Analysis
max time kernel: 135s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 06:52

Behavioral task: behavioral1
Sample: NEAS.ee9c47c40454820e89d46e4b89068090.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.ee9c47c40454820e89d46e4b89068090.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.ee9c47c40454820e89d46e4b89068090.exe
Size: 1.4MB
MD5: ee9c47c40454820e89d46e4b89068090
SHA1: 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256: 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512: 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
resource | yara_rule
behavioral2/memory/2140-0-0x0000000000FE0000-0x000000000114C000-memory.dmp | dcrat
behavioral2/files/0x0006000000022ce4-36.dat | dcrat
behavioral2/files/0x000c000000022ce7-190.dat | dcrat
behavioral2/files/0x0006000000022cf2-383.dat | dcrat
behavioral2/files/0x0006000000022cf2-382.dat | dcrat
behavioral2/files/0x0006000000022cf2-449.dat | dcrat
behavioral2/files/0x0009000000022bd2-457.dat | dcrat
behavioral2/files/0x0006000000022cf2-472.dat | dcrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Executes dropped EXE 2 IoCs
pid | Process
6032 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
5880 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files (x86)\Google\CrashReports\55b276f4edf653 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX664E.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\System.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\RCX5C14.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\RCX5C53.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX65C0.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files\Windows Multimedia Platform\System.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX4D90.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX4DB1.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\DiagTrack\Settings\TextInputHost.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File created | C:\Windows\DiagTrack\Settings\22eafd247d37c3 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Windows\DiagTrack\Settings\RCX573D.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Windows\DiagTrack\Settings\RCX575D.tmp | NEAS.ee9c47c40454820e89d46e4b89068090.exe
File opened for modification | C:\Windows\DiagTrack\Settings\TextInputHost.exe | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2140 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Token: SeDebugPrivilege | 4228 | powershell.exe
Token: SeDebugPrivilege | 436 | powershell.exe
Token: SeDebugPrivilege | 2920 | powershell.exe
Token: SeDebugPrivilege | 4744 | powershell.exe
Token: SeDebugPrivilege | 3476 | powershell.exe
Token: SeDebugPrivilege | 3584 | powershell.exe
Token: SeDebugPrivilege | 2692 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 1436 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 3316 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 6032 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Token: SeDebugPrivilege | 5880 | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Suspicious use of WriteProcessMemory 40 IoCs
System policy modification 1 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.ee9c47c40454820e89d46e4b89068090.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RMrapfWgvs.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:5628
-
-
C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe"C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036e8838-67c6-452c-bc1d-dc507c53bc76.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exeC:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7553c8b1-09da-49dd-81ab-26279e174160.vbs"6⤵PID:5072
-
C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exeC:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe7⤵PID:4020
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs"6⤵PID:2496
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs"4⤵PID:6140
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\odt\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads