Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-h3jcnach95
Target NEAS.837e95e2cf296e26712186c895f4c200.exe
SHA256 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786
Tags rat dcrat evasion infostealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786

Threat Level: Known bad

The file NEAS.837e95e2cf296e26712186c895f4c200.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

UAC bypass

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-11-18 07:15

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
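The static signature "Unsigned PE" above means the sample carries no embedded Authenticode signature. The block below is an added example, not code from the sandbox report or from any vendor, of the minimal static check a practitioner would use to reproduce that verdict: parse the PE optional header and read the Security data directory. The names security_directory, has_embedded_signature, scan_file and build_stub_pe are chosen for this example, and the stub PE that build_stub_pe assembles is constructed test input, not derived from the analysed file.

```python
"""Static check: does a PE file carry an embedded Authenticode signature?

Added example, not code from the sandbox report or from any vendor. An
unsigned PE has an empty Security data directory (index 4,
IMAGE_DIRECTORY_ENTRY_SECURITY) in the optional header; a signed one points
that entry at a WIN_CERTIFICATE blob appended to the file. build_stub_pe()
constructs a minimal header for testing and is not derived from the sample.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
NUM_DIRECTORIES = 16


def security_directory(data: bytes):
    """(file offset, size) of the certificate table, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # past the PE signature and IMAGE_FILE_HEADER
    if len(data) < opt + 2:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:                       # NumberOfRvaAndSizes @ 92, table @ 96
        count_off, table_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:                 # NumberOfRvaAndSizes @ 108, table @ 112
        count_off, table_off = opt + 108, opt + 112
    else:
        return None
    if len(data) < count_off + 4:
        return None
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                             # table too short to hold the entry: unsigned
    entry = table_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(data) < entry + 8:
        return None
    # Unlike every other directory, this one stores a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)


def has_embedded_signature(data: bytes) -> bool:
    sec = security_directory(data)
    return sec is not None and sec[1] != 0


def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return has_embedded_signature(fh.read())


def build_stub_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE (headers only, no sections) used to exercise the check."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    magic, count_off = (PE32PLUS_MAGIC, 108) if pe32plus else (PE32_MAGIC, 92)
    opt_size = count_off + 4 + 8 * NUM_DIRECTORIES
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", magic) + b"\0" * (count_off - 2) + struct.pack("<I", NUM_DIRECTORIES)
    table = bytearray(8 * NUM_DIRECTORIES)
    header_len = len(dos) + 4 + len(coff) + len(opt) + len(table)
    blob = b""
    if signed:
        blob = b"\0" * 8                          # stand-in for a WIN_CERTIFICATE structure
        struct.pack_into("<II", table, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(blob))
    return dos + b"PE\0\0" + coff + opt + bytes(table) + blob
```

Two caveats when using this on a live host: most Microsoft binaries are catalog-signed and carry no embedded signature, so this check alone reports them as unsigned too; and a non-empty directory only proves a blob is attached, not that the certificate chain verifies. For a validity verdict use signtool verify or PowerShell's Get-AuthenticodeSignature.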

Analysis: behavioral1

Detonation Overview

Submitted 2023-11-18 07:15

Reported 2023-11-18 07:18

Platform win7-20231025-en

Max time kernel 160s

Max time network 178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row recorded 48 times, one per schtasks.exe launch, matching the 48 entries under Creates scheduled task(s) below; a WmiPrvSE.exe parent is what process creation through WMI, e.g. Win32_Process.Create, looks like, so the sample launched schtasks.exe via WMI rather than as a direct child of the dropper)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(16 matches; no per-match indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\AppPatch\winlogon.exe N/A
N/A N/A C:\Windows\AppPatch\winlogon.exe N/A
N/A N/A C:\Windows\AppPatch\winlogon.exe N/A
(three launches of the dropped copy, PIDs 1724, 892 and 1272 in the Suspicious use of WriteProcessMemory section below: the dropper starts winlogon.exe, which relaunches itself through WScript.exe twice more)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\AppPatch\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\Accessories\ja-JP\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\56085415360792 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\ja-JP\RCXC2E5.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE6D7.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\ja-JP\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\ja-JP\RCXC267.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\wininit.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXD8B8.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\RCXD132.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\RCXDAEC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\wininit.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\RCXD1A0.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXD8B7.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows NT\Accessories\ja-JP\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF559.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows NT\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows NT\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\RCXDADB.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\System\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\Speech\RCXC77B.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\PLA\System\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\AppPatch\RCXDD5D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\Speech\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\Speech\RCXC76A.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\Speech\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\PLA\System\RCXC9EC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\PLA\System\RCXCAA8.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\AppPatch\RCXDDCB.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\AppPatch\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\AppPatch\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\AppPatch\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\PLA\System\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\Speech\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
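Three of the behaviours recorded above are worth turning into host-side detections: schtasks.exe launched under WmiPrvSE.exe (Process spawned unexpected child process), the UAC policy values written as 0 (UAC bypass, Checks whether UAC is enabled), and core-binary names such as winlogon.exe, csrss.exe, lsass.exe, smss.exe, wininit.exe, Idle.exe and System.exe dropped into AppPatch, Speech, PLA and Program Files directories (Executes dropped EXE, Drops file in ... directory). The block below is an added example, not part of the report or of any vendor's rule set: three rules evaluated over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events. The Sysmon field names are an assumption about the telemetry source; SAMPLE_EVENTS is constructed by hand from paths and values listed in this report plus two benign events that must not fire.

```python
"""Host-side rules for three behaviours recorded in this report.

Added example, not part of the sandbox report or of any vendor's rule set.
Events are dicts with Sysmon field names (an assumption about the telemetry
source): EventID 1 = process creation, EventID 13 = registry value set.
"""
from pathlib import PureWindowsPath

# Names the sample reuses for its dropped copies (winlogon, csrss, lsass, smss,
# wininit, Idle, System) plus two others commonly abused the same way.
MASQUERADE_NAMES = {
    "winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe",
    "idle.exe", "system.exe",       # mimic pseudo-processes that have no image file at all
    "services.exe", "svchost.exe",  # not used by this sample; added for coverage
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

UAC_KEY = r"\registry\machine\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def _is_zero(details) -> bool:
    """Accept Sysmon's 'DWORD (0x00000000)', the report's "0", or a plain int."""
    if isinstance(details, int):
        return details == 0
    text = str(details).strip().strip('"')
    if text.upper().startswith("DWORD"):
        text = text[text.find("(") + 1:text.find(")")]
    try:
        return int(text, 0) == 0
    except ValueError:
        return False


def wmi_spawned_schtasks(ev) -> bool:
    """Rule 1: schtasks.exe whose parent is WmiPrvSE.exe (creation via WMI)."""
    if ev.get("EventID") != 1:
        return False
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    child = PureWindowsPath(ev["Image"]).name.lower()
    return parent == "wmiprvse.exe" and child == "schtasks.exe"


def masquerading_system_binary(ev) -> bool:
    """Rule 2: a core-binary name running from outside System32/SysWOW64."""
    if ev.get("EventID") != 1:
        return False
    image = PureWindowsPath(ev["Image"])
    return (image.name.lower() in MASQUERADE_NAMES
            and str(image.parent).lower() not in LEGIT_DIRS)


def uac_policy_zeroed(ev) -> bool:
    """Rule 3: EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop set to 0."""
    if ev.get("EventID") != 13:
        return False
    key, _, value = ev["TargetObject"].rpartition("\\")
    key = key.lower()
    if key.startswith("hklm"):           # Sysmon spelling -> kernel spelling used by the report
        key = r"\registry\machine" + key[len("hklm"):]
    return key == UAC_KEY and value.lower() in UAC_VALUES and _is_zero(ev.get("Details"))


RULES = (
    ("wmi_spawned_schtasks", wmi_spawned_schtasks),
    ("masquerading_system_binary", masquerading_system_binary),
    ("uac_policy_zeroed", uac_policy_zeroed),
)


def triage(events):
    """Return [(event index, rule name)] for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed from the report's own indicators, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"EventID": 1, "Image": r"C:\Windows\AppPatch\winlogon.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\winlogon.exe",        # the real one
     "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"EventID": 13, "Image": r"C:\Windows\AppPatch\winlogon.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",        # default value 5
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for idx, rule_name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Rule 3 only produces events if the Sysmon configuration includes a registry rule for the Policies\System key; the widely used community configs do. The three values matter because together they switch UAC off: ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt, PromptOnSecureDesktop=0 drops the secure desktop, and EnableLUA=0 disables UAC entirely once the machine reboots, after which every process an administrator starts gets a full token.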

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(48 schtasks.exe invocations; task names and command lines are not recorded in this table)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
(64 process-enumeration events, all from the dropper)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below appears three times in the raw log; collapsed to one row per child process here)
PID 2580 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\AppPatch\winlogon.exe
PID 1724 wrote to memory of 2296 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1724 wrote to memory of 1548 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 2296 wrote to memory of 892 N/A C:\Windows\System32\WScript.exe C:\Windows\AppPatch\winlogon.exe
PID 892 wrote to memory of 1568 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 2468 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Windows\AppPatch\winlogon.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Windows\AppPatch\winlogon.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Windows\AppPatch\winlogon.exe
PID 1272 wrote to memory of 2760 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2760 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2760 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2212 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2212 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2212 N/A C:\Windows\AppPatch\winlogon.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppPatch\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\AppPatch\winlogon.exe

"C:\Windows\AppPatch\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4eab582-ea61-495b-819c-ffb42036e025.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057faeef-c58c-4ef0-830b-db04c3f0620d.vbs"

C:\Windows\AppPatch\winlogon.exe

C:\Windows\AppPatch\winlogon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e687f3cc-5078-4993-be01-c2902206c72a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4751d6a6-9cd5-4138-85a1-3383245d8c60.vbs"

C:\Windows\AppPatch\winlogon.exe

C:\Windows\AppPatch\winlogon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480746f3-ab36-402e-ad2f-ef83ab52e3a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6f1a0c-a453-4eaf-89a3-c6ab276a4eb5.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp

Files

memory/2580-0-0x00000000011E0000-0x000000000134C000-memory.dmp

memory/2580-1-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

memory/2580-2-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-3-0x0000000000260000-0x000000000026E000-memory.dmp

memory/2580-4-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2580-5-0x0000000000270000-0x000000000028C000-memory.dmp

memory/2580-6-0x00000000002A0000-0x00000000002A8000-memory.dmp

memory/2580-7-0x00000000002B0000-0x00000000002C0000-memory.dmp

memory/2580-8-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/2580-9-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/2580-10-0x00000000002F0000-0x00000000002FA000-memory.dmp

memory/2580-11-0x0000000000B70000-0x0000000000B7C000-memory.dmp

memory/2580-12-0x0000000000B80000-0x0000000000B8C000-memory.dmp

memory/2580-13-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/2580-14-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

memory/2580-15-0x0000000000D50000-0x0000000000D58000-memory.dmp

memory/2580-16-0x0000000000D40000-0x0000000000D4A000-memory.dmp

memory/2580-17-0x0000000000D60000-0x0000000000D6E000-memory.dmp

memory/2580-19-0x0000000000E00000-0x0000000000E0E000-memory.dmp

memory/2580-18-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

memory/2580-20-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-21-0x0000000000E10000-0x0000000000E1C000-memory.dmp

memory/2580-22-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/2580-23-0x0000000000E30000-0x0000000000E3A000-memory.dmp

memory/2580-24-0x0000000000E40000-0x0000000000E4C000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe

MD5 837e95e2cf296e26712186c895f4c200
SHA1 8c5995383c0c59169577cddd1e201c117532a688
SHA256 29d808de2c6de8f03c2ecaf96987180da0ea3fe0b585d86412f9d47636d78786
SHA512 70d966086573916e2cbaeb66682b14803ffcbb4b4533bcc9006ac811b666362f018940de51f2e25372132c08563e62f355bb28868f86593b992e8639129bee2f

memory/2580-34-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-44-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-60-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-67-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Program Files\Windows NT\Accessories\ja-JP\System.exe

MD5 256a12e0e46a0ce5466408e4cfa84496
SHA1 c64dd354bb19f5976aa7746cd5d9ac21451179e6
SHA256 a3c9754ca961b3df62e63cea38ff885327bfc2e3f803733b5269fee067583157
SHA512 4b0eab0fd48c2070408ea4ac9ac31a8f40a303e22ca7ee7c455c30c09d3ff2e733bf7dd47af204291e35c78cbeaa377b9e6a60c84b398bb4ff11390a649c6bba

memory/2580-78-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-79-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-86-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\ProgramData\Microsoft Help\winlogon.exe

MD5 dfe73fc48629bc87b3b4af881183172d
SHA1 e13e3922d4e233453bd14334c87702bada05f21d
SHA256 c57c21fcf140b3d8cb6ddc28e2920edbf61c90f8c6eff3e7604754dd94f5431f
SHA512 b532b666ceb40234e76691fa4140b41ef4b07b612cae3fc905080034a061da5389839523260cb2e13cdce01932ec725c35152a78ce3a19f5ad8d824f6930eb45

memory/2580-92-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Windows\PLA\System\Idle.exe

MD5 cbc5784a6592d16781d7ce3382fc87e2
SHA1 00b41783ff10024de1bc59013e75875b97abff6c
SHA256 bf1aa3e90ca1f1712d8df6d7a648a067bb47dd1f3ed6b3f1a4cf11b104c2341c
SHA512 b4eb833321649489540a2c949a429c2b79468a435344a940d09902d293af03d986edae081e6c12c110ad8927332ff6240e0edb1ba00a5ed2521622d3be3b8e3f

memory/2580-115-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

memory/2580-116-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-129-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-130-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-138-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe

MD5 d17a8b9a4531302c1a3fca0f65f4954f
SHA1 77da4a04a80058891335ed32500bcc060832ce0c
SHA256 20d396c92086507718557693c3455389c853cdf1dd740d66785f9760df5af97f
SHA512 4c22cf0e018181265fe34b8042f99c3860a59ec508b92e145b4ef0a0b9a95e4015afd773b8355c8c75e14b98b06bdc3a55967380bad82e78c9493193c9887805

memory/2580-143-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-190-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Windows\AppPatch\winlogon.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

memory/2580-237-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Users\Default\RCXE3E8.tmp

MD5 fff3fcff9312852b284de98e1aab8242
SHA1 74257cd895d8dd0a31194040e36711e5f4e71d8c
SHA256 7b4f9c51671cd94987a17e9880fe9607cd1c138ca38ec95278cd3e3cd5a46005
SHA512 269d765819abebbdb05758e091444994d9b5168037dabd4d529998305822e69cafdf0cb1ae4d5b557e79899bf1f9299b1d8c6989314af9bc5d45dc7971f300a3

memory/2580-252-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-253-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe

MD5 5edaae71145f757dbff8d3f46de2fd48
SHA1 497ca8f9b09e82ee7c37af0a6ca09afeef882f01
SHA256 221a6b2997c69ce7b01d1b70f50b8c157dee1ff829a8dc58c0bb0a76d476c0af
SHA512 e386a2c0d6f297b64c8df593107969cebfdc00d2d68834a5b61830fcaec0fb7be8800a2909aa80dc96cf6f83a8abe73848220953a85fc8f3ea70f11daf27ceee

memory/2580-263-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-264-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-265-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-266-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-267-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-268-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-269-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-270-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-271-0x000000001B030000-0x000000001B0B0000-memory.dmp

memory/2580-272-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5LXRM4BHHBKSFRH6FVH.temp

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

memory/2924-322-0x000000001B260000-0x000000001B542000-memory.dmp

memory/2924-324-0x0000000002420000-0x0000000002428000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ae53334baabcb9afbdcc4f8005aab774
SHA1 fe2b04629a300ba8cabc751e84a495150d1b8088
SHA256 77148f51e88c716353ff890b3636f2f39ae24046c56a20852f1a5e589b70a518
SHA512 5957ec748c3944d8f53b34570f07fc40724f0d3e2701c96815338baa04ff97920f892c190112e92db5ced9c839eaf043319d49b4d9aab089ecaba5721bfd477d

C:\Windows\AppPatch\winlogon.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

memory/2580-339-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

memory/2580-340-0x000000001B030000-0x000000001B0B0000-memory.dmp

C:\Windows\AppPatch\winlogon.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

memory/1724-342-0x00000000000F0000-0x000000000025C000-memory.dmp

memory/1916-344-0x00000000029AB000-0x0000000002A12000-memory.dmp

memory/2924-343-0x00000000029EB000-0x0000000002A52000-memory.dmp

memory/2056-345-0x000000000274B000-0x00000000027B2000-memory.dmp

memory/3048-346-0x00000000023FB000-0x0000000002462000-memory.dmp

memory/2900-347-0x00000000028CB000-0x0000000002932000-memory.dmp

memory/844-348-0x000000000236B000-0x00000000023D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4eab582-ea61-495b-819c-ffb42036e025.vbs

MD5 85c59c19532fee2ffa134482b5da6ea3
SHA1 acf015f064ff039d588757b4aa19028704b9046b
SHA256 7739f7553fa20a10a1982ba95017c504f4758378188a9bd5de36e7c84c0a8253
SHA512 d04989befb09a11936a4bb2388922a26e3c26c2d1fa62dc994252c4fb9efd86add7a1d8573327d8d614053427d5d1dada627a2de12dd9c5c53c83dfd942a5823

C:\Users\Admin\AppData\Local\Temp\057faeef-c58c-4ef0-830b-db04c3f0620d.vbs

MD5 9d7b5c4ccd553785a2459391f602de89
SHA1 8948f5c1ed84213ab2b5d2ee854ec4616459b148
SHA256 973b930d19ab14385cdeadae4c3be8c0a79cad045297a1c19e649fbc7c99cf6e
SHA512 b800af1accc41e3afe184271c38a56413a295975a38850e2b63c23357b154de79439e4eb56b192d58dec0babe735d0da155933d2e1869c0e7477383622f6a2f8

C:\Windows\AppPatch\winlogon.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

C:\Users\Admin\AppData\Local\Temp\4751d6a6-9cd5-4138-85a1-3383245d8c60.vbs

MD5 9d7b5c4ccd553785a2459391f602de89
SHA1 8948f5c1ed84213ab2b5d2ee854ec4616459b148
SHA256 973b930d19ab14385cdeadae4c3be8c0a79cad045297a1c19e649fbc7c99cf6e
SHA512 b800af1accc41e3afe184271c38a56413a295975a38850e2b63c23357b154de79439e4eb56b192d58dec0babe735d0da155933d2e1869c0e7477383622f6a2f8

C:\Users\Admin\AppData\Local\Temp\4751d6a6-9cd5-4138-85a1-3383245d8c60.vbs

MD5 9d7b5c4ccd553785a2459391f602de89
SHA1 8948f5c1ed84213ab2b5d2ee854ec4616459b148
SHA256 973b930d19ab14385cdeadae4c3be8c0a79cad045297a1c19e649fbc7c99cf6e
SHA512 b800af1accc41e3afe184271c38a56413a295975a38850e2b63c23357b154de79439e4eb56b192d58dec0babe735d0da155933d2e1869c0e7477383622f6a2f8

C:\Users\Admin\AppData\Local\Temp\e687f3cc-5078-4993-be01-c2902206c72a.vbs

MD5 4dbada9a2185a67e31774ab1440f249d
SHA1 df9cc813e28fcf76f6f65a19c87ad034b227acf3
SHA256 5f07a124e20b8fe22c016e9efc84a3b74ebdc33463f195593de952c85a3f9e9c
SHA512 8e7661eaef0bdd824ae361c5ad12287cf81b137477ef99d31824e9564e1401438ce7fd064108eaf970364d85ece065f034f65c271527f7f0b8cb59ee44b27f1e

C:\Windows\AppPatch\winlogon.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe

MD5 e0b5d786ffd5d7c9c7cfec82f746b16f
SHA1 cc3c3a490e006968f05fe47057a9108a65da6d8e
SHA256 a5f1aa9e1475c9150924abb886f06462cb6573fb38b5af825a0bd8099db75156
SHA512 3e0b15151d9d76ded481f11a786275e2485b6f1ff84a602d13f1c779c1a98094dad55a090a33a490ecb0c508cc7411391df1477ce609cfd76fc8fcd376976b5b

C:\Users\Admin\AppData\Local\Temp\480746f3-ab36-402e-ad2f-ef83ab52e3a9.vbs

MD5 f55af5637208c214073b9ea8c6cea4e9
SHA1 708b3607dec0b7fcdc5abf782055d2faab075220
SHA256 440029bc331acaabf3d3c856986e3e82ee654e86b4c12cab3e9e97dd65e4e248
SHA512 f62e954df8065e038f57e41b0252035f8258e73f847465677822e91388dacf92777026ec5e11deff281ee51f74aef7a65760b0efa82c9313d4337603fdf857bd

C:\Users\Admin\AppData\Local\Temp\ea6f1a0c-a453-4eaf-89a3-c6ab276a4eb5.vbs

MD5 9d7b5c4ccd553785a2459391f602de89
SHA1 8948f5c1ed84213ab2b5d2ee854ec4616459b148
SHA256 973b930d19ab14385cdeadae4c3be8c0a79cad045297a1c19e649fbc7c99cf6e
SHA512 b800af1accc41e3afe184271c38a56413a295975a38850e2b63c23357b154de79439e4eb56b192d58dec0babe735d0da155933d2e1869c0e7477383622f6a2f8

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 07:15

Reported

2023-11-18 07:18

Platform

win10v2004-20231023-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(this row occurs 57 times in the report, one per schtasks.exe launch; the command lines are listed under Processes)
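Why the parent is wmiprvse.exe: a process started through WMI's Win32_Process.Create is created by the WMI provider host, so it carries WmiPrvSE.exe as its parent even though the caller was the sample. The following is an added example, not part of this report or of any sandbox's code: an allowlist check over constructed process-creation events (field names follow Sysmon Event ID 1; the PIDs 2312, 5100, 6000 and 4020 and the explorer/notepad control event are invented) that flags the pairing above and the WScript.exe launch of C:\Users\Default User\services.exe recorded later under "Suspicious use of WriteProcessMemory". The allowlist and the user-writable prefixes are assumptions to be tuned per estate.

```python
"""Parent/child process check, modelled on the report's rows.

Added example: not part of the sandbox report. Events are constructed
with Sysmon Event ID 1 field names; PIDs and the explorer/notepad control
event are invented for the demonstration.
"""
import ntpath
from dataclasses import dataclass

# Rule A: parents whose legitimate children can be fully enumerated, keyed
# on the parent's full lower-case path so that a look-alike binary elsewhere
# on disk does not inherit the real one's expectations. WmiPrvSE.exe starts
# nothing on its own: a child of it was created through WMI
# (Win32_Process.Create), which is how the 57 schtasks.exe launches above
# appear. The set is an assumption to be tuned per estate.
EXPECTED_CHILDREN = {
    "c:\\windows\\system32\\wbem\\wmiprvse.exe": frozenset(),
}

# Rule B: a script host starting an executable from a user-writable tree,
# which is the WScript.exe -> C:\Users\Default User\services.exe step later
# in this report. Prefixes are an assumption; extend for your environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str = ""


def classify(event):
    """Return a reason string if the event is anomalous, otherwise None."""
    parent = event.parent_image.lower()
    child = event.image.lower()
    allowed = EXPECTED_CHILDREN.get(parent)
    if allowed is not None and ntpath.basename(child) not in allowed:
        return "unexpected child of " + ntpath.basename(parent)
    if ntpath.basename(parent) in SCRIPT_HOSTS and child.startswith(USER_WRITABLE_PREFIXES):
        return "script host launched an executable from a user-writable path"
    return None


def unexpected_children(events):
    """(reason, parent_image, image, command_line) for every anomalous event."""
    hits = []
    for e in events:
        reason = classify(e)
        if reason:
            hits.append((reason, e.parent_image, e.image, e.command_line))
    return hits


# Constructed sample; the first two mirror rows in this report.
SAMPLE_EVENTS = [
    ProcEvent(5100, r"C:\Windows\system32\schtasks.exe",
              2312, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r'''schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f'''),
    ProcEvent(3196, r"C:\Users\Default User\services.exe",
              5644, r"C:\Windows\System32\WScript.exe",
              r'"C:\Users\Default User\services.exe"'),
    ProcEvent(5828, r"C:\Windows\system32\w32tm.exe",
              3780, r"C:\Windows\System32\cmd.exe"),      # cmd.exe is not judged by either rule
    ProcEvent(6000, r"C:\Windows\System32\notepad.exe",
              4020, r"C:\Windows\explorer.exe"),          # benign control
]

if __name__ == "__main__":
    for hit in unexpected_children(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

Keying rule A on the full parent path matters: keyed on the basename alone, the dropped C:\Users\Default User\services.exe would inherit whatever children the real services.exe is allowed to start.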

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(6 matches, none with indicator, process or target detail)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Default User\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Default User\services.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Default User\services.exe N/A
N/A N/A C:\Users\Default User\services.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\pt-BR\RCXE44F.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\System32\pt-BR\RCXE4AE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\System32\pt-BR\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\System32\pt-BR\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\System32\pt-BR\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCXFED5.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXCF3.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCXD410.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\RCXADE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\RCXAAE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Mail\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXF116.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCX58C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXEE46.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCXCE23.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXCF2.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\fr-FR\RCX178A.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\fr-FR\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\fr-FR\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File created C:\Windows\fr-FR\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
File opened for modification C:\Windows\fr-FR\RCX176A.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
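The three file tables above follow one pattern: a copy of the payload named after a Windows component (sppsvc.exe, RuntimeBroker.exe, taskhostw.exe, StartMenuExperienceHost.exe, SppExtComObj.exe, System.exe) is written outside that component's real directory, usually into a language-resource folder (pt-BR, ja-JP, en-US, fr-FR, ja) that normally holds only .mui resources, and a 14-character hexadecimal file (27d1bcfc3c54e0, 0a1fd5f707cd16, ...) is dropped beside it. Added example, not from the report: a checker over the paths in these tables, the C:\odt\ targets of the scheduled tasks listed under Processes, and one constructed control entry (the genuine C:\Windows\System32\services.exe). LEGIT_DIRS is a starter table written for this example (an assumption); build the real one from a known-good image of your own Windows build.

```python
"""Masquerade check for dropped executables and scheduled-task targets.

Added example: not part of the sandbox report. LEGIT_DIRS is a starter
table written for this example (an assumption); derive the real one from
a known-good image of your own Windows build.
"""
import ntpath
import re

# Lower-case directories in which each impersonated binary legitimately
# lives. A trailing backslash means "this directory or anything below it".
LEGIT_DIRS = {
    "services.exe": ("c:\\windows\\system32",),
    "winlogon.exe": ("c:\\windows\\system32",),
    "lsass.exe": ("c:\\windows\\system32",),
    "taskhostw.exe": ("c:\\windows\\system32",),
    "runtimebroker.exe": ("c:\\windows\\system32",),
    "sppsvc.exe": ("c:\\windows\\system32",),
    "sppextcomobj.exe": ("c:\\windows\\system32",),
    "unsecapp.exe": ("c:\\windows\\system32\\wbem",),
    "startmenuexperiencehost.exe": ("c:\\windows\\systemapps\\",),
}
LOCALE_DIR = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")   # pt-br, en-us, ja-jp, fr-fr, ja
MARKER_NAME = re.compile(r"^[0-9a-f]{14}$")          # 27d1bcfc3c54e0 and friends


def _in_legit_dir(directory, legit):
    for d in legit:
        if d.endswith("\\"):
            if directory.startswith(d):
                return True
        elif directory == d:
            return True
    return False


def assess_drops(paths):
    """Map each .exe (lower-cased path) to the reasons it looks like a masquerade."""
    lowered = [p.lower() for p in paths]
    siblings = {}
    for p in lowered:
        siblings.setdefault(ntpath.dirname(p), []).append(ntpath.basename(p))
    findings = {}
    for p in lowered:
        directory, name = ntpath.dirname(p), ntpath.basename(p)
        if not name.endswith(".exe"):
            continue
        reasons = []
        legit = LEGIT_DIRS.get(name)
        if legit and not _in_legit_dir(directory, legit):
            reasons.append("system binary name outside its legitimate directory")
        if LOCALE_DIR.match(ntpath.basename(directory)):
            reasons.append("executable in a MUI locale folder")
        if any(MARKER_NAME.match(s) for s in siblings[directory] if s != name):
            reasons.append("14-hex-char companion file beside it")
        if reasons:
            findings[p] = reasons
    return findings


# Paths from this report's file tables and scheduled-task command lines,
# plus one constructed control: the genuine services.exe.
SAMPLE_PATHS = [
    r"C:\Windows\System32\pt-BR\System.exe",
    r"C:\Windows\System32\pt-BR\27d1bcfc3c54e0",
    r"C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe",
    r"C:\Program Files\Windows Security\BrowserCore\en-US\0a1fd5f707cd16",
    r"C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe",
    r"C:\Program Files (x86)\Windows Mail\55b276f4edf653",
    r"C:\Windows\fr-FR\taskhostw.exe",
    r"C:\Windows\fr-FR\ea9f0e6c9e2dcd",
    r"C:\Users\Default User\services.exe",
    r"C:\odt\unsecapp.exe",
    r"C:\odt\lsass.exe",
    r"C:\Windows\System32\services.exe",   # control, should not be flagged
]

if __name__ == "__main__":
    for path, reasons in assess_drops(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

The directory match is exact unless the table entry ends in a backslash, so sppsvc.exe dropped into C:\Windows\System32\pt-BR is still reported even though its path starts with the legitimate System32 prefix.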

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(57 rows, one per schtasks.exe invocation; the corresponding command lines are listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Key created \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings C:\Users\Default User\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings C:\Users\Default User\services.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
(64 rows, all from the original sample process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pairing is logged twice in the report, two write events per child; the duplicates are folded below)
PID 2588 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe C:\Windows\System32\cmd.exe
PID 3780 wrote to memory of 5828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3780 wrote to memory of 5348 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\services.exe
PID 5348 wrote to memory of 5644 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5348 wrote to memory of 5732 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5644 wrote to memory of 3196 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 3196 wrote to memory of 5288 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 3196 wrote to memory of 880 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
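These rows are the only process lineage the report gives, and they need care: every pairing appears twice, and PID 3196 is used first by a powershell.exe child of the sample and later by the dropped services.exe, so a tree keyed on PID alone would merge two unrelated processes. Added example, not part of the report: a parser for this row format that de-duplicates the pairs, keys nodes on (PID, image) and renders the launch chain NEAS...exe -> cmd.exe -> services.exe -> WScript.exe -> services.exe. The embedded rows are copied from the table above, with a few duplicates kept to show the folding.

```python
"""Process tree from 'PID X wrote to memory of Y' rows.

Added example: not part of the sandbox report. Rows below are copied from
the table above (a few duplicates kept to show the folding).
"""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*\S) ([A-Za-z]:\\.*)$")

NEAS = r"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
SVC = r"C:\Users\Default User\services.exe"
WS = r"C:\Windows\System32\WScript.exe"

SAMPLE_ROWS = [
    f"PID 2588 wrote to memory of 4192 N/A {NEAS} {PS}",
    f"PID 2588 wrote to memory of 4192 N/A {NEAS} {PS}",
    f"PID 2588 wrote to memory of 3196 N/A {NEAS} {PS}",
    f"PID 2588 wrote to memory of 3780 N/A {NEAS} {CMD}",
    f"PID 2588 wrote to memory of 3780 N/A {NEAS} {CMD}",
    f"PID 3780 wrote to memory of 5828 N/A {CMD} {W32TM}",
    f"PID 3780 wrote to memory of 5348 N/A {CMD} {SVC}",
    f"PID 5348 wrote to memory of 5644 N/A {SVC} {WS}",
    f"PID 5348 wrote to memory of 5732 N/A {SVC} {WS}",
    f"PID 5644 wrote to memory of 3196 N/A {WS} {SVC}",
    f"PID 5644 wrote to memory of 3196 N/A {WS} {SVC}",
    f"PID 3196 wrote to memory of 5288 N/A {SVC} {WS}",
    f"PID 3196 wrote to memory of 880 N/A {SVC} {WS}",
]


def parse_rows(rows):
    """De-duplicated ((ppid, parent_image), (pid, child_image)) edges, in order."""
    edges, seen = [], set()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        # The greedy first group stops at the last ' X:\' in the remainder,
        # so 'C:\Users\Default User\services.exe' keeps its embedded space.
        edge = ((int(m.group(1)), m.group(3)), (int(m.group(2)), m.group(4)))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def pid_reuse(rows):
    """PIDs seen with more than one image (3196 here): the reason nodes are
    keyed on (pid, image) rather than on pid alone."""
    images = defaultdict(list)
    for parent, child in parse_rows(rows):
        for pid, image in (parent, child):
            if image not in images[pid]:
                images[pid].append(image)
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


def render(rows):
    """Indented launch tree, one 'pid image' line per process."""
    edges = parse_rows(rows)
    children, is_child = defaultdict(list), set()
    for parent, child in edges:
        children[parent].append(child)
        is_child.add(child)
    roots = []
    for parent, _ in edges:
        if parent not in is_child and parent not in roots:
            roots.append(parent)
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + f"{node[0]} {node[1]}")
        for c in children.get(node, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
    print("PID reuse:", pid_reuse(SAMPLE_ROWS))
```

On the full table the same code yields one root (PID 2588, the sample) with twelve powershell.exe children and the cmd.exe branch that carries the persistence chain.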

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.837e95e2cf296e26712186c895f4c200.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\pt-BR\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\pt-BR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c6GvLXFq3X.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca8331e-03b2-421c-98af-87fef2c10169.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e554e97-58e9-47cd-a639-c9bacdb5166a.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee91de6-6e79-4802-86c4-3e84b3cb0b0e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4a8fa7e-3c1f-4c1e-a06a-fec99a88df2f.vbs"

Network


Files
