dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Size

1.6MB
MD5

5355cb64d0008d7ed7267cebea8f9bc4
SHA1

4f8fc970efa45c2f547e8583b49eb543b778f001
SHA256

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f
SHA512

cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/276-1-0x0000000000250000-0x00000000003F2000-memory.dmp	dcrat
behavioral25/files/0x000500000001a4d5-25.dat	dcrat
behavioral25/files/0x000700000001c85a-56.dat	dcrat
behavioral25/files/0x000600000001a4cd-78.dat	dcrat
behavioral25/files/0x000900000001a4cf-101.dat	dcrat
behavioral25/files/0x000700000001a4d9-112.dat	dcrat
behavioral25/memory/2500-127-0x0000000001390000-0x0000000001532000-memory.dmp	dcrat
behavioral25/memory/2112-187-0x0000000000030000-0x00000000001D2000-memory.dmp	dcrat
behavioral25/memory/1708-199-0x0000000000C00000-0x0000000000DA2000-memory.dmp	dcrat
behavioral25/memory/616-211-0x0000000001120000-0x00000000012C2000-memory.dmp	dcrat
behavioral25/memory/2856-223-0x00000000002A0000-0x0000000000442000-memory.dmp	dcrat
behavioral25/memory/2436-235-0x0000000000D70000-0x0000000000F12000-memory.dmp	dcrat
behavioral25/memory/2244-247-0x0000000000160000-0x0000000000302000-memory.dmp	dcrat
behavioral25/memory/2844-259-0x0000000000190000-0x0000000000332000-memory.dmp	dcrat
behavioral25/memory/2860-271-0x0000000000290000-0x0000000000432000-memory.dmp	dcrat
behavioral25/memory/1908-283-0x0000000001340000-0x00000000014E2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
1664	powershell.exe
2376	powershell.exe
1744	powershell.exe
1488	powershell.exe
1864	powershell.exe
2580	powershell.exe
920	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2500	services.exe
892	services.exe
2112	services.exe
1708	services.exe
616	services.exe
2856	services.exe
2436	services.exe
2244	services.exe
2844	services.exe
2860	services.exe
1908	services.exe
1528	services.exe
1596	services.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Microsoft Office\5940a34987c991	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXEA33.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXF872.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXEA32.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXF804.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Windows Sidebar\es-ES\0a1fd5f707cd16	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\RCXF189.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\Media\Characters\cc11b995f2a76d	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\explorer.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\Media\Characters\winlogon.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\Branding\Basebrd\en-US\explorer.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\Branding\Basebrd\en-US\7a0fd90576e088	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\AppPatch\Custom\Custom64\5940a34987c991	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Media\Characters\RCXECA5.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXEEAA.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\RCXF11B.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\AppPatch\Custom\Custom64\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Media\Characters\RCXEC37.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Media\Characters\winlogon.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXEEA9.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
1936	schtasks.exe
1648	schtasks.exe
1516	schtasks.exe
1916	schtasks.exe
2208	schtasks.exe
2768	schtasks.exe
2700	schtasks.exe
2696	schtasks.exe
1964	schtasks.exe
2612	schtasks.exe
2556	schtasks.exe
912	schtasks.exe
1068	schtasks.exe
2996	schtasks.exe
2776	schtasks.exe
2752	schtasks.exe
2712	schtasks.exe
484	schtasks.exe
692	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
2376	powershell.exe
1864	powershell.exe
904	powershell.exe
1664	powershell.exe
1488	powershell.exe
1744	powershell.exe
2580	powershell.exe
920	powershell.exe
2500	services.exe
892	services.exe
2112	services.exe
1708	services.exe
616	services.exe
2856	services.exe
2436	services.exe
2244	services.exe
2844	services.exe
2860	services.exe
1908	services.exe
1528	services.exe
1596	services.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2500	services.exe
Token: SeDebugPrivilege	892	services.exe
Token: SeDebugPrivilege	2112	services.exe
Token: SeDebugPrivilege	1708	services.exe
Token: SeDebugPrivilege	616	services.exe
Token: SeDebugPrivilege	2856	services.exe
Token: SeDebugPrivilege	2436	services.exe
Token: SeDebugPrivilege	2244	services.exe
Token: SeDebugPrivilege	2844	services.exe
Token: SeDebugPrivilege	2860	services.exe
Token: SeDebugPrivilege	1908	services.exe
Token: SeDebugPrivilege	1528	services.exe
Token: SeDebugPrivilege	1596	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 1488	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	53
PID 276 wrote to memory of 1488	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	53
