Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-hm885sde7v
Target NEAS.ee9c47c40454820e89d46e4b89068090.exe
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

Threat Level: Known bad

The file NEAS.ee9c47c40454820e89d46e4b89068090.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Dcrat family

Process spawned unexpected child process

UAC bypass

DCRat payload

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-18 06:52

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-18 06:52

Reported: 2023-11-18 06:55

Platform: win7-20231023-en

Max time kernel: 150s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A | 42

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 15

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXD876.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXDA79.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXDAF7.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files\Uninstall Information\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCXC822.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXD807.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCXC812.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files\Uninstall Information\csrss.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ja-JP\RCXE53C.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Windows\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Windows\tracing\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Windows\tracing\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Windows\tracing\RCXDD1A.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Windows\tracing\RCXDD88.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Windows\tracing\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File opened for modification | C:\Windows\ja-JP\RCXE4BE.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Windows\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A
File created | C:\Windows\ja-JP\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 42

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A | 54
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A | 1
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
Token: SeDebugPrivilege | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | N/A | 3

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3024 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3024 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | 3
PID 1728 wrote to memory of 576 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3
PID 1728 wrote to memory of 1788 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3
PID 576 wrote to memory of 1876 | N/A | C:\Windows\System32\WScript.exe | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | 3
PID 1876 wrote to memory of 2352 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3
PID 1876 wrote to memory of 2348 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3
PID 2352 wrote to memory of 1500 | N/A | C:\Windows\System32\WScript.exe | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | 3
PID 1500 wrote to memory of 524 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3
PID 1500 wrote to memory of 1528 | N/A | C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe | C:\Windows\System32\WScript.exe | 3

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

"C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7c2218-d0d3-47c4-b53a-8dbf58b03715.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\237a0ea6-42f1-4691-8931-efbccd038c2b.vbs"

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d2ae5f-e3e6-4591-84ab-a4f1f7db9a38.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab51bf72-3c65-49e6-90b0-f56d9b348f92.vbs"

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c527f23-670a-46cc-8a7b-3c47917b820e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2bb5d38-a37a-4abc-9eaf-2d6b0dd6c35b.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp

Files

memory/3024-0-0x0000000000B50000-0x0000000000CBC000-memory.dmp

memory/3024-1-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

memory/3024-2-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/3024-6-0x0000000000300000-0x0000000000308000-memory.dmp

memory/3024-5-0x00000000002E0000-0x00000000002FC000-memory.dmp

memory/3024-7-0x0000000000310000-0x0000000000320000-memory.dmp

memory/3024-4-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/3024-8-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/3024-9-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/3024-10-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/3024-11-0x0000000000A90000-0x0000000000A9C000-memory.dmp

memory/3024-12-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

memory/3024-14-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/3024-13-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

memory/3024-15-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

memory/3024-16-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

memory/3024-17-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

memory/3024-19-0x0000000000B10000-0x0000000000B1E000-memory.dmp

memory/3024-18-0x0000000000B00000-0x0000000000B08000-memory.dmp

memory/3024-20-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-21-0x0000000000B20000-0x0000000000B2C000-memory.dmp

memory/3024-23-0x0000000000B40000-0x0000000000B4A000-memory.dmp

memory/3024-22-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/3024-24-0x00000000020C0000-0x00000000020CC000-memory.dmp

memory/3024-31-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

memory/3024-34-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-41-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-82-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-99-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-112-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-136-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

memory/3024-137-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Users\Public\Recorded TV\System.exe

MD5 6af4c0ba7ef84caa27a724f6aa752436
SHA1 7a2012da026a802317003b066a72f3a6a3784607
SHA256 a3ba663cbf9f3350498d09ef7c56ee5f33be36e23a742841375f69e26d363fb6
SHA512 b955a62bb17529a389aeec8aeff5a14822c4a1c1605a79547b47d42f4ee77f0b9fdd5237b8f7baeb244be3a877011815e7ac2c774b7d58c4f29ff524d3111630

memory/3024-155-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-161-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dwm.exe

MD5 eb63ef2e8167b3c8b2b3999c45b60423
SHA1 5dc9c85329841bd17665439726f18f41964fb3f3
SHA256 869566da5d919bee007d20392ab82b902d314b7e31ca5e2ff47a46cf2b41c612
SHA512 9f02325926efa8eb06a9cb3a2c24dd06a34fcde12669c46e56eb9e3dc95211f987180b7d6f11f42ca03caf68e52f1c1ba1ea508a339dc4b8d6372897ede8ce61

