76c11e
SHA1 f32e7cd84f6a0cedc1b12e3f9df291f007b1f862
SHA256 6677642ee9c9b3a78ca2de479da5a310d52a6f88c3f53186fb89ef74e22f03cf
SHA512 5674676bdcc1276e0881f31424ecab742f3cefdedb82ea401d3c3f0d3cf48d91a12466b066c010b0db81004ca6c5c878847a985713ff5ac3a791f8ee4e7b8904

C:\Windows\Globalization\RCXA23.tmp

MD5 89ab8ded0bccd01b0bb6606ce03537ff
SHA1 31024a017167b7d718eca33966b2c63027909aee
SHA256 2c02d082eeae6de4b66db36025011896b0756edd58f9e8625840f64d177aefa8
SHA512 c235567b2e302b06859b9a0176f2be1a698bc6265235372d59d79e6d69b7893c0b21cdf8c11f59accf404e413f6b7f57ecec72bb030d4b134afb220cd7994ba4

C:\Users\Admin\Idle.exe

MD5 58a85e97a463a1e65893e02cd8d228e7
SHA1 b8a69533ed4200fc9d8751d2a68f654aca06f267
SHA256 5e3057040573fa8ff48494b706d98a25c025820f356abaf668c8776e41040e55
SHA512 a8fe1aa188558d21631542c3de2946482c9f4bc9ba623493219ae16eb544d456adea8574378140027fa9747376b267829d23549fada802c53b805f6b1ee07280

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0b18178cc5c3019be2dbbc9b98c6d864
SHA1 186161c814eff60afa8f8d1802539dfe0d28c943
SHA256 bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466
SHA512 75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B07MGQ51CEKDSED8IAT0.temp

MD5 0b18178cc5c3019be2dbbc9b98c6d864
SHA1 186161c814eff60afa8f8d1802539dfe0d28c943
SHA256 bd4a1515d7f75d50a013625338f8964e8d8d6d95cd7420390b22401e435f1466
SHA512 75e9d0864a7c1ac9cb7c6a0e71cdfd313ffd5af4074bcc4fe89391ab7a04958fe2712d598ea54d3cac790152081e6c6e96598ac1043e7497713f5c2dd5a72e9b

C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat

MD5 66ba54424b123927b07fe80323ced8b0
SHA1 7b869e62480dcc515f0fbcf91bb9708b3d41380e
SHA256 8e6e1243667296f11dc9afe13ecc1523124e85caee618e97c3275e23ec2c391f
SHA512 06309258cdb84496f58958c103f78ff2207adcfe33fc61c2c30f6e41571cd01ba02433a7e1fdfd8013d5dc87cde649468d8d245a4e22d3b2b8b683d3ebf1a86c

C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Temp\31ecb051-08ae-45de-9a05-c3a3735e1d76.vbs

MD5 05ce8b7bc9ca8386cbb19c2d15e5b720
SHA1 27c92b391a0902b39ef3b3373d0c917247acfc1f
SHA256 3168ec7b8f86eef2799baffc7e21c8bffd05841abf6361084c024352ae69ff29
SHA512 eb539bade0f535b389af956c56936b3bec5da21acc7fe40d9a83f4b3e7715dea2e0a35714936d1e511bb0f8b5c90a6b6a12ad879bc913db67a2ce24db60e655b

C:\Users\Admin\AppData\Local\Temp\b021a110-1943-4e92-950f-57a501d99bef.vbs

MD5 c5cb7145aba1084a2bb003fe276be624
SHA1 f57a975bb0d36ec2cf967633e9af48cd8249d9f8
SHA256 5c8ab84053e19ed31eb32f54c88742c0de606d5f0ae88b087e4f5104d3164a63
SHA512 a7f74ded3c69512c20965fa28c1af5a2ab87ead3a9d1ff875e52b68976e9a6730358264618eed28e68de1bfcf43b88eda07d1f27ba3ca9b7565cd8e7c280fa3f