PID 276 wrote to memory of 1488	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	53
PID 276 wrote to memory of 1744	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	54
PID 276 wrote to memory of 1744	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	54
PID 276 wrote to memory of 1744	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	54
PID 276 wrote to memory of 2376	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	55
PID 276 wrote to memory of 2376	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	55
PID 276 wrote to memory of 2376	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	55
PID 276 wrote to memory of 1664	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	58
PID 276 wrote to memory of 1664	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	58
PID 276 wrote to memory of 1664	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	58
PID 276 wrote to memory of 904	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 276 wrote to memory of 904	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 276 wrote to memory of 904	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 276 wrote to memory of 920	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 276 wrote to memory of 920	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 276 wrote to memory of 920	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 276 wrote to memory of 2580	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 276 wrote to memory of 2580	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 276 wrote to memory of 2580	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 276 wrote to memory of 1864	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 276 wrote to memory of 1864	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 276 wrote to memory of 1864	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 276 wrote to memory of 2500	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	69
PID 276 wrote to memory of 2500	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	69
PID 276 wrote to memory of 2500	276	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	69
PID 2500 wrote to memory of 2568	2500	services.exe	70
PID 2500 wrote to memory of 2568	2500	services.exe	70
PID 2500 wrote to memory of 2568	2500	services.exe	70
PID 2500 wrote to memory of 772	2500	services.exe	71
PID 2500 wrote to memory of 772	2500	services.exe	71
PID 2500 wrote to memory of 772	2500	services.exe	71
PID 2568 wrote to memory of 892	2568	WScript.exe	72
PID 2568 wrote to memory of 892	2568	WScript.exe	72
PID 2568 wrote to memory of 892	2568	WScript.exe	72
PID 892 wrote to memory of 2192	892	services.exe	73
PID 892 wrote to memory of 2192	892	services.exe	73
PID 892 wrote to memory of 2192	892	services.exe	73
PID 892 wrote to memory of 448	892	services.exe	74
PID 892 wrote to memory of 448	892	services.exe	74
PID 892 wrote to memory of 448	892	services.exe	74
PID 2192 wrote to memory of 2112	2192	WScript.exe	75
PID 2192 wrote to memory of 2112	2192	WScript.exe	75
PID 2192 wrote to memory of 2112	2192	WScript.exe	75
PID 2112 wrote to memory of 1872	2112	services.exe	76
PID 2112 wrote to memory of 1872	2112	services.exe	76
PID 2112 wrote to memory of 1872	2112	services.exe	76
PID 2112 wrote to memory of 2072	2112	services.exe	77
PID 2112 wrote to memory of 2072	2112	services.exe	77
PID 2112 wrote to memory of 2072	2112	services.exe	77
PID 1872 wrote to memory of 1708	1872	WScript.exe	78
PID 1872 wrote to memory of 1708	1872	WScript.exe	78
PID 1872 wrote to memory of 1708	1872	WScript.exe	78
PID 1708 wrote to memory of 2732	1708	services.exe	79
PID 1708 wrote to memory of 2732	1708	services.exe	79
PID 1708 wrote to memory of 2732	1708	services.exe	79
PID 1708 wrote to memory of 788	1708	services.exe	80
PID 1708 wrote to memory of 788	1708	services.exe	80
PID 1708 wrote to memory of 788	1708	services.exe	80
PID 2732 wrote to memory of 616	2732	WScript.exe	81
PID 2732 wrote to memory of 616	2732	WScript.exe	81
PID 2732 wrote to memory of 616	2732	WScript.exe	81
PID 616 wrote to memory of 2228	616	services.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
"C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Characters\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\en-US\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Users\Public\services.exe
  "C:\Users\Public\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28704fbf-acdf-41e6-8a41-ec1278018627.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Public\services.exe
      C:\Users\Public\services.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6ee4327-b63a-4602-8268-8d12f28b1707.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc511bfb-8515-4f43-a07e-afbeda9941ed.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef294348-83a5-4ac0-b804-539dd08a40bd.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d604d61e-0b03-4fcb-aee0-c9d1c9a697be.vbs"
        11⤵
        
