Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 07:15

Behavioral task: behavioral1
Sample: NEAS.837e95e2cf296e26712186c895f4c200.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.837e95e2cf296e26712186c895f4c200.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.837e95e2cf296e26712186c895f4c200.exe
Size: 1.4MB
MD5: 837e95e2cf296e26712186c895f4c200
SHA1: 8c5995383c0c59169577cddd1e201c117532a688
SHA256: 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786
SHA512: 70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (57 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |

| Resource | YARA rule |
|---|---|
| behavioral2/memory/2588-0-0x0000000000900000-0x0000000000A6C000-memory.dmp | dcrat |
| behavioral2/files/0x0006000000022e0b-36.dat | dcrat |
| behavioral2/files/0x0006000000022e0f-497.dat | dcrat |
| behavioral2/files/0x0006000000022e0f-498.dat | dcrat |
| behavioral2/files/0x0006000000022e0f-512.dat | dcrat |
| behavioral2/files/0x0008000000022d1f-518.dat | dcrat |
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | services.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | services.exe |
Executes dropped EXE (2 IoCs)

| PID | Process |
|---|---|
| 5348 | services.exe |
| 3196 | services.exe |

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
Drops file in System32 directory (5 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\System32\pt-BR\RCXE44F.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Windows\System32\pt-BR\RCXE4AE.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Windows\System32\pt-BR\System.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Windows\System32\pt-BR\System.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Windows\System32\pt-BR\27d1bcfc3c54e0 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
Drops file in Program Files directory (25 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCXFED5.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\RCXCF3.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXD410.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\RCXADE.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Windows Media Player\ja-JP\e1ef82546f0b02 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\RCXAAE.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\121e5b5079f7c0 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Windows Mail\55b276f4edf653 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXF116.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX58C.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\0a1fd5f707cd16 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXEE46.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCXCE23.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\RCXCF2.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
Drops file in Windows directory (5 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\fr-FR\RCX178A.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Windows\fr-FR\taskhostw.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Windows\fr-FR\taskhostw.exe | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File created | C:\Windows\fr-FR\ea9f0e6c9e2dcd | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| File opened for modification | C:\Windows\fr-FR\RCX176A.tmp | NEAS.837e95e2cf296e26712186c895f4c200.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 57 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | services.exe |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | services.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (15 IoCs)

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Token: SeDebugPrivilege | 4604 | powershell.exe |
| Token: SeDebugPrivilege | 1544 | powershell.exe |
| Token: SeDebugPrivilege | 1972 | powershell.exe |
| Token: SeDebugPrivilege | 3640 | powershell.exe |
| Token: SeDebugPrivilege | 888 | powershell.exe |
| Token: SeDebugPrivilege | 3196 | powershell.exe |
| Token: SeDebugPrivilege | 2632 | powershell.exe |
| Token: SeDebugPrivilege | 2460 | powershell.exe |
| Token: SeDebugPrivilege | 688 | powershell.exe |
| Token: SeDebugPrivilege | 1408 | powershell.exe |
| Token: SeDebugPrivilege | 2256 | powershell.exe |
| Token: SeDebugPrivilege | 4192 | powershell.exe |
| Token: SeDebugPrivilege | 5348 | services.exe |
| Token: SeDebugPrivilege | 3196 | services.exe |
Suspicious use of WriteProcessMemory (40 IoCs)

| Description | PID | Process | Target PID |
|---|---|---|---|
| PID 2588 wrote to memory of 4192 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 161 |
| PID 2588 wrote to memory of 4192 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 161 |
| PID 2588 wrote to memory of 3196 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 162 |
| PID 2588 wrote to memory of 3196 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 162 |
| PID 2588 wrote to memory of 888 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 163 |
| PID 2588 wrote to memory of 888 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 163 |
| PID 2588 wrote to memory of 2460 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 164 |
| PID 2588 wrote to memory of 2460 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 164 |
| PID 2588 wrote to memory of 4604 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 165 |
| PID 2588 wrote to memory of 4604 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 165 |
| PID 2588 wrote to memory of 688 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 166 |
| PID 2588 wrote to memory of 688 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 166 |
| PID 2588 wrote to memory of 2632 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 167 |
| PID 2588 wrote to memory of 2632 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 167 |
| PID 2588 wrote to memory of 1972 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 183 |
| PID 2588 wrote to memory of 1972 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 183 |
| PID 2588 wrote to memory of 3640 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 182 |
| PID 2588 wrote to memory of 3640 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 182 |
| PID 2588 wrote to memory of 1544 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 168 |
| PID 2588 wrote to memory of 1544 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 168 |
| PID 2588 wrote to memory of 1408 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 180 |
| PID 2588 wrote to memory of 1408 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 180 |
| PID 2588 wrote to memory of 2256 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 179 |
| PID 2588 wrote to memory of 2256 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 179 |
| PID 2588 wrote to memory of 3780 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 184 |
| PID 2588 wrote to memory of 3780 | 2588 | NEAS.837e95e2cf296e26712186c895f4c200.exe | 184 |
| PID 3780 wrote to memory of 5828 | 3780 | cmd.exe | 189 |
| PID 3780 wrote to memory of 5828 | 3780 | cmd.exe | 189 |
| PID 3780 wrote to memory of 5348 | 3780 | cmd.exe | 190 |
| PID 3780 wrote to memory of 5348 | 3780 | cmd.exe | 190 |
| PID 5348 wrote to memory of 5644 | 5348 | services.exe | 191 |
| PID 5348 wrote to memory of 5644 | 5348 | services.exe | 191 |
| PID 5348 wrote to memory of 5732 | 5348 | services.exe | 192 |
| PID 5348 wrote to memory of 5732 | 5348 | services.exe | 192 |
| PID 5644 wrote to memory of 3196 | 5644 | WScript.exe | 196 |
| PID 5644 wrote to memory of 3196 | 5644 | WScript.exe | 196 |
| PID 3196 wrote to memory of 5288 | 3196 | services.exe | 197 |
| PID 3196 wrote to memory of 5288 | 3196 | services.exe | 197 |
| PID 3196 wrote to memory of 880 | 3196 | services.exe | 198 |
| PID 3196 wrote to memory of 880 | 3196 | services.exe | 198 |
System policy modification (1 TTPs, 9 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.837e95e2cf296e26712186c895f4c200.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2588 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c6GvLXFq3X.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:5828
-
-
C:\Users\Default User\services.exe"C:\Users\Default User\services.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5348 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca8331e-03b2-421c-98af-87fef2c10169.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:5644 -
C:\Users\Default User\services.exe"C:\Users\Default User\services.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3196 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee91de6-6e79-4802-86c4-3e84b3cb0b0e.vbs"6⤵PID:5288
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4a8fa7e-3c1f-4c1e-a06a-fec99a88df2f.vbs"6⤵PID:880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e554e97-58e9-47cd-a639-c9bacdb5166a.vbs"4⤵PID:5732
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\pt-BR\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads