Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 06:47
Behavioral task behavioral1
Sample: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Resource: win7-20231020-en

Behavioral task behavioral2
Sample: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Resource: win10v2004-20231020-en

The signatures, rule matches and process tree below come from behavioral2 (the win10v2004 run): the platform line above is windows10-2004_x64 and every memory and file rule match is prefixed behavioral2/.
General
Target: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Size: 1.4MB
MD5: 98a305d83b5bcde92d88eb5f246240c0
SHA1: 739903e2cb0bb1584fead08bcb41ada2db5bd85f
SHA256: d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300
SHA512: cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe (the WMI provider host), which is the parent that process-creation telemetry records when a process is started through WMI (Win32_Process.Create) instead of directly by the caller. The lineage therefore does not lead back to the sample: the schtasks.exe instances appear at depth 1 in the process tree below rather than under PID 3892, and the initiator has to be recovered from the sample's own WMI activity.

All 33 rows share the same parent and description:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2940 (procid_target 88)
Process: schtasks.exe
pid (child schtasks.exe): 1132, 4680, 2436, 1648, 3384, 216, 2088, 4352, 3576, 560, 3272, 1480, 1196, 2896, 404, 1112, 3684, 3260, 452, 2560, 1136, 2300, 4952, 3000, 4768, 2864, 1976, 1840, 2996, 4148, 1868, 3284, 3508
DcRat rule matches (resource | yara_rule)
behavioral2/memory/3892-0-0x0000000000090000-0x00000000001FC000-memory.dmp | dcrat
behavioral2/files/0x0006000000022e24-37.dat | dcrat
behavioral2/files/0x0007000000022e2f-377.dat | dcrat
behavioral2/files/0x0007000000022e2f-378.dat | dcrat
behavioral2/files/0x0007000000022e2f-394.dat | dcrat
behavioral2/files/0x0006000000022e50-400.dat | dcrat
behavioral2/files/0x0007000000022e2f-409.dat | dcrat
behavioral2/files/0x0006000000022e50-414.dat | dcrat

UAC bypass 12 IoCs
The three values are written under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 switches UAC off entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves whatever prompt remains off the secure desktop, where other processes can interact with it.

description | ioc | Process
Set value (int) | ...\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | ...\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | ...\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Executes dropped EXE 3 IoCs
pid | Process
5604 | RuntimeBroker.exe
1112 | RuntimeBroker.exe
5052 | RuntimeBroker.exe
Checks whether UAC is enabled 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Drops file in Program Files directory 25 IoCs
All 25 rows are attributed to NEAS.98a305d83b5bcde92d88eb5f246240c0.exe. Each copy of the payload is written next to a small companion file with a 14-character hex name (27d1bcfc3c54e0, 121e5b5079f7c0, fcabf9775b473e, 6ccacd8608530f, 38384e6a620884), and the copies borrow the names of Windows or Sysinternals binaries (System.exe, sysmon.exe, SearchApp.exe, Idle.exe) in directories where those binaries do not belong. The RCX*.tmp entries are the temporary files used while the copies are written.

description | ioc
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\27d1bcfc3c54e0
File opened for modification | C:\Program Files\WindowsPowerShell\RCXA09F.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\RCXA2C4.tmp
File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\RCXA809.tmp
File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe
File created | C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\sysmon.exe
File created | C:\Program Files (x86)\WindowsPowerShell\121e5b5079f7c0
File created | C:\Program Files\WindowsPowerShell\fcabf9775b473e
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\6ccacd8608530f
File opened for modification | C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCXA556.tmp
File opened for modification | C:\Program Files\7-Zip\Lang\RCXA567.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\RCXAFEE.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe
File created | C:\Program Files\7-Zip\Lang\SearchApp.exe
File created | C:\Program Files\7-Zip\Lang\38384e6a620884
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe
File opened for modification | C:\Program Files\WindowsPowerShell\RCXA0B0.tmp
File opened for modification | C:\Program Files\7-Zip\Lang\SearchApp.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\RCXAFCE.tmp
File created | C:\Program Files (x86)\WindowsPowerShell\sysmon.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\RCXA313.tmp
File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\RCXA78B.tmp
Drops file in Windows directory 6 IoCs
All 6 rows are attributed to NEAS.98a305d83b5bcde92d88eb5f246240c0.exe.

description | ioc
File created | C:\Windows\CSC\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\38384e6a620884
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX9BC9.tmp
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX9BE9.tmp
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Process: schtasks.exe (all 33 rows)
pid: 216, 404, 452, 560, 1112, 1132, 1136, 1196, 1480, 1648, 1840, 1868, 1976, 2088, 2300, 2436, 2560, 2864, 2896, 2996, 3000, 3260, 3272, 3284, 3384, 3508, 3576, 3684, 4148, 4352, 4680, 4768, 4952
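The two signatures above ("Process spawned unexpected child process" and "Creates scheduled task(s)") and the schtasks.exe command lines in the process tree describe one persistence step. The following Python is an added example, not part of this report, the sandbox, or DcRat: it takes process-creation records of the shape a Sysmon Event ID 1 or EDR feed provides, decodes the schtasks /create arguments, and flags the properties that matter here: creation through WMI (parent WmiPrvSE.exe), /rl HIGHEST, ONLOGON and MINUTE triggers, and a target that borrows a Windows binary's name outside that binary's real location. The records are constructed from PIDs and command lines in this report plus two benign controls; the set of borrowed names and the list of legitimate locations are assumptions made for the example.

```python
"""Triage of scheduled-task creation events (added example, not report or DcRat code).

Parses process-creation records, decodes ``schtasks /create`` arguments and lists
what makes each creation suspicious. The records are constructed to mirror this
report (parent PID 2940 = wmiprvse.exe) plus two benign controls.
"""
import re
from dataclasses import dataclass
from typing import Optional

WMI_HOST = "c:\\windows\\system32\\wbem\\wmiprvse.exe"

# Names the dropped copies in this report borrow (assumed list for this example),
# and where the genuine binaries live on Windows 10.
BORROWED_NAMES = {"runtimebroker.exe", "spoolsv.exe", "backgroundtaskhost.exe",
                  "searchapp.exe", "system.exe", "idle.exe", "sysmon.exe"}
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\windows\\systemapps\\microsoft.windows.search_cw5n1h2txyewy\\")


@dataclass
class TaskCreate:
    task_name: Optional[str] = None
    schedule: Optional[str] = None   # /sc, upper-cased
    modifier: Optional[int] = None   # /mo
    run_level: Optional[str] = None  # /rl, upper-cased
    target: Optional[str] = None     # /tr with the wrapping quotes removed
    force: bool = False              # /f present


def _tokens(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted runs together (outer quotes removed)."""
    out = []
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Decode a schtasks /create command line; None if it is not a task creation."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    if not toks or not low[0].split("\\")[-1].startswith("schtasks") or "/create" not in low:
        return None
    tc = TaskCreate()
    i = 0
    while i < len(toks):
        flag, val = low[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if flag == "/f":
            tc.force = True
        elif val is not None and flag in ("/tn", "/sc", "/mo", "/rl", "/tr"):
            if flag == "/tn":
                tc.task_name = val
            elif flag == "/sc":
                tc.schedule = val.upper()
            elif flag == "/mo":
                tc.modifier = int(val) if val.isdigit() else None
            elif flag == "/rl":
                tc.run_level = val.upper()
            else:
                tc.target = val.strip("'")  # the report's command lines wrap the path in '...'
            i += 1
        i += 1
    return tc


def triage(event: dict) -> list:
    """Findings for one process-creation record; an empty list means nothing to report."""
    tc = parse_schtasks(event["cmdline"])
    if tc is None:
        return []
    findings = []
    if event["parent_image"].lower() == WMI_HOST:
        findings.append("created via WMI: parent is WmiPrvSE.exe, lineage does not lead to the initiator")
    if tc.run_level == "HIGHEST":
        findings.append("/rl HIGHEST: task runs with the highest privileges the account holds")
    if tc.schedule == "ONLOGON":
        findings.append("ONLOGON trigger: persistence across logons")
    elif tc.schedule == "MINUTE" and tc.modifier:
        findings.append(f"MINUTE trigger: re-launched every {tc.modifier} minutes")
    if tc.target:
        low_target = tc.target.lower()
        base = low_target.rsplit("\\", 1)[-1]
        if base in BORROWED_NAMES and not low_target.startswith(LEGIT_PREFIXES):
            findings.append(f"target {tc.target} borrows a Windows binary name outside its real location")
    return findings


def summarize(events: list) -> dict:
    """Run triage over all records and count what was found."""
    per_pid = {e["pid"]: triage(e) for e in events}
    return {
        "events": len(events),
        "flagged": sum(1 for f in per_pid.values() if f),
        "wmi_spawned": sum(1 for f in per_pid.values() if any(s.startswith("created via WMI") for s in f)),
        "highest": sum(1 for f in per_pid.values() if any(s.startswith("/rl HIGHEST") for s in f)),
        "per_pid": per_pid,
    }


WMI = "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
SCHTASKS = "C:\\Windows\\system32\\schtasks.exe"
# Constructed records: four modelled on this report's process tree, two benign controls.
SAMPLE_EVENTS = [
    {"pid": 4680, "image": SCHTASKS, "parent_pid": 2940, "parent_image": WMI,
     "cmdline": r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f'''},
    {"pid": 1132, "image": SCHTASKS, "parent_pid": 2940, "parent_image": WMI,
     "cmdline": r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f'''},
    {"pid": 3576, "image": SCHTASKS, "parent_pid": 2940, "parent_image": WMI,
     "cmdline": r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f'''},
    {"pid": 3272, "image": SCHTASKS, "parent_pid": 2940, "parent_image": WMI,
     "cmdline": r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f'''},
    {"pid": 7001, "image": SCHTASKS, "parent_pid": 7000, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f'''},
    {"pid": 7002, "image": SCHTASKS, "parent_pid": 7000, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": r'''schtasks.exe /query /tn "RuntimeBroker" /v'''},
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for pid, findings in result["per_pid"].items():
        print(pid, findings or "ok")
    print({k: v for k, v in result.items() if k != "per_pid"})
```

On the four report-derived records every finding fires except the missing /rl on the first MINUTE task of each triplet; the DAILY backup task and the /query invocation produce nothing. Matching on the WmiPrvSE.exe parent is the piece that survives renaming of the dropped files, so it is the rule to keep even if the name list is not maintained.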
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | RuntimeBroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 51
4940 | powershell.exe | 2
736 | powershell.exe | 2
2896 | powershell.exe | 2
2524 | powershell.exe | 2
2300 | powershell.exe | 2
4808 | powershell.exe | 2
1412 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken 16 IoCs
PID 1112 is reused during this run (powershell.exe, then a RuntimeBroker.exe copy, and a schtasks.exe instance in the process tree), so rows here and elsewhere have to be matched on PID together with process name and time, not on PID alone.

description | pid | Process
Token: SeDebugPrivilege | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Token: SeDebugPrivilege | 4940 | powershell.exe
Token: SeDebugPrivilege | 736 | powershell.exe
Token: SeDebugPrivilege | 4552 | powershell.exe
Token: SeDebugPrivilege | 2896 | powershell.exe
Token: SeDebugPrivilege | 2524 | powershell.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 4808 | powershell.exe
Token: SeDebugPrivilege | 1412 | powershell.exe
Token: SeDebugPrivilege | 4928 | powershell.exe
Token: SeDebugPrivilege | 576 | powershell.exe
Token: SeDebugPrivilege | 4452 | powershell.exe
Token: SeDebugPrivilege | 1112 | powershell.exe
Token: SeDebugPrivilege | 5604 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1112 | RuntimeBroker.exe
Token: SeDebugPrivilege | 5052 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 46 IoCs
Every pair below matches a parent/child edge in the process tree (each edge is recorded twice), so these are the writes a parent makes into a child it has just created; no write into an unrelated process is recorded.

description | pid | Process | procid_target | rows
PID 3892 wrote to memory of 1412 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 126 | 2
PID 3892 wrote to memory of 4808 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 127 | 2
PID 3892 wrote to memory of 576 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 128 | 2
PID 3892 wrote to memory of 4940 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 129 | 2
PID 3892 wrote to memory of 4928 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 149 | 2
PID 3892 wrote to memory of 2524 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 148 | 2
PID 3892 wrote to memory of 2896 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 147 | 2
PID 3892 wrote to memory of 4552 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 146 | 2
PID 3892 wrote to memory of 2300 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 145 | 2
PID 3892 wrote to memory of 736 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 144 | 2
PID 3892 wrote to memory of 1112 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 143 | 2
PID 3892 wrote to memory of 4452 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 142 | 2
PID 3892 wrote to memory of 1560 | 3892 | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe | 150 | 2
PID 1560 wrote to memory of 2968 | 1560 | cmd.exe | 154 | 2
PID 1560 wrote to memory of 5604 | 1560 | cmd.exe | 155 | 2
PID 5604 wrote to memory of 5872 | 5604 | RuntimeBroker.exe | 157 | 2
PID 5604 wrote to memory of 5920 | 5604 | RuntimeBroker.exe | 158 | 2
PID 5872 wrote to memory of 1112 | 5872 | WScript.exe | 167 | 2
PID 1112 wrote to memory of 1236 | 1112 | RuntimeBroker.exe | 168 | 2
PID 1112 wrote to memory of 3764 | 1112 | RuntimeBroker.exe | 169 | 2
PID 1236 wrote to memory of 5052 | 1236 | WScript.exe | 170 | 2
PID 5052 wrote to memory of 3260 | 5052 | RuntimeBroker.exe | 171 | 2
PID 5052 wrote to memory of 4584 | 5052 | RuntimeBroker.exe | 172 | 2
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
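The "System policy modification" rows above (and the identical writes listed under UAC bypass) are individually unremarkable registry events; what matters is the policy state they leave behind. The following Python is an added example, not part of this report or of DcRat: it parses rows in the report's own "Set value (type) <key>\<name> = "<data>" <process>" format, replays them onto the Windows 10 defaults for the three values, and reports the resulting UAC posture and which processes wrote each value. The sample rows are copied from this report plus two constructed distractors; the default values are the Windows 10 ones and are an assumption of the example.

```python
"""Effective UAC policy after a sequence of registry writes (added example, not report or DcRat code)."""
import re
from dataclasses import dataclass, field

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows 10 defaults for the three values the sample rewrites (assumed baseline).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Matches the report's own 'Set value (type) <key>\<name> = "<data>" <process>' rows.
_SET_VALUE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)


@dataclass
class RegSet:
    key: str
    name: str
    data: str
    proc: str
    vtype: str


def parse_set_value(line: str):
    """Decode one 'Set value' row; other row kinds ('Key value queried', ...) give None."""
    m = _SET_VALUE.match(line.strip())
    return RegSet(m["key"], m["name"], m["data"], m["proc"], m["vtype"]) if m else None


@dataclass
class UacVerdict:
    state: dict
    writers: dict = field(default_factory=dict)  # value name -> set of processes that wrote it
    findings: list = field(default_factory=list)
    reboot_required: bool = False                # EnableLUA only changes at the next reboot


def evaluate_uac(lines, baseline=UAC_DEFAULTS) -> UacVerdict:
    """Replay the writes in order onto the baseline and judge the resulting policy."""
    state = dict(baseline)
    writers = {}
    for line in lines:
        ev = parse_set_value(line)
        if ev is None or ev.key.lower() != UAC_KEY.lower() or ev.name not in state:
            continue
        if ev.vtype != "int" or not ev.data.isdigit():
            continue  # not a DWORD write to one of the tracked values
        state[ev.name] = int(ev.data)
        writers.setdefault(ev.name, set()).add(ev.proc)
    v = UacVerdict(state, writers)
    v.reboot_required = state["EnableLUA"] != baseline["EnableLUA"]
    if state["EnableLUA"] == 0:
        v.findings.append("EnableLUA=0: UAC switched off; after the next reboot administrators run with a full token")
    if state["ConsentPromptBehaviorAdmin"] == 0:
        v.findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    if state["PromptOnSecureDesktop"] == 0:
        v.findings.append("PromptOnSecureDesktop=0: any remaining prompt is shown on the normal desktop")
    return v


# Rows copied from this report, plus two constructed distractors (a query row and a
# write to an unrelated key) that a correct parser must leave out of the verdict.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.98a305d83b5bcde92d88eb5f246240c0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.98a305d83b5bcde92d88eb5f246240c0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.98a305d83b5bcde92d88eb5f246240c0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation = "244" explorer.exe',
]

if __name__ == "__main__":
    verdict = evaluate_uac(SAMPLE_LINES)
    print(verdict.state, "reboot required:", verdict.reboot_required)
    for f in verdict.findings:
        print("-", f)
    for name, procs in verdict.writers.items():
        print(name, "written by", sorted(procs))
```

Replaying rather than alerting per row is what gives the distinction a responder needs: the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop changes apply to the next elevation request on the running system, while EnableLUA=0 is dormant until reboot, so a host seen before its next restart still has UAC partly in force.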
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
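Before any of the persistence above is set up, the process tree shows PID 3892 launching twelve PowerShell children, each running Add-MpPreference -ExclusionPath against one top-level directory of C: (and against C:/ itself). The following Python is an added example, not part of this report or of DcRat: it extracts exclusion changes from PowerShell command lines, rates each excluded path by how much of the disk it covers, and groups them by the parent process that issued them, so a dozen individually small events become one "whole-volume exclusion" finding. It goes slightly beyond the report by also catching -ExclusionProcess / -ExclusionExtension and Set-MpPreference -DisableRealtimeMonitoring. Four records are taken from this report's process tree; the two controls under parent 9000 are constructed.

```python
"""Detection of Defender exclusion changes in PowerShell command lines (added example, not report or DcRat code)."""
import re
from collections import defaultdict

# Top-level directories whose exclusion covers most of what Defender would otherwise scan.
BROAD_DIRS = {"windows", "users", "program files", "program files (x86)", "programdata"}

_CMDLET = re.compile(r"\b(?:Add-MpPreference|Set-MpPreference)\b", re.I)
# -ExclusionPath 'a','b'  /  -ExclusionPath "a"  /  -ExclusionPath a   (comma-separated lists allowed)
_PARAM = re.compile(
    r"""-(?P<param>ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"""
    r"""(?P<list>(?:'[^']*'|"[^"]*"|[^\s,]+)(?:\s*,\s*(?:'[^']*'|"[^"]*"|[^\s,]+))*)""",
    re.I,
)
_ITEM = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s,]+)""")
_DISABLE_RT = re.compile(r"-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)


def classify_path(path: str) -> str:
    """How much of the volume an ExclusionPath covers: drive-root, top-level (system tree), top-level, narrow."""
    norm = path.replace("/", "\\").rstrip("\\").lower()
    parts = norm.split("\\")
    if len(parts) == 1 and re.fullmatch(r"[a-z]:", parts[0]):
        return "drive-root"
    if len(parts) == 2:
        return "top-level (system tree)" if parts[1] in BROAD_DIRS else "top-level"
    return "narrow"


def parse_exclusions(cmdline: str) -> list:
    """(parameter, value) pairs for every exclusion the command line adds."""
    if not _CMDLET.search(cmdline):
        return []
    found = []
    for m in _PARAM.finditer(cmdline):
        for item in _ITEM.finditer(m["list"]):
            value = next(g for g in item.groups() if g is not None)
            found.append((m["param"], value))
    return found


def analyze(events: list) -> dict:
    """Summarise exclusion activity across process-creation records, grouped by parent PID."""
    exclusions = []              # (pid, parent_pid, param, value, severity)
    by_parent = defaultdict(int)
    realtime_off = []
    for e in events:
        cl = e["cmdline"]
        for param, value in parse_exclusions(cl):
            sev = classify_path(value) if param.lower() == "exclusionpath" else "non-path"
            exclusions.append((e["pid"], e["parent_pid"], param, value, sev))
            by_parent[e["parent_pid"]] += 1
        if _CMDLET.search(cl) and _DISABLE_RT.search(cl):
            realtime_off.append(e["pid"])
    return {
        "exclusions": exclusions,
        "drive_root_excluded": any(s == "drive-root" for *_, s in exclusions),
        "by_parent": dict(by_parent),
        "realtime_disabled_by": realtime_off,
    }


# Four of the twelve PowerShell children of PID 3892 in this report, plus two constructed controls.
SAMPLE_EVENTS = [
    {"pid": 1412, "parent_pid": 3892, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"},
    {"pid": 4452, "parent_pid": 3892, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'"},
    {"pid": 1112, "parent_pid": 3892, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'"},
    {"pid": 2896, "parent_pid": 3892, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'"},
    {"pid": 9001, "parent_pid": 9000, "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\BuildCache'"},
    {"pid": 9002, "parent_pid": 9000, "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for row in result["exclusions"]:
        print(row)
    print("drive root excluded:", result["drive_root_excluded"], "per parent:", result["by_parent"],
          "real-time protection disabled by:", result["realtime_disabled_by"])
```

The forward slashes in the report's paths are why classify_path normalises separators first; without that, 'C:/' would not be recognised as the drive root. On the host itself the same changes surface as event 5007 in the Microsoft-Windows-Windows Defender/Operational log and in the ExclusionPath property returned by Get-MpPreference, which is where to confirm whether the exclusions actually took effect.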
Processes
Tree depth is shown as [n]; each process lists its command line, its PID and the signatures that fired for it.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe  PID 3892
    cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1412
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4808
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 576
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4940
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4452
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1112
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 736
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 2300
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4552
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 2896
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 2524
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4928
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID 1560
        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMDGCgjXWp.bat"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\w32tm.exe  PID 2968
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            (a w32tm stripchart against localhost is a common batch-file delay; here it runs just before the dropped copy is started)

        [3] C:\odt\RuntimeBroker.exe  PID 5604
            cmdline: "C:\odt\RuntimeBroker.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [4] C:\Windows\System32\WScript.exe  PID 5872
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39c3734c-919f-467f-83b6-4dd07532cd75.vbs"
                - Suspicious use of WriteProcessMemory

                [5] C:\odt\RuntimeBroker.exe  PID 1112
                    cmdline: C:\odt\RuntimeBroker.exe
                    - UAC bypass
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    - System policy modification

                    [6] C:\Windows\System32\WScript.exe  PID 1236
                        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6841ae9-9577-4b12-acc7-e4c5d442b2b2.vbs"
                        - Suspicious use of WriteProcessMemory

                        [7] C:\odt\RuntimeBroker.exe  PID 5052
                            cmdline: C:\odt\RuntimeBroker.exe
                            - UAC bypass
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Checks whether UAC is enabled
                            - Modifies registry class
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of WriteProcessMemory
                            - System policy modification

                            [8] C:\Windows\System32\WScript.exe  PID 3260
                                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d3a917f-cb18-441c-a623-952574bfe858.vbs"

                            [8] C:\Windows\System32\WScript.exe  PID 4584
                                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f03dc43-bda4-4e43-b04a-ac51d98cf1f0.vbs"

                    [6] C:\Windows\System32\WScript.exe  PID 3764
                        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e75cd97f-67fe-4efd-90c6-d056866d4fd9.vbs"

            [4] C:\Windows\System32\WScript.exe  PID 5920
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b287959-da34-418f-835c-f36457dc3e1a.vbs"

        The RuntimeBroker.exe → WScript.exe → RuntimeBroker.exe nesting is the dropped copy writing a .vbs launcher and re-starting itself through it, three generations deep within the analysis window.
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0N" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0N" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads