Analysis
- max time kernel: 160s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64 arch:x86 image:win7-20231025-en locale:en-us os:windows7-x64 system
- submitted: 18/11/2023, 07:15

Behavioral task behavioral1
- Sample: NEAS.837e95e2cf296e26712186c895f4c200.exe
- Resource: win7-20231025-en

Behavioral task behavioral2
- Sample: NEAS.837e95e2cf296e26712186c895f4c200.exe
- Resource: win10v2004-20231023-en

General
- Target: NEAS.837e95e2cf296e26712186c895f4c200.exe
- Size: 1.4MB
- MD5: 837e95e2cf296e26712186c895f4c200
- SHA1: 8c5995383c0c59169577cddd1e201c117532a688
- SHA256: 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786
- SHA512: 70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f
- SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Executes dropped EXE 3 IoCs
- PID 1724: winlogon.exe
- PID 892: winlogon.exe
- PID 1272: winlogon.exe
Checks whether UAC is enabled
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in Program Files directory 25 IoCs
Process for every entry: NEAS.837e95e2cf296e26712186c895f4c200.exe
- File created: C:\Program Files\Windows NT\Accessories\ja-JP\System.exe
- File created: C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e
- File created: C:\Program Files (x86)\Windows Portable Devices\56085415360792
- File opened for modification: C:\Program Files\Windows NT\Accessories\ja-JP\RCXC2E5.tmp
- File opened for modification: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE6D7.tmp
- File opened for modification: C:\Program Files\Windows NT\Accessories\ja-JP\System.exe
- File opened for modification: C:\Program Files\Windows NT\Accessories\ja-JP\RCXC267.tmp
- File created: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6203df4a6bafc7
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\RCXD8B8.tmp
- File opened for modification: C:\Program Files\Windows Photo Viewer\de-DE\RCXD132.tmp
- File opened for modification: C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
- File opened for modification: C:\Program Files (x86)\Windows NT\RCXDAEC.tmp
- File opened for modification: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
- File created: C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
- File opened for modification: C:\Program Files\Windows Photo Viewer\de-DE\RCXD1A0.tmp
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\RCXD8B7.tmp
- File opened for modification: C:\Program Files (x86)\Windows NT\smss.exe
- File created: C:\Program Files\Windows NT\Accessories\ja-JP\27d1bcfc3c54e0
- File opened for modification: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF559.tmp
- File created: C:\Program Files (x86)\Windows NT\smss.exe
- File created: C:\Program Files (x86)\Windows NT\69ddcba757bf72
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe
- File opened for modification: C:\Program Files (x86)\Windows NT\RCXDADB.tmp
Drops file in Windows directory 15 IoCs
Process for every entry: NEAS.837e95e2cf296e26712186c895f4c200.exe
- File created: C:\Windows\PLA\System\6ccacd8608530f
- File opened for modification: C:\Windows\Speech\RCXC77B.tmp
- File opened for modification: C:\Windows\PLA\System\Idle.exe
- File opened for modification: C:\Windows\AppPatch\RCXDD5D.tmp
- File created: C:\Windows\Speech\886983d96e3d3e
- File opened for modification: C:\Windows\Speech\RCXC76A.tmp
- File opened for modification: C:\Windows\Speech\csrss.exe
- File opened for modification: C:\Windows\PLA\System\RCXC9EC.tmp
- File opened for modification: C:\Windows\PLA\System\RCXCAA8.tmp
- File opened for modification: C:\Windows\AppPatch\RCXDDCB.tmp
- File opened for modification: C:\Windows\AppPatch\winlogon.exe
- File created: C:\Windows\AppPatch\cc11b995f2a76d
- File created: C:\Windows\AppPatch\winlogon.exe
- File created: C:\Windows\PLA\System\Idle.exe
- File created: C:\Windows\Speech\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 16 IoCs
Token for every entry: SeDebugPrivilege
- PID 2580: NEAS.837e95e2cf296e26712186c895f4c200.exe
- PID 2924: powershell.exe
- PID 3048: powershell.exe
- PID 2056: powershell.exe
- PID 2900: powershell.exe
- PID 844: powershell.exe
- PID 1916: powershell.exe
- PID 1724: winlogon.exe
- PID 1808: powershell.exe
- PID 1088: powershell.exe
- PID 2684: powershell.exe
- PID 2212: powershell.exe
- PID 2844: powershell.exe
- PID 2848: powershell.exe
- PID 892: winlogon.exe
- PID 1272: winlogon.exe
Suspicious use of WriteProcessMemory 63 IoCs
System policy modification 1 TTPs 12 IoCs
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- NEAS.837e95e2cf296e26712186c895f4c200.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Level N is the depth of the process in the sandbox process tree.)

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2580
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 844

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 3048

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 1808

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 1916

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2056

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2212

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2900

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2924

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2848

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 1088

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2684
Level 2: C:\Windows\AppPatch\winlogon.exe
  Command line: "C:\Windows\AppPatch\winlogon.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1724

Level 3: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4eab582-ea61-495b-819c-ffb42036e025.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 2296

Level 4: C:\Windows\AppPatch\winlogon.exe
  Command line: C:\Windows\AppPatch\winlogon.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 892

Level 5: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e687f3cc-5078-4993-be01-c2902206c72a.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1568

Level 6: C:\Windows\AppPatch\winlogon.exe
  Command line: C:\Windows\AppPatch\winlogon.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1272

Level 7: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480746f3-ab36-402e-ad2f-ef83ab52e3a9.vbs"
  PID: 2760

Level 7: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6f1a0c-a453-4eaf-89a3-c6ab276a4eb5.vbs"
  PID: 2212