        PID:2228
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b560ba52-2b21-41eb-b6e4-50d27896867d.vbs"
        13⤵
        
        PID:2136
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c67930c-e336-4ab4-ae27-88e8729b85ab.vbs"
        15⤵
        
        PID:2460
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ce74127-f03a-4d14-bf81-688253a1e888.vbs"
        17⤵
        
        PID:548
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fefd026a-e005-4284-b2e2-13445897043c.vbs"
        19⤵
        
        PID:1608
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1dbdf3-b7d0-45f3-97a6-b4b59137ff85.vbs"
        21⤵
        
        PID:960
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\642ed63e-d399-47d7-9c88-3d2771647fc1.vbs"
        23⤵
        
        PID:536
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65bf682f-a7eb-4cc8-91eb-910df5ba8854.vbs"
        25⤵
        
        PID:916
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52b91ffd-1e86-4dd4-b3f4-58367039a194.vbs"
        27⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c888d934-059f-48a4-9d58-f3a38faaa71a.vbs"
        27⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e47180-4456-4b05-982d-5bca3db31f72.vbs"
        25⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e951d425-068c-4210-a3aa-8c105a8c0f93.vbs"
        23⤵
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8047c03-1eb5-4d80-b88a-82917fa23f39.vbs"
        21⤵
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\202cba81-5e9b-475d-a5a7-b9fe7378c047.vbs"
        19⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a73611e-fc81-4321-bf5c-97ca73b87e66.vbs"
        17⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fbd4aaa-226f-4909-924d-fa6160a5eadc.vbs"
        15⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31a3b0b8-e184-4533-a9de-71891c58871c.vbs"
        13⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b6d63eb-542d-4c9d-8121-5d5b5373bf1b.vbs"
        11⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe3ba5ea-c1bc-4182-910d-283368a69f57.vbs"
        9⤵
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ca3b4b3-c04b-4ae0-b199-aaa2f861f00a.vbs"
        7⤵
        
        PID:2072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a225213-0722-4729-af91-414c3af9b79d.vbs"
        5⤵
        
        PID:448
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0078271e-2e52-4c37-a9b2-ed24b96acd8a.vbs"
    3⤵
    PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Characters\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Characters\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\dllhost.exe

Filesize
1.6MB

MD5
e4480e29f35a6ba96131d493357831b0

SHA1
fbcce23b1ce8b88f49ee411958f7f6e511e69565

SHA256
728d9d9a77ceb3ad860d6197e2f9a11151adac9d660a17cc6817b89abadf2975

SHA512
2210338059f9ad9182aefa36bdf8cd4d8cde9b464de19b2094746bc3f502eb50a9b156a88adbd073e843c8ab1fdc36f628187a015c71f50a41cbd3aeb58a1655

Download Submit
C:\Users\Admin\AppData\Local\Temp\0078271e-2e52-4c37-a9b2-ed24b96acd8a.vbs

Filesize
480B

MD5
71981a8e74e896eed10b39383f5a9014

SHA1
e7e1d5afb575f98c4c924bfc4159efed3db3bb51

SHA256
bb2c0b0d6f8975f585bb1f78f078cad1f8ec14a7eea474e0b882d6cb2b574d92

SHA512
0334badef114df10907d977a570db4ae9fdd1599d674a08142fe92bc958ec30a85cd2f33f29b33d1f5f9c95f46f9a0bfa04e86a9e1db64aa2671ee7d18f70fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ce74127-f03a-4d14-bf81-688253a1e888.vbs