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe

MD5 b62c7e19d1135fed2763c053c69132b5
SHA1 555c39bcc4e18a86de6a1c72fc7720c294dfa5b7
SHA256 c90f7a73934eac791f377b1f99c70f3a48ac4e0754bb047078b349c6da062e34
SHA512 5ae68d545e50831733eeb64ecd74e00bb4793707f48a4a19a05ec71472994cb6ecaeee61344b58136d5ddac39b366864084522af86a256363775500ebf20ebc3

memory/3024-173-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3024-174-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Windows\tracing\spoolsv.exe

MD5 c5c3ac9c2aee3007cce715982c70c019
SHA1 c972147b0b88ac50518986447a2341897a765ea4
SHA256 9d00387fd6fa6704595b29db8dfea5876873055fb5998486b225007f01acad4d
SHA512 cb7313e30101778b16e7f18ead0e5d8db02f6243d31d3417d7336540d55cb17fe2609ba95c272b3e3e42e25662d17e5569740893bf778330bb3876264390f12b

C:\Users\Default\AppData\Local\services.exe

MD5 4b7ac0ff8ad0e196bf4ed58c9ba620bd
SHA1 749ec6bf417bcb4ad29d1aae56072dbbf49b0ba0
SHA256 8d9e732992be8420fbadf43224ebea8a475cd8963a61cee0ed38cacb537f712e
SHA512 d961202eacf5754b51a8acac240cc6a09cab6d74174567a63f830f340f5f845cb1c62fca479fa60cd4af33791a746346bf820e384fa89cad86ba16f4ad807907

C:\Windows\ja-JP\winlogon.exe

MD5 1aa78d7a2657f2213463ea2c1ab7b7bd
SHA1 bdf9aff0bbbb73670a0c8072dad664fce3d4b000
SHA256 2dfcc2b279c0c5b9bdd5ada5ea14a189e53ba9cdc51e8294a3978c0f04df3c0b
SHA512 8ec1f3d65ea8e6cbc63f701740be0ae32e02251a0d388f089c9194ea0e08fe734f24d5fab9d6f5529ce63eb03bec201490a188fca9991955ec224ace3d5b42ca

memory/3024-219-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

memory/1172-280-0x0000000002290000-0x0000000002298000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

memory/1928-248-0x000000001B240000-0x000000001B522000-memory.dmp

memory/3024-247-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3879LQQI3I9S5RJMQSBD.temp

MD5 b265468df30b46b1a23bb9b05e81d935
SHA1 321464e98813185ed4dacf158220d84036ef2be2
SHA256 4dc7b7aa33927b2ccd7f304ed29514cf8d6ff5e82c2ed5e159f18eaf62586ace
SHA512 5d25500f44d62cda973394f8526dbf7efcdcc837f379f3d82c1f397ef00a72c34a97b75310da760f35283ad2a8067bb824753a24b0072608ca5ce41b1a34e29d

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

memory/1728-302-0x00000000000A0000-0x000000000020C000-memory.dmp

memory/3024-303-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

memory/1928-304-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1928-305-0x0000000002400000-0x0000000002480000-memory.dmp

memory/1928-306-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1928-307-0x0000000002400000-0x0000000002480000-memory.dmp

memory/1928-308-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/2700-309-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1816-310-0x00000000029B4000-0x00000000029B7000-memory.dmp

memory/768-312-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/2432-316-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1172-318-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/2520-322-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/760-324-0x00000000025B4000-0x00000000025B7000-memory.dmp

memory/2556-323-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/2788-321-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1928-320-0x000000000240B000-0x0000000002472000-memory.dmp

memory/2232-319-0x0000000002930000-0x00000000029B0000-memory.dmp

memory/1168-317-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/760-315-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/2700-314-0x000007FEEDF60000-0x000007FEEE8FD000-memory.dmp

memory/1928-313-0x0000000002404000-0x0000000002407000-memory.dmp

memory/2700-311-0x0000000002AD0000-0x0000000002B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2a7c2218-d0d3-47c4-b53a-8dbf58b03715.vbs

MD5 a51d29596fc7dc1472004d25554609eb
SHA1 35bf87da019654e06ffce21cb0523072ac2d1caa
SHA256 19f876a56bde7adb3e643902149fbe7868a7f03fe062d66fb79e873ddc191045
SHA512 14bb587d0e514cc7a82d9204a66479f0313ee7edfc2e4aa907b09008ae54551084612b1dc4e304b10c11af9f5d025bf122415ce7d36ba0da3bf5068e64c2d874