C:\Users\Admin\AppData\Local\Temp\9102608d4360041de75102797364943e2d4065c2.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Temp\7fdd770e-3515-4faa-a034-ba35e8489e30.vbs

MD5 598552cedf323023e5b2389da6174832
SHA1 cedb410d339f509808c1bbb243aaf0e94d192040
SHA256 a27666c4363c0f469ef69822fe2e80614adc395b3e1e60d969be2fcf4cfb388a
SHA512 12c96ad6cf23774747869bd522c227acd638fd97e2b0a3733c187531af848b703c36ba58e16e0dd6d8fe4dd3d23701956f8d816a40353f1d454ab4ab2e33b3e8

C:\Users\Admin\AppData\Local\Temp\315314a6-b10b-4bcf-9d64-428d03b0c61b.vbs

MD5 05ce8b7bc9ca8386cbb19c2d15e5b720
SHA1 27c92b391a0902b39ef3b3373d0c917247acfc1f
SHA256 3168ec7b8f86eef2799baffc7e21c8bffd05841abf6361084c024352ae69ff29
SHA512 eb539bade0f535b389af956c56936b3bec5da21acc7fe40d9a83f4b3e7715dea2e0a35714936d1e511bb0f8b5c90a6b6a12ad879bc913db67a2ce24db60e655b

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 03:19

Reported

2023-11-18 03:22

Platform

win10v2004-20231020-en

Max time kernel

158s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\SendTo\sihost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\SendTo\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\SendTo\sihost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\SendTo\sihost.exe N/A
N/A N/A C:\Users\Admin\SendTo\sihost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\SendTo\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE941.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE942.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tracing\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\tracing\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\appcompat\Programs\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\appcompat\Programs\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File created C:\Windows\appcompat\Programs\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\tracing\RCXE507.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\tracing\RCXE508.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\tracing\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\appcompat\Programs\RCXEB56.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
File opened for modification C:\Windows\appcompat\Programs\RCXEB67.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings C:\Users\Admin\SendTo\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe C:\Windows\System32\cmd.exe
PID 4752 wrote to memory of 6084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4752 wrote to memory of 5352 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\SendTo\sihost.exe
PID 5352 wrote to memory of 2596 N/A C:\Users\Admin\SendTo\sihost.exe C:\Windows\System32\WScript.exe
PID 5352 wrote to memory of 1740 N/A C:\Users\Admin\SendTo\sihost.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 3368 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\SendTo\sihost.exe
PID 3368 wrote to memory of 5780 N/A C:\Users\Admin\SendTo\sihost.exe C:\Windows\System32\WScript.exe
PID 3368 wrote to memory of 4456 N/A C:\Users\Admin\SendTo\sihost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\SendTo\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fc7N4hi3mv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\SendTo\sihost.exe

"C:\Users\Admin\SendTo\sihost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f95379a0-7df4-4338-a6b1-eac709e1129f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5297db2e-7162-4182-b6b3-533eefe8682b.vbs"

C:\Users\Admin\SendTo\sihost.exe

C:\Users\Admin\SendTo\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf555f34-dc56-430f-9bdf-9b836bfb9c85.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3f8b9c-963e-4aba-be7c-ff74ae25a3b2.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp

Files

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esrr0rd3.w52.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Fc7N4hi3mv.bat

MD5 e0a107d4ea3d8827855411fdcf4dbfc3
SHA1 63eb45dfee77fe6a36e104d334a67fd50e00c71c
SHA256 f11de31a51c7359af43c5b1a84f8dc381426e6f9da8485b3b325ab24a6e28280
SHA512 e8afc9baafe27d505d8b3a6a881d4dd5f5a90c1dd74c3af538287a0fbf55cba714969986e8260565495deb9ccf83e2c215678b2ce72013746fced16ea7123a0d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae96ca6d5f605116d027b60ee601dbf8
SHA1 227fd9141f215138fb1bf85391accfc97a691d47
SHA256 30e866ae47fec01989b6ae6ced870828b089a8ce68580ee70204ae5db88451bf
SHA512 03a324722a5fd70a59bfa341bf2606dd6cb943b9f2c415c22b2913140837e3c12acfdf929b1db8535f943a805900164a12528d4bf2b1933cd2bfbcd22e03d374