Filesize
704B

MD5
dfcc793eaf064e124f00a1d4773d8e0c

SHA1
b1ca65c018b7ecbe0d3c8d86d855b865a13bc17d

SHA256
dd0e2a59b5b5a377e10f11959d5ae2187d83e19d8b69cadfa086d537f825bf22

SHA512
29508cff6bdb8ad28ab322885242bcb4c6af9a8442db43b767d2ebfe3651fa4647c3e0caf0316a21f38d9dcd4f0e57826f644f23ef31c0a15054b39b2452b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\28704fbf-acdf-41e6-8a41-ec1278018627.vbs

Filesize
704B

MD5
133b44124de7fbf185dc6d61bc149be0

SHA1
a20ecd7958d6250c3ce95d21ac7144a8ea69680c

SHA256
b7ffe076fad520e9826ed5d3067aeafd920b69d1edab3edd212cbbd251993643

SHA512
f123b45f7fd553697b9a0f5bc95345c123c004c4f352f3906202b9a2172d6b1dfa7972ecfdcd5907272d6599342588ea44ace2678b6d657f556b29c102532f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\52b91ffd-1e86-4dd4-b3f4-58367039a194.vbs

Filesize
704B

MD5
595a93c42f039227c941d61b7c179ab9

SHA1
e19fdcac90aafd238de841758dc8fb1c4ec772df

SHA256
785667ae3ae9797316ab13439e878ae3010a7032bb7b7f07657f06262abb0b44

SHA512
0b003757439466fa7cd55b044345640bf5f89054091a9bc52425b6b2f3e73d9e89d1a9b662175f7e86fe8045bffe8fc4959efa68ad4e31266862628d8228a9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b1dbdf3-b7d0-45f3-97a6-b4b59137ff85.vbs

Filesize
704B

MD5
2bb225b74e678e86134dc96e52f7413c

SHA1
f9f5eecae5dbeb1c72637b091baa750e7c87a87f

SHA256
dad53cbc5974e6cba53313557c1828dc9f4d2f1f600ff69251f2ad0eaadd1ff3

SHA512
00d71436c94d73e3f8c78d14b535289fc3b307d3e955ba776a47f3b5b427a842da9a5114d95f7afc128e03d0840c96c07ffbb8e6f8b916b68b088fa4787972b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\642ed63e-d399-47d7-9c88-3d2771647fc1.vbs

Filesize
704B

MD5
6e14e93544677b0fbe4f9e6dc82d55ac

SHA1
e3c1aed88f4d42eb873e3cde34285186a76afcca

SHA256
455ce0558ff215b73254bff0f1eb32b33ad3f37021db4599302c20b002e912cd

SHA512
fdad26d360c5a1663ae5033cf64652d2325384d10dc9be56cd3ffede9f0e13e98f8b7dfc21cf40ebde92b285c394ec0a8d0b799658de2040867451d5ad4a9070

Download Submit
C:\Users\Admin\AppData\Local\Temp\65bf682f-a7eb-4cc8-91eb-910df5ba8854.vbs

Filesize
704B

MD5
fd9ed53206efd00a5c7fdc0602ce8740

SHA1
f51bf56858f196bd6e668ca656971f57e2b08c5e

SHA256
71aa5d5d23e0a85e68f0b3c9f25ebd7bed7970ba3fa6a8a858dcab0e80bf1608

SHA512
6a11c5c5f5811dab2648502dabaeb5cb5e85cec698f4831e0037f9d012a27d64cd2df197d3171c8449da2c71084ec70e3be1fefc000f61783797a90f5d75c808

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c67930c-e336-4ab4-ae27-88e8729b85ab.vbs

Filesize
704B

MD5
a91e6fcfc6f7b1796770ce6b50eac3bf

SHA1
66c5a80c19d8eb4b7b2e5b31f2db44876c8760cb

SHA256
b00db194e5ca2b0cebd3ffa61ed0927c9d810136cdb79f76fcf55c7b39c7dd56

SHA512
79b206959140b7f0ebdb45d210cc88439bd86c274272870a916eda21f8c67cac3ece6434e63c1d9abb0dbe6b7eda150f8d90a20171d966ecbab12d8c42ba8538