C:\Users\Admin\AppData\Local\Temp\237a0ea6-42f1-4691-8931-efbccd038c2b.vbs

MD5 104fa7507efe24f94f45fa63c2c09569
SHA1 0263d504d6cb47d658385cd679771321e6e85774
SHA256 22314453408133cd598a43c2666fe0889ebef04729dc9b31feebeb14ff4db871
SHA512 0b73a6c2c477d7e56e986f3cf1729f48801e06b31d001db7a21120000ab8d5863fc0c9c8b4ca872438b10d5f68fff3807c93a62f6126cb98b2ca03021ecb71e0

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Temp\ab51bf72-3c65-49e6-90b0-f56d9b348f92.vbs

MD5 247dfd5a0a50d5148719872d84de36f7
SHA1 938c8d67a135b65d7e356d83ceb1f83255d37e5d
SHA256 013482c461f170b1d41d97fdc1495960a018aec693d25e051335688bac45df4a
SHA512 f8d23dad17e67e1db9a23882f09ad03a91a9a3a1507d3215d1b2700fa25fff749453f8e0338a64b46caebfd0c19df6e4325584a828491a98580a481c88076270

C:\Users\Admin\AppData\Local\Temp\e5d2ae5f-e3e6-4591-84ab-a4f1f7db9a38.vbs

MD5 104fa7507efe24f94f45fa63c2c09569
SHA1 0263d504d6cb47d658385cd679771321e6e85774
SHA256 22314453408133cd598a43c2666fe0889ebef04729dc9b31feebeb14ff4db871
SHA512 0b73a6c2c477d7e56e986f3cf1729f48801e06b31d001db7a21120000ab8d5863fc0c9c8b4ca872438b10d5f68fff3807c93a62f6126cb98b2ca03021ecb71e0

C:\Users\Admin\AppData\Local\Temp\e5d2ae5f-e3e6-4591-84ab-a4f1f7db9a38.vbs

MD5 104fa7507efe24f94f45fa63c2c09569
SHA1 0263d504d6cb47d658385cd679771321e6e85774
SHA256 22314453408133cd598a43c2666fe0889ebef04729dc9b31feebeb14ff4db871
SHA512 0b73a6c2c477d7e56e986f3cf1729f48801e06b31d001db7a21120000ab8d5863fc0c9c8b4ca872438b10d5f68fff3807c93a62f6126cb98b2ca03021ecb71e0

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Temp\4c527f23-670a-46cc-8a7b-3c47917b820e.vbs

MD5 5eb7ad8f6b36dbf0dcfc2b14bb12013b
SHA1 c3edbfc7f943c87e2d08909bfeb074e694ebd869
SHA256 5ec0412313a473e9689550dff8d14b4261c17dc58c4c6045089f68681c4e2869
SHA512 9bb02a6c28b4b054bd5b6dcb35797c9f15036d4d3bc93832dec845742c2cc6c6fe26e7df3670eb67cc7018402a159d93708cd2d1b601546747b17eb7852f00e9

C:\Users\Admin\AppData\Local\Temp\a2bb5d38-a37a-4abc-9eaf-2d6b0dd6c35b.vbs

MD5 104fa7507efe24f94f45fa63c2c09569
SHA1 0263d504d6cb47d658385cd679771321e6e85774
SHA256 22314453408133cd598a43c2666fe0889ebef04729dc9b31feebeb14ff4db871
SHA512 0b73a6c2c477d7e56e986f3cf1729f48801e06b31d001db7a21120000ab8d5863fc0c9c8b4ca872438b10d5f68fff3807c93a62f6126cb98b2ca03021ecb71e0

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 06:52

Reported

2023-11-18 06:55

Platform

win10v2004-20231023-en

Max time kernel

135s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX664E.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX5C14.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX5C53.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX65C0.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files\Windows Multimedia Platform\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX4D90.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX4DB1.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DiagTrack\Settings\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File created C:\Windows\DiagTrack\Settings\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Windows\DiagTrack\Settings\RCX573D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Windows\DiagTrack\Settings\RCX575D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
File opened for modification C:\Windows\DiagTrack\Settings\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\cmd.exe
PID 2140 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\cmd.exe
PID 1200 wrote to memory of 5628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1200 wrote to memory of 5628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1200 wrote to memory of 6032 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
PID 1200 wrote to memory of 6032 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
PID 6032 wrote to memory of 628 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 6032 wrote to memory of 628 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 6032 wrote to memory of 6140 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 6032 wrote to memory of 6140 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 628 wrote to memory of 5880 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
PID 628 wrote to memory of 5880 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
PID 5880 wrote to memory of 5072 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 5880 wrote to memory of 5072 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 5880 wrote to memory of 2496 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe
PID 5880 wrote to memory of 2496 N/A C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\odt\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RMrapfWgvs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