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2ce5f364d6f19da44a34ce23f13e28b
SHA1 a7fc544cc9e62c759c0b0aeaecf324d7196a127e
SHA256 443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb
SHA512 fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60804e808a88131a5452fed692914a8e
SHA1 fdb74669923b31d573787fe024dbd701fa21bb5b
SHA256 064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61
SHA512 d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 377c375f814a335a131901ed5d5eca44
SHA1 9919811b18b4f8153541b332232ae88eec42f9f7
SHA256 7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10
SHA512 c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 293a5e452e148112857e22e746feff34
SHA1 7a5018bf98a3e38970809531288a7e3efb979532
SHA256 05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551
SHA512 7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60804e808a88131a5452fed692914a8e
SHA1 fdb74669923b31d573787fe024dbd701fa21bb5b
SHA256 064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61
SHA512 d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\SendTo\sihost.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Temp\f95379a0-7df4-4338-a6b1-eac709e1129f.vbs

MD5 19e510f875e0fde82eaaf54180eb6948
SHA1 07de5685ffbf644b9ff84e28cff07a36533bfc54
SHA256 8f6f641a09462214d2cd6aa4897058abf3ac39b56cfbe6d037aa8005711ce351
SHA512 cb4cb31958e2351e324a1ffface45bc4ea043a9ba42694b7391f51b78f1b26010bc688ae9be4f8e54a5b66e574a135a086561b9a9748d195f06802ee16a9774b

C:\Users\Admin\AppData\Local\Temp\5297db2e-7162-4182-b6b3-533eefe8682b.vbs

MD5 4bf89bb07d666d8672f1d91a7ad976c2
SHA1 d0a64fef9c06d3ec7a4b7193382f7ac1361e4244
SHA256 85f7e3865f825b6a92651036c451d5ee065fc1972490a2c63264bcda84d30134
SHA512 10fb57da9f1a69b1c4122c734a7422ce2c40b750f60a729e41ebbaa0b043ea8396af3290e0565802a8d18d750cc1839ac7de8ab60020a5253d05581951e4ff07

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\3eaab76534dabca3ac8a3b02468784da6a9bb0af.exe

MD5 0e28ad7c051feab83c13d21b648a8d60
SHA1 ed5e0a9db6860af386c099452870856b649d2841
SHA256 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

C:\Users\Admin\AppData\Local\Temp\4f3f8b9c-963e-4aba-be7c-ff74ae25a3b2.vbs

MD5 4bf89bb07d666d8672f1d91a7ad976c2
SHA1 d0a64fef9c06d3ec7a4b7193382f7ac1361e4244
SHA256 85f7e3865f825b6a92651036c451d5ee065fc1972490a2c63264bcda84d30134
SHA512 10fb57da9f1a69b1c4122c734a7422ce2c40b750f60a729e41ebbaa0b043ea8396af3290e0565802a8d18d750cc1839ac7de8ab60020a5253d05581951e4ff07

C:\Users\Admin\AppData\Local\Temp\bf555f34-dc56-430f-9bdf-9b836bfb9c85.vbs

MD5 846fb61165a9464fb7e0dc0a5ce0fced
SHA1 5b2a514345c1e3c0da12d639b0b3a9c123fa6883
SHA256 7ec7ed10a399e90e050d7c229c2b6abaebc8a16441b9be088f3bf3a7fdd477ff
SHA512 cd9feec6729d02e9deac256087872caba5c32ce9c7518bfb2761877b84972c39649ad44d037ab8b17453fe4a8d2963a5a8d51dcf69f2f70dc3525dbe67f00de8