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6ee4327-b63a-4602-8268-8d12f28b1707.vbs

Filesize
703B

MD5
a5865da8bae7c7add72fa8305f238855

SHA1
82d83dd14d0dda3f0018543236ea2fb6406226ca

SHA256
ed2c1ee8f803d0aa93fb6b6ba5e09c9f6ace7fecf3504499122d1d306b4ff855

SHA512
00e30e68b1bda60f156d634107f9b1673937d1f4b1640efa3a063dc96a04cdf8b998b3a95e0bf643e6e65945956ed5a39a1c7b8c5e10ba6b9033a9b8b09c618e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b560ba52-2b21-41eb-b6e4-50d27896867d.vbs

Filesize
704B

MD5
190dc0d6289774057af4edf287a66398

SHA1
f2b776b1a800a17049d8cca39a09627ab338429e

SHA256
6fcd7d9c97099af7e47c85eb62558aebdba2771d3a69f82f353d7267e8335ba0

SHA512
25bd7cc029827efdbc23f30f9db2c3b28796667597e6c2388a57dd2f291b7cab908c1b10581ae5930aa35c1830849af16500b070e9a18986cffb204cee9d5d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc511bfb-8515-4f43-a07e-afbeda9941ed.vbs

Filesize
704B

MD5
a6666afe63b49a592f5eddc9d0c4da8f

SHA1
71d2c20960b59de15ca6962c5357c4ebb8002b9d

SHA256
4cef4b0a0237313c3b07e5d6daa9cad2bc8e8b6a5a92f947dd78768045e2f04d

SHA512
6dde49a109ed6a5cf9c033d78840a6a02ee5489158090879835a71b7673dbd12857592b3d0b8ba45b3688cc148b721a7c0cfcae9a4fcad670a3a006de728b505

Download Submit
C:\Users\Admin\AppData\Local\Temp\d604d61e-0b03-4fcb-aee0-c9d1c9a697be.vbs

Filesize
703B

MD5
969fce781a8a10e92b135ef331f9c9e9

SHA1
345f804ef176215284c3c630b878db89e6c23769

SHA256
44559b760c40938ea6446d6d61b89fd06f0cf9c492099f5da64340cd71dd0b12

SHA512
480f8f52ac3952045847800529b7d3acb1ca4471e27e43bffa890bd3a7df35852ea7bac86b0143af367750189bf5b0493583bc8957beec2fdbe33f5bd5146847

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef294348-83a5-4ac0-b804-539dd08a40bd.vbs

Filesize
704B

MD5
b4748c2ad394a593ae299569924affa5

SHA1
7f0d0060d21a9a9e10cea0c9086de6335ad00d65

SHA256
427f71b709be3fa537b89918d03fc9754bb67cb2ece4ad7d6e29eb8196aabbb0

SHA512
37b67d20564cbef7815e55deb3e6360a7afd58acf73a871494292ebecd6b93653a218e64711537e3dd712201dd5bf3d2ed5551d230fb2ea32bf66ea6bbff76e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefd026a-e005-4284-b2e2-13445897043c.vbs

Filesize
704B

MD5
62525d251a0cd7bc59440f09587b7716

SHA1
b5ac78cb796983fa28de766ce55da2c75bfd3efc

SHA256
34e34744d8b5e7f64a650d25c230a471299f22e1ce9943c6d1df3361bc77fa88

SHA512
6dd6ce003bf89a84f28433ebf4a1be3134b65b0ac0b3666319509a12d1919b3c9c502f2aba9ba65a914a93b96558a05559da74420c15553278c67ecb9110d42b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07a14455429146b5ee568300af47fa78