"C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036e8838-67c6-452c-bc1d-dc507c53bc76.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs"

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7553c8b1-09da-49dd-81ab-26279e174160.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs"

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.111.227.11:443 tcp

Files

memory/2140-0-0x0000000000FE0000-0x000000000114C000-memory.dmp

memory/2140-2-0x0000000003560000-0x0000000003570000-memory.dmp

memory/2140-1-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/2140-3-0x0000000003350000-0x000000000335E000-memory.dmp

memory/2140-4-0x0000000001A00000-0x0000000001A08000-memory.dmp

memory/2140-5-0x0000000001A10000-0x0000000001A2C000-memory.dmp

memory/2140-6-0x0000000003500000-0x0000000003550000-memory.dmp

memory/2140-7-0x0000000001A30000-0x0000000001A38000-memory.dmp

memory/2140-8-0x0000000003360000-0x0000000003370000-memory.dmp

memory/2140-9-0x0000000003370000-0x0000000003386000-memory.dmp

memory/2140-10-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/2140-11-0x00000000034C0000-0x00000000034CA000-memory.dmp

memory/2140-12-0x00000000034D0000-0x00000000034DC000-memory.dmp

memory/2140-13-0x00000000034E0000-0x00000000034EC000-memory.dmp

memory/2140-14-0x00000000034F0000-0x00000000034F8000-memory.dmp

memory/2140-15-0x0000000003550000-0x000000000355C000-memory.dmp

memory/2140-16-0x000000001BE40000-0x000000001BE48000-memory.dmp

memory/2140-17-0x000000001BE50000-0x000000001BE5A000-memory.dmp

memory/2140-18-0x000000001C570000-0x000000001C57E000-memory.dmp

memory/2140-20-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

memory/2140-19-0x0000000003560000-0x0000000003570000-memory.dmp

memory/2140-21-0x000000001C5D0000-0x000000001C5DE000-memory.dmp

memory/2140-22-0x0000000003560000-0x0000000003570000-memory.dmp

memory/2140-23-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

memory/2140-24-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

memory/2140-25-0x000000001C600000-0x000000001C60A000-memory.dmp

memory/2140-26-0x000000001C710000-0x000000001C71C000-memory.dmp

memory/2140-29-0x0000000003560000-0x0000000003570000-memory.dmp

C:\Windows\DiagTrack\Settings\TextInputHost.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

memory/2140-52-0x0000000003560000-0x0000000003570000-memory.dmp

memory/2140-133-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

C:\Program Files\Windows Multimedia Platform\System.exe

MD5 89eb384c3dce5b29fa79213c2833f408
SHA1 06462692aa4db106d989161a02d66b1788b953c8
SHA256 b2bf7bbcace0aa60bc5ee9038cacf7554609b4d25942e349753f0485bca95c33
SHA512 2d0f94039a7c00b6bd468cb106b269885c1b65005c17ff74bcabc1c3d4c145d240e1d483272706fdd3c4e846139a7a80236ebbe9a2ce529f5c09b0707ca6cde9

memory/2140-229-0x0000000003560000-0x0000000003570000-memory.dmp

memory/4228-235-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/4228-237-0x000001A63A4E0000-0x000001A63A4F0000-memory.dmp

memory/4228-238-0x000001A63A4E0000-0x000001A63A4F0000-memory.dmp

memory/3476-241-0x000002696C990000-0x000002696C9A0000-memory.dmp

memory/2140-242-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/436-240-0x000001D599FF0000-0x000001D59A000000-memory.dmp

memory/436-239-0x000001D599FF0000-0x000001D59A000000-memory.dmp

memory/3584-243-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/3584-245-0x000001C26F420000-0x000001C26F430000-memory.dmp

memory/3584-244-0x000001C26F420000-0x000001C26F430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0khvrfi.mjw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2560-255-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/4228-256-0x000001A652D00000-0x000001A652D22000-memory.dmp

memory/2920-274-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/2692-313-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/2920-322-0x00000275F6290000-0x00000275F62A0000-memory.dmp

memory/2692-328-0x000001AD5E300000-0x000001AD5E310000-memory.dmp

memory/2920-342-0x00000275F6290000-0x00000275F62A0000-memory.dmp

memory/4744-343-0x000002497FFA0000-0x000002497FFB0000-memory.dmp

memory/1436-344-0x0000010ED53A0000-0x0000010ED53B0000-memory.dmp

memory/4744-354-0x000002497FFA0000-0x000002497FFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RMrapfWgvs.bat

