Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
- submitted: 18/11/2023, 06:52
Behavioral task behavioral1
- Sample: NEAS.ee9c47c40454820e89d46e4b89068090.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: NEAS.ee9c47c40454820e89d46e4b89068090.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.ee9c47c40454820e89d46e4b89068090.exe
- Size: 1.4MB
- MD5: ee9c47c40454820e89d46e4b89068090
- SHA1: 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
- SHA256: 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
- SHA512: 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399
- SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, the parent is C:\Windows\system32\wbem\wmiprvse.exe, the WMI provider host: a process created through WMI (Win32_Process.Create) is parented by wmiprvse.exe rather than by the caller, so the rows below are consistent with the sample launching schtasks.exe through WMI, not with wmiprvse.exe itself being exploited. It is also why the schtasks.exe entries sit at the top level of the process tree instead of under PID 3024.
description pid pid_target Process procid_target
All 42 rows carry the same description, Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process, the same Process, schtasks.exe, and the same pid_target 3020 / procid_target 28 (the wmiprvse.exe parent). The pid column, one schtasks.exe child per row, is: 2164, 2628, 2960, 2648, 2712, 2600, 2572, 2352, 2736, 2476, 2492, 2440, 2512, 2896, 2344, 1172, 1112, 2132, 2000, 2172, 2196, 1412, 1596, 1824, 792, 1076, 1456, 2496, 2536, 2504, 776, 2696, 1616, 2260, 2424, 2376, 1052, 1536, 1632, 756, 1144, 3044.
UAC bypass 12 IoCs
description ioc Process
All twelve rows are Set value (int) writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, each setting the value to "0":
- EnableLUA = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
- ConsentPromptBehaviorAdmin = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
- PromptOnSecureDesktop = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
The three Idle.exe rows per value correspond to the three Idle.exe instances (PIDs 1728, 1876, 1500); every copy of the payload rewrites all three values.
YARA matches (rule dcrat) 15 IoCs
resource yara_rule
- behavioral1/memory/3024-0-0x0000000000B50000-0x0000000000CBC000-memory.dmp dcrat
- behavioral1/files/0x0007000000015c9c-35.dat dcrat
- behavioral1/files/0x0007000000015caf-146.dat dcrat
- behavioral1/files/0x0008000000015cf0-158.dat dcrat
- behavioral1/files/0x0008000000015dca-168.dat dcrat
- behavioral1/files/0x0008000000015e78-183.dat dcrat
- behavioral1/files/0x00070000000161a5-205.dat dcrat
- behavioral1/files/0x00080000000165d3-216.dat dcrat
- behavioral1/files/0x0007000000018695-300.dat dcrat
- behavioral1/files/0x0007000000018695-301.dat dcrat
- behavioral1/memory/1728-302-0x00000000000A0000-0x000000000020C000-memory.dmp dcrat
- behavioral1/files/0x0007000000018695-381.dat dcrat
- behavioral1/files/0x000d000000018ba3-390.dat dcrat
- behavioral1/files/0x0007000000018695-426.dat dcrat
- behavioral1/files/0x000d000000018ba3-434.dat dcrat
Both memory regions span 0x16C000 bytes (1.42 MB), the size of the submitted sample: the image running as Idle.exe (PID 1728) is the same DcRat executable copied to C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\, which is consistent with the Executes dropped EXE rows below.
Executes dropped EXE 3 IoCs
pid Process
- 1728 Idle.exe
- 1876 Idle.exe
- 1500 Idle.exe
Checks whether UAC is enabled 8 IoCs
description ioc Process
Each of the four payload processes reads \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA once (Key value queried) and writes it once (Set value (int) EnableLUA = "0"):
- NEAS.ee9c47c40454820e89d46e4b89068090.exe: queried, then set to "0"
- Idle.exe (three instances): queried, then set to "0", three times
Drops file in Program Files directory 15 IoCs
description ioc Process (all rows: NEAS.ee9c47c40454820e89d46e4b89068090.exe)
C:\Program Files\Uninstall Information\
- File opened for modification RCXC812.tmp
- File opened for modification RCXC822.tmp
- File created csrss.exe
- File opened for modification csrss.exe
- File created 886983d96e3d3e
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
- File opened for modification RCXD807.tmp
- File opened for modification RCXD876.tmp
- File created dwm.exe
- File opened for modification dwm.exe
- File created 6cb0b6c459d5d3
C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\
- File opened for modification RCXDA79.tmp
- File opened for modification RCXDAF7.tmp
- File created csrss.exe
- File opened for modification csrss.exe
- File created 886983d96e3d3e
Each copy is written through an RCX*.tmp staging file and accompanied by a short extension-less file (886983d96e3d3e, 6cb0b6c459d5d3).
Drops file in Windows directory 10 IoCs
description ioc Process (all rows: NEAS.ee9c47c40454820e89d46e4b89068090.exe)
C:\Windows\tracing\
- File opened for modification RCXDD1A.tmp
- File opened for modification RCXDD88.tmp
- File created spoolsv.exe
- File opened for modification spoolsv.exe
- File created f3b6ecef712a24
C:\Windows\ja-JP\
- File opened for modification RCXE4BE.tmp
- File opened for modification RCXE53C.tmp
- File created winlogon.exe
- File opened for modification winlogon.exe
- File created cc11b995f2a76d
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The command lines in the process tree show one fixed triplet per dropped copy: a MINUTE task with no run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all pointing at an executable named after a Windows system process (csrss, lsass, smss, dwm, spoolsv, lsm) or a kernel pseudo-process (System, Idle) but located in a user-writable directory. Note that PIDs are reused within the run: 1172 and 2352 appear below as schtasks.exe and earlier as powershell.exe and WScript.exe respectively, so correlate on the sandbox's procid rather than on pid.
pid Process (all rows: schtasks.exe)
2424, 3044, 2736, 2492, 1076, 1456, 1616, 2164, 2648, 1112, 2496, 2696, 2260, 2628, 2960, 2440, 1172, 2132, 2476, 1596, 1536, 2344, 2196, 1632, 756, 1412, 1824, 792, 2376, 776, 1052, 1144, 2712, 2512, 2896, 2000, 2504, 2600, 2572, 2352, 2172, 2536
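The triplet pattern described above is easy to spot mechanically once the /create options are parsed out. The Python below is an added example, not code from the report or from the sandbox that produced it: it parses schtasks /create command lines taken from process-creation events and flags a target whose file name is a Windows system process outside System32/SysWOW64, a target named after a kernel pseudo-process (System.exe, Idle.exe, which never exist as files), a wmiprvse.exe parent, and /rl HIGHEST. The ProcessEvent records are constructed sample input (four command lines copied from this report plus one benign task), and the list of system process names is my own and not exhaustive.

```python
"""Triage schtasks.exe /create command lines for the persistence pattern in this report."""
import re
from dataclasses import dataclass

# Binaries that legitimately run only from the Windows system directories (not exhaustive).
WINDOWS_SYSTEM_PROCESSES = {
    "csrss.exe", "lsass.exe", "smss.exe", "dwm.exe", "winlogon.exe",
    "spoolsv.exe", "lsm.exe", "services.exe", "wininit.exe", "svchost.exe",
}
# "System" and "Idle" are kernel pseudo-processes; no real System.exe or Idle.exe exists.
PSEUDO_PROCESS_NAMES = {"system.exe", "idle.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class ProcessEvent:          # the two fields of a process-creation event we need
    parent_image: str
    command_line: str

@dataclass
class Finding:
    task_name: str
    target: str
    schedule: str
    reasons: list

# /tn, /sc, /mo, /tr, /rl and their values; a value may be "double-quoted".
_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)

def parse_schtasks_create(command_line):
    """Return the /create options as a dict, or None if this is not a task creation."""
    low = command_line.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    opts = {}
    for m in _OPT.finditer(command_line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # DcRat wraps the target in an extra pair of single quotes: "'C:\...\x.exe'"
        opts[m.group(1).lower()] = value.strip("'")
    return opts

def assess(event):
    """Return a Finding for a suspicious task creation, or None."""
    opts = parse_schtasks_create(event.command_line)
    if opts is None or "tr" not in opts:
        return None
    target = opts["tr"]
    low = target.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if basename in WINDOWS_SYSTEM_PROCESSES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{basename} outside the Windows system directories")
    if basename in PSEUDO_PROCESS_NAMES:
        reasons.append(f"{basename} impersonates a kernel pseudo-process")
    if event.parent_image.lower().rsplit("\\", 1)[-1] == "wmiprvse.exe":
        reasons.append("created through WMI (child of wmiprvse.exe)")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the highest available integrity level")
    if not reasons:
        return None
    schedule = opts.get("sc", "?").upper()
    if "mo" in opts:
        schedule += f" every {opts['mo']}"
    return Finding(opts.get("tn", "?"), target, schedule, reasons)

def triage(events):
    return [f for f in (assess(e) for e in events) if f is not None]

# Constructed sample: four lines copied from this report's process tree plus one benign task.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    ProcessEvent(WMI, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f'''),
    ProcessEvent(WMI, r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f'''),
    ProcessEvent(WMI, r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f'''),
    ProcessEvent(WMI, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\System.exe'" /f'''),
    # Benign, constructed: a system binary from System32 created by an interactive shell.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r'''schtasks.exe /create /tn "NightlyDefrag" /sc DAILY /tr "C:\Windows\System32\defrag.exe C:" /f'''),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.task_name:<10} {f.schedule:<16} {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feeding the same function Sysmon event 1 or Windows 4688 records (parent image plus command line) covers the live-host case; the benign defrag task produces no finding because its target lives in System32 and its parent is not wmiprvse.exe.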
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
- 3024 NEAS.ee9c47c40454820e89d46e4b89068090.exe (55 of the 64 rows)
- 1172 powershell.exe
- 2788 powershell.exe
- 2232 powershell.exe
- 2700 powershell.exe
- 1928 powershell.exe
- 2556 powershell.exe
- 2432 powershell.exe
- 2520 powershell.exe
- 1816 powershell.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process (all rows: Token: SeDebugPrivilege)
- 3024 NEAS.ee9c47c40454820e89d46e4b89068090.exe
- powershell.exe: 1172, 2788, 2232, 2700, 1928, 2556, 2432, 2520, 1816, 768, 1168, 760
- Idle.exe: 1728, 1876, 1500
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target
Every parent-to-child write appears three times in the raw table; the 21 distinct pairs are listed once here, with the child's procid_target in parentheses:
- PID 3024 NEAS.ee9c47c40454820e89d46e4b89068090.exe wrote to memory of 1928 (72), 2232 (86), 1172 (73), 2700 (84), 2788 (74), 2556 (82), 2520 (76), 768 (77), 1816 (80), 2432 (79), 760 (78), 1168 (92), 1728 (97)
- PID 1728 Idle.exe wrote to memory of 576 (98), 1788 (99)
- PID 576 WScript.exe wrote to memory of 1876 (100)
- PID 1876 Idle.exe wrote to memory of 2352 (102), 2348 (101)
- PID 2352 WScript.exe wrote to memory of 1500 (103)
- PID 1500 Idle.exe wrote to memory of 524 (104), 1528 (105)
System policy modification 1 TTPs 12 IoCs
description ioc Process
All twelve rows are Set value (int) writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
- ConsentPromptBehaviorAdmin = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
- PromptOnSecureDesktop = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
- EnableLUA = "0": Idle.exe (3 rows), NEAS.ee9c47c40454820e89d46e4b89068090.exe (1 row)
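The rows above are the same three policy values written by four processes. As an added example that is not part of the report, the Python below parses rows in exactly that sandbox format, keeps only writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that differ from the Windows 7 and later defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1), records which process made them, and produces the reg.exe commands that restore the defaults. SAMPLE_ROWS holds six rows copied from this report plus two constructed rows (a value written at its default and a write under a different key, with made-up process names) to show the filtering.

```python
"""Evaluate UAC policy writes from sandbox 'Set value' rows and build the reset commands."""
import re
from collections import defaultdict

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Default value (Windows 7 and later) and what the sample's write of 0 means for each value.
UAC_VALUES = {
    "EnableLUA": (1, "0 turns UAC off completely after the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, "0 lets administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (1, "0 shows any remaining prompt on the interactive desktop, where it can be spoofed"),
}

# One row of the sandbox table, e.g.
#   Set value (int) \REGISTRY\MACHINE\SOFTWARE\...\Policies\System\EnableLUA = "0" Idle.exe
_ROW = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)

def parse_rows(text):
    """Yield (key_path, value_name, data, process) for every 'Set value' row in text."""
    for m in _ROW.finditer(text):
        # Native \REGISTRY\MACHINE paths map to the HKLM hive used by reg.exe.
        path = m.group("path").replace("\\REGISTRY\\MACHINE", "HKLM", 1)
        yield path, m.group("name"), m.group("data"), m.group("proc")

def evaluate(text):
    """Return {value_name: {"written": set, "by": set, "default": int, "impact": str}}
    for each UAC policy value that some process set to a non-default value."""
    findings = defaultdict(lambda: {"written": set(), "by": set()})
    for path, name, data, proc in parse_rows(text):
        if path.lower() != UAC_KEY.lower() or name not in UAC_VALUES:
            continue                      # not one of the three UAC policy values
        default, impact = UAC_VALUES[name]
        if data.isdigit() and int(data) == default:
            continue                      # written at its default: nothing to undo
        f = findings[name]
        f["written"].add(data)
        f["by"].add(proc)
        f["default"], f["impact"] = default, impact
    return dict(findings)

def describe(findings):
    return [
        f'{name} set to {"/".join(sorted(f["written"]))} by {", ".join(sorted(f["by"]))}: {f["impact"]}'
        for name, f in sorted(findings.items())
    ]

def reset_commands(findings):
    """reg.exe commands restoring each tampered value (run elevated; EnableLUA needs a reboot)."""
    return [
        f'reg add "{UAC_KEY}" /v {name} /t REG_DWORD /d {f["default"]} /f'
        for name, f in sorted(findings.items())
    ]

# Constructed sample: six rows from this report, then two rows invented to exercise the filters.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" example-admin-tool.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "C:\example.exe" example.exe
"""

if __name__ == "__main__":
    found = evaluate(SAMPLE_ROWS)
    print("\n".join(describe(found)))
    print("\n".join(reset_commands(found)))
```

The reset is only half the job: the values were written by the payload and its three Idle.exe copies, so the scheduled tasks that relaunch them have to go first, or the next run writes zeros again.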
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe"C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7c2218-d0d3-47c4-b53a-8dbf58b03715.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exeC:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d2ae5f-e3e6-4591-84ab-a4f1f7db9a38.vbs"5⤵PID:2348
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab51bf72-3c65-49e6-90b0-f56d9b348f92.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exeC:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1500 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c527f23-670a-46cc-8a7b-3c47917b820e.vbs"7⤵PID:524
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2bb5d38-a37a-4abc-9eaf-2d6b0dd6c35b.vbs"7⤵PID:1528
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\237a0ea6-42f1-4691-8931-efbccd038c2b.vbs"3⤵PID:1788
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
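Added example, not part of the sandbox report or of the sample: a Python triage script that parses schtasks /create command lines like the ones above and reports the traits that make them look like masquerading persistence, namely a core Windows process name (lsm, smss, lsass, dwm, csrss, spoolsv, services, winlogon, wininit) used for a binary outside System32, a kernel pseudo-process name (Idle.exe, System.exe) that has no legitimate executable at all, a request for /rl HIGHEST, a short MINUTE re-launch interval, and the wmiprvse.exe parent named in the report's "Process spawned unexpected child process" signature. The record format (parent image, a tab, then the command line), the 15-minute watchdog threshold and the benign NightlyBackup record are assumptions made for this example; the three malicious records are copied from the process tree above.

```python
"""Triage of schtasks.exe /create command lines (added example, not from the report).

The process tree above shows DcRat registering each of its planted executables three
times: an ONLOGON task, a MINUTE task, and a second MINUTE task with /rl HIGHEST, all
pointing at a binary that borrows a core Windows process name but lives outside
System32. Assumptions made for this example: each input record is
"<parent image>\t<command line>", and anything re-launched every 15 minutes or
faster counts as a watchdog loop.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Core Windows binaries whose names the planted copies borrow; the genuine files live in System32.
SYSTEM32_NAMES = {"lsm.exe", "smss.exe", "lsass.exe", "dwm.exe", "csrss.exe",
                  "spoolsv.exe", "services.exe", "winlogon.exe", "wininit.exe"}
# "System" and "Idle" are kernel pseudo-processes: there is no legitimate System.exe or Idle.exe.
PSEUDO_PROCESS_NAMES = {"system.exe", "idle.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
# The report's own signature: the WMI provider host should not be spawning schtasks.exe.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
WATCHDOG_MINUTES = 15  # assumed threshold for "re-launches itself constantly"

_TOKEN = re.compile(r'"[^"]*"|\S+')          # a double-quoted argument or a bare word
_VALUE_OPTS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed", "/d"}


@dataclass
class TaskCreate:
    parent: str               # basename of the parent image, lower-cased
    name: str                 # /tn
    schedule: str             # /sc, upper-cased
    modifier: Optional[int]   # /mo
    action: str               # /tr with the sample's surrounding '...' removed
    run_level: Optional[str]  # /rl
    force: bool               # /f present


def parse(line: str) -> Optional[TaskCreate]:
    """Parse one "<parent>\\t<cmdline>" record; None unless it is a schtasks /create."""
    parent, _, cmdline = line.partition("\t")
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if len(toks) < 2 or not toks[0].lower().endswith("schtasks.exe") or toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key = toks[i].lower()
        if key in _VALUE_OPTS and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True           # flag without a value, e.g. /f
            i += 1
    mo, rl = opts.get("/mo"), opts.get("/rl")
    return TaskCreate(
        parent=parent.rsplit("\\", 1)[-1].lower(),
        name=str(opts.get("/tn", "")),
        schedule=str(opts.get("/sc", "")).upper(),
        modifier=int(mo) if isinstance(mo, str) and mo.isdigit() else None,
        action=str(opts.get("/tr", "")).strip("'"),
        run_level=rl.upper() if isinstance(rl, str) else None,
        force="/f" in opts,
    )


def findings(task: TaskCreate) -> List[str]:
    """Reasons this task creation looks like masquerading persistence (empty if none)."""
    out = []
    directory, _, basename = task.action.lower().rpartition("\\")
    if basename in SYSTEM32_NAMES and directory != SYSTEM32_DIR:
        out.append(f"{basename} outside System32: {task.action}")
    if basename in PSEUDO_PROCESS_NAMES:
        out.append(f"{basename} has no legitimate on-disk binary")
    if task.run_level == "HIGHEST":
        out.append("requests /rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= WATCHDOG_MINUTES:
        out.append(f"re-launched every {task.modifier} min")
    if task.parent in UNEXPECTED_PARENTS:
        out.append(f"spawned by {task.parent}")
    return out


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(task name, findings) for every schtasks /create record that trips at least one rule."""
    hits = []
    for line in lines:
        task = parse(line)
        if task is None:
            continue
        why = findings(task)
        if why:
            hits.append((task.name, why))
    return hits


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Three records copied from the process tree above (parent taken from the report's signature)
# plus one constructed benign task created from an administrator's command prompt.
SAMPLE_LOG = [
    WMI + "\t" + r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f""",
    WMI + "\t" + r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f""",
    WMI + "\t" + r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f""",
    r"C:\Windows\System32\cmd.exe" + "\t" + r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f""",  # constructed
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"{name}: " + "; ".join(why))
```

Feed it the process-creation records of a host (Sysmon event 1 or 4688 with command-line auditing) restricted to schtasks.exe and every entry in the tree above trips at least two rules, while an ordinary administrator-created task trips none; the masquerade rule alone would also catch the ONLOGON entries that carry no interval.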
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize 1.4MB
MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399
-
Filesize 1.4MB
MD5 eb63ef2e8167b3c8b2b3999c45b60423
SHA1 5dc9c85329841bd17665439726f18f41964fb3f3
SHA256 869566da5d919bee007d20392ab82b902d314b7e31ca5e2ff47a46cf2b41c612
SHA512 9f02325926efa8eb06a9cb3a2c24dd06a34fcde12669c46e56eb9e3dc95211f987180b7d6f11f42ca03caf68e52f1c1ba1ea508a339dc4b8d6372897ede8ce61
-
Filesize 1.4MB
MD5 b62c7e19d1135fed2763c053c69132b5
SHA1 555c39bcc4e18a86de6a1c72fc7720c294dfa5b7
SHA256 c90f7a73934eac791f377b1f99c70f3a48ac4e0754bb047078b349c6da062e34
SHA512 5ae68d545e50831733eeb64ecd74e00bb4793707f48a4a19a05ec71472994cb6ecaeee61344b58136d5ddac39b366864084522af86a256363775500ebf20ebc3
-
Filesize 509B
MD5 104fa7507efe24f94f45fa63c2c09569
SHA1 0263d504d6cb47d658385cd679771321e6e85774
SHA256 22314453408133cd598a43c2666fe0889ebef04729dc9b31feebeb14ff4db871
SHA512 0b73a6c2c477d7e56e986f3cf1729f48801e06b31d001db7a21120000ab8d5863fc0c9c8b4ca872438b10d5f68fff3807c93a62f6126cb98b2ca03021ecb71e0
-
Filesize 733B
MD5 a51d29596fc7dc1472004d25554609eb
SHA1 35bf87da019654e06ffce21cb0523072ac2d1caa
SHA256 19f876a56bde7adb3e643902149fbe7868a7f03fe062d66fb79e873ddc191045
SHA512 14bb587d0e514cc7a82d9204a66479f0313ee7edfc2e4aa907b09008ae54551084612b1dc4e304b10c11af9f5d025bf122415ce7d36ba0da3bf5068e64c2d874
-
Filesize 733B
MD5 5eb7ad8f6b36dbf0dcfc2b14bb12013b
SHA1 c3edbfc7f943c87e2d08909bfeb074e694ebd869
SHA256 5ec0412313a473e9689550dff8d14b4261c17dc58c4c6045089f68681c4e2869
SHA512 9bb02a6c28b4b054bd5b6dcb35797c9f15036d4d3bc93832dec845742c2cc6c6fe26e7df3670eb67cc7018402a159d93708cd2d1b601546747b17eb7852f00e9
-
Filesize 733B
MD5 247dfd5a0a50d5148719872d84de36f7
SHA1 938c8d67a135b65d7e356d83ceb1f83255d37e5d
SHA256 013482c461f170b1d41d97fdc1495960a018aec693d25e051335688bac45df4a
SHA512 f8d23dad17e67e1db9a23882f09ad03a91a9a3a1507d3215d1b2700fa25fff749453f8e0338a64b46caebfd0c19df6e4325584a828491a98580a481c88076270
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3879LQQI3I9S5RJMQSBD.temp
Filesize 7KB
MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d
-
Filesize 1.4MB
MD5 4b7ac0ff8ad0e196bf4ed58c9ba620bd
SHA1 749ec6bf417bcb4ad29d1aae56072dbbf49b0ba0
SHA256 8d9e732992be8420fbadf43224ebea8a475cd8963a61cee0ed38cacb537f712e
SHA512 d961202eacf5754b51a8acac240cc6a09cab6d74174567a63f830f340f5f845cb1c62fca479fa60cd4af33791a746346bf820e384fa89cad86ba16f4ad807907
-
Filesize 1.4MB
MD5 6af4c0ba7ef84caa27a724f6aa752436
SHA1 7a2012da026a802317003b066a72f3a6a3784607
SHA256 a3ba663cbf9f3350498d09ef7c56ee5f33be36e23a742841375f69e26d363fb6
SHA512 b955a62bb17529a389aeec8aeff5a14822c4a1c1605a79547b47d42f4ee77f0b9fdd5237b8f7baeb244be3a877011815e7ac2c774b7d58c4f29ff524d3111630
-
Filesize 1.4MB
MD5 1aa78d7a2657f2213463ea2c1ab7b7bd
SHA1 bdf9aff0bbbb73670a0c8072dad664fce3d4b000
SHA256 2dfcc2b279c0c5b9bdd5ada5ea14a189e53ba9cdc51e8294a3978c0f04df3c0b
SHA512 8ec1f3d65ea8e6cbc63f701740be0ae32e02251a0d388f089c9194ea0e08fe734f24d5fab9d6f5529ce63eb03bec201490a188fca9991955ec224ace3d5b42ca
-
Filesize 1.4MB
MD5 c5c3ac9c2aee3007cce715982c70c019
SHA1 c972147b0b88ac50518986447a2341897a765ea4
SHA256 9d00387fd6fa6704595b29db8dfea5876873055fb5998486b225007f01acad4d
SHA512 cb7313e30101778b16e7f18ead0e5d8db02f6243d31d3417d7336540d55cb17fe2609ba95c272b3e3e42e25662d17e5569740893bf778330bb3876264390f12b