SHA1
c6552d20ab007c96c3c33ce4f4ab089ea1b55ebd

SHA256
6871c67bda3920d02c1831393fb1ef6b8c6e700ae01745d7d6afabb34ceec247

SHA512
dc5c99cde3d338cf27cb82b22028bc78feb2979451a4dbcdae4b5e9eb9c28a295df6a8825ca4f13c1a65943c3fe1c3ecf2a8f615eec58eadbecc52b686074ab8

Download Submit
C:\Users\Public\Favorites\taskhost.exe

Filesize
1.6MB

MD5
5b6a322e6cd25cc88a405c8ab45a6195

SHA1
a4af0e43ba1222ad96c413f4c0db19e5623e77ec

SHA256
ef4d150854cfbeca5c4d143e4192415e8c303ad125def54932c1084e591f2fa7

SHA512
c298b59fbef321d182a333389fb948058fe3f6bea07cbda54ca2774972c66cd993347439d42deb16b4ca6e57c1cb17361e8d2a0924edf779b65c55a1843a76d7

Download Submit
C:\Users\Public\services.exe

Filesize
1.6MB

MD5
5355cb64d0008d7ed7267cebea8f9bc4

SHA1
4f8fc970efa45c2f547e8583b49eb543b778f001

SHA256
c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f

SHA512
cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6

Download Submit
C:\Windows\AppPatch\Custom\Custom64\dllhost.exe

Filesize
1.6MB

MD5
bad3ae958db132b6354957bca4e19651

SHA1
27a61ad416ce05a97c3d81db24820a17a8c590be

SHA256
08be6138ed6de5b65d39839de8c8e80e05a882fad69724d8449ca1b2df09e930

SHA512
7bed8841be715723910ce5689a2314b20ff6f0200c16bea9ea33192a85cfc77ee25f7dd596e119fab035e290cc1a6046349f6fe3f10cd127dfac54c48250620e

Download Submit
C:\Windows\Media\Characters\winlogon.exe

Filesize
1.6MB

MD5
59972d22fcacdcbb3a22fc567bb9a42f

SHA1
bb4872ef546a98a1a6212923d1791cef7f002ea5

SHA256
f21ac2723fc6e6eaa9c2062b4627a0c76c71633ec866fd72eb733e8eca97f2cc

SHA512
c9aebb08905e2123a4fcf737332693af67c4cd69f873f6052d01c6f9671880903124f122119f3e6706ee4b31abdc6ad2a50781d68a1f8c6906fdedf049acfd9b

Download Submit
memory/276-10-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/276-13-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/276-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/276-147-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

Filesize
9.9MB

Download
memory/276-5-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/276-1-0x0000000000250000-0x00000000003F2000-memory.dmp

Filesize
1.6MB

Download
memory/276-2-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

Filesize
9.9MB

Download
memory/276-6-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/276-8-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/276-9-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/276-4-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/276-0-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

Filesize
4KB

Download
memory/276-7-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/276-11-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/276-12-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/276-16-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/276-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/276-14-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/616-211-0x0000000001120000-0x00000000012C2000-memory.dmp

Filesize
1.6MB

Download
memory/1708-199-0x0000000000C00000-0x0000000000DA2000-memory.dmp

Filesize
1.6MB

Download
memory/1908-283-0x0000000001340000-0x00000000014E2000-memory.dmp

Filesize
1.6MB

Download
memory/2112-187-0x0000000000030000-0x00000000001D2000-memory.dmp

Filesize
1.6MB

Download
memory/2244-247-0x0000000000160000-0x0000000000302000-memory.dmp

Filesize
1.6MB

Download
memory/2376-137-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2376-125-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-235-0x0000000000D70000-0x0000000000F12000-memory.dmp

Filesize
1.6MB

Download
memory/2500-127-0x0000000001390000-0x0000000001532000-memory.dmp

Filesize
1.6MB

Download
memory/2844-259-0x0000000000190000-0x0000000000332000-memory.dmp

Filesize
1.6MB

Download
memory/2856-223-0x00000000002A0000-0x0000000000442000-memory.dmp

Filesize
1.6MB

Download
memory/2860-271-0x0000000000290000-0x0000000000432000-memory.dmp

Filesize
1.6MB

Download