MD5 6729c7a9089e2b36c28c30f79b0bd119
SHA1 26de799fe2123f7c78402ebd1af7270b5fb4a656
SHA256 e91c482308d7f82e811f8903cf124a97da9fc89709607613e5c634ea498c99f0
SHA512 bba1135a4098971654de59a8137a7c06f549eb422fd6f65d72958ebf36038e0ac3cfa139d43c453e988b72ed033c305dd998807349d3d4aab5654c6427713d58

memory/3316-365-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/3316-367-0x000002C7F6EB0000-0x000002C7F6EC0000-memory.dmp

memory/3316-366-0x000002C7F6EB0000-0x000002C7F6EC0000-memory.dmp

memory/436-368-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/3476-369-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/4744-370-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/1652-371-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/1436-372-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/2580-373-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

memory/2580-374-0x000002970DCF0000-0x000002970DD00000-memory.dmp

memory/2560-375-0x0000023BE3D80000-0x0000023BE3D90000-memory.dmp

memory/3584-377-0x000001C26F420000-0x000001C26F430000-memory.dmp

memory/436-376-0x000001D599FF0000-0x000001D59A000000-memory.dmp

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.ee9c47c40454820e89d46e4b89068090.exe.log

MD5 c6ecc3bc2cdd7883e4f2039a5a5cf884
SHA1 20c9dd2a200e4b0390d490a7a76fa184bfc78151
SHA256 b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d
SHA512 892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d4235aa2e6d782751f980ceb6e5021
SHA1 f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512 dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs

MD5 4bc1e889ee0a8952ad2eeca1e8943b8c
SHA1 de90fa5118c7a16fc2778b541b14aae4b4048c3b
SHA256 7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c
SHA512 d9c16611c4243357f9f906176fcd79452f6164af3ff47c87123269a62371545ba27edf41f3547a4d38fbd0d21faeea5fbaebe0c20c8ce7a5c827ea587f3788ad

C:\Users\Admin\AppData\Local\Temp\036e8838-67c6-452c-bc1d-dc507c53bc76.vbs

MD5 3a86baa623c907364d46468d16f82d73
SHA1 31bbc133d6272f93cebe253de9b10f71512ff78c
SHA256 246a22003b3b7f900a6d213775f510075655b71a23f38285172184d68854297c
SHA512 d654a6e85b23821c6439d44ab980d73ff673bb9aa693a35d4101bfdc29772799de41ac8b89f1bb5692092a7d7922296237fbe298a0757b2a5639eb22ef278764

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs

MD5 4bc1e889ee0a8952ad2eeca1e8943b8c
SHA1 de90fa5118c7a16fc2778b541b14aae4b4048c3b
SHA256 7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c
SHA512 d9c16611c4243357f9f906176fcd79452f6164af3ff47c87123269a62371545ba27edf41f3547a4d38fbd0d21faeea5fbaebe0c20c8ce7a5c827ea587f3788ad

C:\Users\Admin\AppData\Local\Temp\7553c8b1-09da-49dd-81ab-26279e174160.vbs

MD5 e64100a6b3234da3614ee9941d8d6613
SHA1 91ca80a449b9221abff3ad2a694dfc615b15cca5
SHA256 b24686f84754d8ca1de4e29e41e160ec389b28ca84a8f0bad944074e58238d62
SHA512 dabf797ad949a428999a1fc13d40b865c7c80eb007e60354ae72316e611f23a421e66c33acd2dfbc7723906cfd28b7009f0d9322363643769fcf466e9a94e136

C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs

MD5 4bc1e889ee0a8952ad2eeca1e8943b8c
SHA1 de90fa5118c7a16fc2778b541b14aae4b4048c3b
SHA256 7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c
SHA512 d9c16611c4243357f9f906176fcd79452f6164af3ff47c87123269a62371545ba27edf41f3547a4d38fbd0d21faeea5fbaebe0c20c8ce7a5c827ea587f3788ad

C:\Users\Admin\AppData\Local\Temp\20bd9834279b4b2d8393e47fd378a9316c46a09a.exe

MD5 ee9c47c40454820e89d46e4b89068090
SHA1 74c981d480a6997b8f6f3ffe6c5ba9b005070f3d
SHA256 1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
SHA512 36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

MD5 cdfe0369bf3b7aee8c060d4a29aabb8f
SHA1 7305b0f79f605e56f8b379ed92e30dca2eb350fc
SHA256 bb6944164b5629f184bc014ac0a4584d98353a81b3ddca53c3c3aa3b39b7f275
SHA512 74958e574011f30459d0f127c9758ab5d3da34396612dd46733bab7cf017d33bad85d089f19329d9a344bacfd5626b07578b3ac0ec61dff420f8f428a35a7f4e