Level 5: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4751d6a6-9cd5-4138-85a1-3383245d8c60.vbs"
  PID: 2468

Level 3: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057faeef-c58c-4ef0-830b-db04c3f0620d.vbs"
  PID: 1548
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize 1.4MB
MD5 837e95e2cf296e26712186c895f4c200
SHA1 8c5995383c0c59169577cddd1e201c117532a688
SHA256 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786
SHA512 70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f
-
Filesize 1.4MB
MD5 d17a8b9a4531302c1a3fca0f65f4954f
SHA1 77da4a04a80058891335ed32500bcc060832ce0c
SHA256 20d396c92086507718557693c3455389c853cdf1dd740d66785f9760df5af97f
SHA512 4c22cf0e018181265fe34b8042f99c3860a59ec508b92e145b4ef0a0b9a95e4015afd773b8355c8c75e14b98b06bdc3a55967380bad82e78c9493193c9887805
-
Filesize 1.4MB
MD5 5edaae71145f757dbff8d3f46de2fd48
SHA1 497ca8f9b09e82ee7c37af0a6ca09afeef882f01
SHA256 221a6b2997c69ce7b01d1b70f50b8c157dee1ff829a8dc58c0bb0a76d476c0af
SHA512 e386a2c0d6f297b64c8df593107969cebfdc00d2d68834a5b61830fcaec0fb7be8800a2909aa80dc96cf6f83a8abe73848220953a85fc8f3ea70f11daf27ceee
-
Filesize 1.4MB
MD5 256a12e0e46a0ce5466408e4cfa84496
SHA1 c64dd354bb19f5976aa7746cd5d9ac21451179e6
SHA256 a3c9754ca961b3df62e63cea38ff885327bfc2e3f803733b5269fee067583157
SHA512 4b0eab0fd48c2070408ea4ac9ac31a8f40a303e22ca7ee7c455c30c09d3ff2e733bf7dd47af204291e35c78cbeaa377b9e6a60c84b398bb4ff11390a649c6bba
-
Filesize 1.4MB
MD5 dfe73fc48629bc87b3b4af881183172d
SHA1 e13e3922d4e233453bd14334c87702bada05f21d
SHA256 c57c21fcf140b3d8cb6ddc28e2920edbf61c90f8c6eff3e7604754dd94f5431f
SHA512 b532b666ceb40234e76691fa4140b41ef4b07b612cae3fc905080034a061da5389839523260cb2e13cdce01932ec725c35152a78ce3a19f5ad8d824f6930eb45
-
Filesize 484B
MD5 9d7b5c4ccd553785a2459391f602de89
SHA1 8948f5c1ed84213ab2b5d2ee854ec4616459b148
SHA256 973b930d19ab14385cdeadae4c3be8c0a79cad045297a1c19e649fbc7c99cf6e
SHA512 b800af1accc41e3afe184271c38a56413a295975a38850e2b63c23357b154de79439e4eb56b192d58dec0babe735d0da155933d2e1869c0e7477383622f6a2f8
-
Filesize 708B
MD5 f55af5637208c214073b9ea8c6cea4e9
SHA1 708b3607dec0b7fcdc5abf782055d2faab075220
SHA256 440029bc331acaabf3d3c856986e3e82ee654e86b4c12cab3e9e97dd65e4e248
SHA512 f62e954df8065e038f57e41b0252035f8258e73f847465677822e91388dacf92777026ec5e11deff281ee51f74aef7a65760b0efa82c9313d4337603fdf857bd
-
Filesize 708B
MD5 85c59c19532fee2ffa134482b5da6ea3
SHA1 acf015f064ff039d588757b4aa19028704b9046b
SHA256 7739f7553fa20a10a1982ba95017c504f4758378188a9bd5de36e7c84c0a8253
SHA512 d04989befb09a11936a4bb2388922a26e3c26c2d1fa62dc994252c4fb9efd86add7a1d8573327d8d614053427d5d1dada627a2de12dd9c5c53c83dfd942a5823
-
Filesize 1.4MB
MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b
-
Filesize 707B
MD5 4dbada9a2185a67e31774ab1440f249d
SHA1 df9cc813e28fcf76f6f65a19c87ad034b227acf3
SHA256 5f07a124e20b8fe22c016e9efc84a3b74ebdc33463f195593de952c85a3f9e9c
SHA512 8e7661eaef0bdd824ae361c5ad12287cf81b137477ef99d31824e9564e1401438ce7fd064108eaf970364d85ece065f034f65c271527f7f0b8cb59ee44b27f1e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5LXRM4BHHBKSFRH6FVH.temp
Filesize 7KB
MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d
-
Filesize 1.4MB
MD5 fff3fcff9312852b284de98e1aab8242
SHA1 74257cd895d8dd0a31194040e36711e5f4e71d8c
SHA256 7b4f9c51671cd94987a17e9880fe9607cd1c138ca38ec95278cd3e3cd5a46005
SHA512 269d765819abebbdb05758e091444994d9b5168037dabd4d529998305822e69cafdf0cb1ae4d5b557e79899bf1f9299b1d8c6989314af9bc5d45dc7971f300a3
-
Filesize 1.4MB
MD5 cbc5784a6592d16781d7ce3382fc87e2
SHA1 00b41783ff10024de1bc59013e75875b97abff6c
SHA256 bf1aa3e90ca1f1712d8df6d7a648a067bb47dd1f3ed6b3f1a4cf11b104c2341c
SHA512 b4eb833321649489540a2c949a429c2b79468a435344a940d09902d293af03d986edae081e6c12c110ad8927332ff6240e0edb1ba00a5ed2521622d3be3b8e3f