Analysis

Max time kernel: 153s
Max time network: 174s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 18/11/2023, 06:47
Behavioral task: behavioral1
Sample: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Resource: win10v2004-20231020-en
General

Target: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Size: 1.4MB
MD5: 98a305d83b5bcde92d88eb5f246240c0
SHA1: 739903e2cb0bb1584fead08bcb41ada2db5bd85f
SHA256: d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300
SHA512: cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process (33 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
resource | yara_rule
behavioral1/memory/2264-0-0x0000000000D20000-0x0000000000E8C000-memory.dmp | dcrat
behavioral1/files/0x0008000000016ca2-34.dat | dcrat
behavioral1/files/0x0006000000016d1d-300.dat | dcrat
behavioral1/files/0x0006000000016d1d-301.dat | dcrat
behavioral1/files/0x0006000000016d1d-363.dat | dcrat
behavioral1/files/0x004400000000b1f4-372.dat | dcrat
behavioral1/files/0x0006000000016d1d-402.dat | dcrat
behavioral1/files/0x004400000000b1f4-410.dat | dcrat
Executes dropped EXE (3 IoCs)

pid | Process
2904 | spoolsv.exe
2868 | spoolsv.exe
848 | spoolsv.exe
Checks whether UAC is enabled

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Drops file in System32 directory (1 IoCs)

description | ioc | Process
File created | C:\Windows\System32\dwm.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Drops file in Program Files directory (20 IoCs)

description | ioc | Process
File created | C:\Program Files (x86)\Uninstall Information\audiodg.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Adobe\RCXE5E4.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Adobe\RCXE5F5.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCXE819.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files (x86)\Adobe\27d1bcfc3c54e0 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\c5b4cb5e9653cc | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files\Internet Explorer\en-US\dwm.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\Internet Explorer\en-US\RCXF57D.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF368.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\Internet Explorer\en-US\RCXF57C.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\Internet Explorer\en-US\dwm.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files (x86)\Adobe\System.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files\Internet Explorer\en-US\6cb0b6c459d5d3 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Adobe\System.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCXE808.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\audiodg.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF369.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Drops file in Windows directory (15 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Vss\Writers\System\RCXF155.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\AppPatch\fr-FR\lsass.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\debug\WIA\RCXE3B1.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\debug\WIA\RCXE3B2.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\debug\WIA\dllhost.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\AppPatch\fr-FR\RCXECEC.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\AppPatch\fr-FR\RCXECED.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\AppPatch\fr-FR\lsass.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\Vss\Writers\System\RCXF144.tmp | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\Vss\Writers\System\lsass.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\debug\WIA\5940a34987c991 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\AppPatch\fr-FR\6203df4a6bafc7 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\Vss\Writers\System\6203df4a6bafc7 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Windows\Vss\Writers\System\lsass.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\debug\WIA\dllhost.exe | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 33 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 12 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | spoolsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | spoolsv.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2264

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 652

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 868

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1720

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2468

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 528

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2016

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2300

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2644

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2160

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1816

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1980

    C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 848

    C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
      Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2904

      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7860a71e-2d6b-4df2-a91c-ba19937097f8.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 2136

        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
          Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2868

          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e326810-9039-4469-93ea-3498edb60573.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 2872

            C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
              Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 848

              C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aed9f3b-04dc-4541-b8db-52524691d17d.vbs"
                PID: 1176

              C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63a2e3ee-5d39-402c-abe1-de13680f406d.vbs"
                PID: 2364

          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b56169be-2461-410c-b1a0-680a1499b4d5.vbs"
            PID: 1084

      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aafa2234-5139-432f-9f58-76ad4a340968.vbs"
        PID: 2344
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2756

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1292

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2680

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2596

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2688

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3068

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1236

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1964

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 324

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1012

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1640

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1888

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2636

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2860

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2884

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2208

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1896

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1140

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1364

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\fr-FR\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 848

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2892

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1988

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
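The 26 schtasks.exe invocations above share one shape. For each dropped binary the sample registers a group of tasks: a MINUTE-interval task with no run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. Every action points at an executable named after a Windows system process (dllhost, lsass, services, dwm, spoolsv, taskhost, audiodg, System) placed in a directory where that binary does not belong, and every invocation is flagged as an unexpected child process of wmiprvse.exe. The Python below is an added example for this page, not part of the sandbox report or of the sample, showing how those traits become a score over process-creation records. The event layout (pid, parent_image, cmdline), the masquerade name list, the unexpected-parent list and the 15-minute watchdog threshold are assumptions; the sample events are constructed from three command lines in this report plus one benign task for contrast.

```python
"""Score schtasks.exe /create events for the persistence pattern in this report.
Added example, not sandbox output. Event shape (pid, parent_image, cmdline) is
assumed to come from Sysmon Event ID 1 or Security 4688 style records."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Legitimate Windows binary names the dropped copies impersonate. A task whose
# action runs one of these from outside the system directories is masquerading.
# Illustrative list (assumption); extend for your estate.
SYSTEM_PROCESS_NAMES = {
    "dllhost", "lsass", "services", "dwm", "spoolsv", "taskhost", "audiodg",
    "system", "csrss", "winlogon", "svchost", "wininit", "smss",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that should not be creating scheduled tasks on a normal host
# (assumption; wmiprvse.exe is the parent this report flags).
UNEXPECTED_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "mshta.exe"}
WATCHDOG_MINUTES = 15  # /sc MINUTE with /mo at or below this is a re-launch loop

# Captures /tn, /sc, /mo, /tr and /rl values, quoted or bare.
_FLAG = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_schtasks(cmdline: str) -> dict:
    """Return {flag: value} for a schtasks /create command line, stripping the
    double quotes and the inner single quotes seen in the report."""
    return {flag.lower(): value.strip('"').strip("'") for flag, value in _FLAG.findall(cmdline)}


def analyse(event: dict):
    """Score one process-creation event; returns a Finding or None."""
    cmd = event["cmdline"].lower()
    if "schtasks" not in cmd or "/create" not in cmd:
        return None
    args = parse_schtasks(event["cmdline"])
    action = args.get("tr", "")
    exe = PureWindowsPath(action)
    reasons = []

    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"created by unexpected parent {parent}")
    if exe.stem.lower() in SYSTEM_PROCESS_NAMES and not str(exe).lower().startswith(TRUSTED_DIRS):
        reasons.append(f"{exe.name} masquerades as a Windows binary outside System32")
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level (/rl HIGHEST)")
    sched = args.get("sc", "").upper()
    modifier = args.get("mo", "1")
    if sched == "MINUTE" and modifier.isdigit() and int(modifier) <= WATCHDOG_MINUTES:
        reasons.append(f"re-launches every {modifier} min (watchdog)")
    if sched == "ONLOGON":
        reasons.append("logon-triggered persistence")
    return Finding(event["pid"], args.get("tn", ""), action, reasons) if reasons else None


def run_report(events, min_score: int = 2):
    """Findings with at least min_score reasons, strongest first."""
    findings = [f for f in map(analyse, events) if f and f.score >= min_score]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample: three command lines from the report above (parent set to
# the wmiprvse.exe path the report names) plus one benign admin task.
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    {"pid": 1964, "parent_image": WMIPRVSE,
     "cmdline": r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f'''},
    {"pid": 324, "parent_image": WMIPRVSE,
     "cmdline": r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f'''},
    {"pid": 2884, "parent_image": WMIPRVSE,
     "cmdline": r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f'''},
    {"pid": 4100, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''},
]

if __name__ == "__main__":
    for f in run_report(SAMPLE_EVENTS):
        print(f"PID {f.pid} task {f.task_name!r} -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

The masquerade check is the one that survives renaming: the task names and intervals vary between samples, but a binary called lsass.exe or dwm.exe launched from AppPatch, MSOCache, Recovery or an Internet Explorer language folder is wrong on any host. The min_score threshold keeps an ordinary ONLOGON task from firing on its own.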
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize 1.4MB (7 identical entries; same hashes as the submitted sample)
MD5 98a305d83b5bcde92d88eb5f246240c0
SHA1 739903e2cb0bb1584fead08bcb41ada2db5bd85f
SHA256 d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300
SHA512 cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e
-
Filesize 749B
MD5 83c3602434fd0273fe7d49f0559ed97b
SHA1 0f359f0a9d989b315d2a239bef17d3e8ed81eb73
SHA256 81de3de914075cd958d89df9dbfc569e84b5439037a584c22561134258ae0e39
SHA512 aa8c7e68fd797b11835973826d0887f7e3aa079f64d7cc725f06e3479c765d9d9dea537f13c9ed09a3e40fb22037413da8b62880b6cfb65e51b2e9c748fe5133
-
Filesize 526B (4 identical entries)
MD5 a310f0e7988cd8c7a4ecad3bd0a30f3c
SHA1 bc3a978c474b21c19851481946dcae4ff59c97ea
SHA256 84dd5a2fa8fe69118db428d2dd9ace2a2e537a6c2dec9aaadaac819a4cb74a63
SHA512 a6e313b2a96c7beb5857834c670b88cc56a134438e519a4110df10836dea9bf1341704a7b2cb9fdd88b4de1b262ceaab4f4582dced8d104055ffea9c6748aec4
-
Filesize 750B
MD5 e2e573702ab62fbee69fd1a933ec31be
SHA1 4ea4ab50358a4317817947f2999378a4137d4bc0
SHA256 ad227783a4cd8dbef6d7dcbef6e83ab65d176cf6865f2e7a08a0c553a2376cb1
SHA512 ac11daf43de7f5e378ac306f216785bd502d72c77ce029dc10de2e4d3a2d3d34069895e49bfad3b17d0cef4cbc1967626e31b9fe5921f5b054f3d5791ed4f402
-
Filesize 750B
MD5 a464a6c512448e148490f6cd92df58f6
SHA1 aa3b8a406b14623c76dfeca3cae824a6bf79bc4e
SHA256 8b564f3fe57c3040664e026261aa782cc776ae57dfa84b98c1edfa5c83cc63d1
SHA512 46049ab71aa6f808eebcb0b42874a34af590fef45fecab342b58446cbdd666180ed3f68c8c4d8ebfbb66d2e2828342737e32ae8f221485ab6351750795b95a6b
-
Filesize 239B
MD5 1dc3e13bc9b4b4d2c0c91c633d0cf964
SHA1 b985c1370d958339bb040987b8fa9fda97a2edc9
SHA256 53627f5a90e90a913621b9964dfb10d8a294235a9d4ad71d382b0e57e788289a
SHA512 a46f3be5bcd840a6adf026c09d9dc9e86610ef71e1b7deaf90b051698260a802b11233b789ca31d17036a1c1e16d569e8cc5ea74019e04ce6c916bdb7763d65a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (10 identical entries)
Filesize 7KB
MD5 c2b142655c2607eed6587ad985674f8e
SHA1 b69d903163fb9eaec73228d734422d225c935ddd
SHA256 62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a
SHA512 aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J92BH18EH3PAUOYHWNGD.temp
Filesize 7KB
MD5 c2b142655c2607eed6587ad985674f8e
SHA1 b69d903163fb9eaec73228d734422d225c935ddd
SHA256 62c691bdc6975842e23fdeff570a471440ede47f4316d23ec63fbaf2fc48a02a
SHA512 aa24abb8090d3eebc4634805fae899a612ed132f29e94002f4004c46c18a934c2bc7637bd92e9aba5a4ee1a501aeb1b29a1e07b9e4fbcf2ae8aa5237bd3769c1