dcrat | 5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3925d50ec09cade5278e78250a503852.exe
Size

885KB
MD5

3925d50ec09cade5278e78250a503852
SHA1

2bc4c2fc3e2b24577b7e6901378fa378e6601dc9
SHA256

70095186bd0a9bdafdf96d48c8d17b1539b12fd80480259a5be27c3d5de188cb
SHA512

e93d68eed7a30d6dcbcc3d113b8c0dd80330753b8163f3ca7cfbe484391952e22649d2d33e652b0bf7ffc03afbbee5aaffd076b5dc1426ac802de95554426a3c
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	928	schtasks.exe	89

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/2244-1-0x00000000004B0000-0x0000000000594000-memory.dmp	dcrat
behavioral20/files/0x000700000002425f-19.dat	dcrat
behavioral20/files/0x000700000002426a-40.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	3925d50ec09cade5278e78250a503852.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 14 IoCs

pid	Process
4956	StartMenuExperienceHost.exe
3540	StartMenuExperienceHost.exe
3868	StartMenuExperienceHost.exe
3928	StartMenuExperienceHost.exe
4660	StartMenuExperienceHost.exe
5180	StartMenuExperienceHost.exe
968	StartMenuExperienceHost.exe
5136	StartMenuExperienceHost.exe
4464	StartMenuExperienceHost.exe
5760	StartMenuExperienceHost.exe
3100	StartMenuExperienceHost.exe
5116	StartMenuExperienceHost.exe
1716	StartMenuExperienceHost.exe
5920	StartMenuExperienceHost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Icons\sihost.exe	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files\ModifiableWindowsApps\spoolsv.exe	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX73FF.tmp	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX7400.tmp	3925d50ec09cade5278e78250a503852.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5008	schtasks.exe
4216	schtasks.exe
3204	schtasks.exe
2980	schtasks.exe
3144	schtasks.exe
2208	schtasks.exe
2132	schtasks.exe
4504	schtasks.exe
3976	schtasks.exe
4624	schtasks.exe
4812	schtasks.exe
4608	schtasks.exe
592	schtasks.exe
5292	schtasks.exe
5100	schtasks.exe
1236	schtasks.exe
1612	schtasks.exe
4452	schtasks.exe
4580	schtasks.exe
4708	schtasks.exe
3180	schtasks.exe
4476	schtasks.exe
4460	schtasks.exe
4712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2244	3925d50ec09cade5278e78250a503852.exe
2244	3925d50ec09cade5278e78250a503852.exe
2244	3925d50ec09cade5278e78250a503852.exe
4956	StartMenuExperienceHost.exe
3540	StartMenuExperienceHost.exe
3868	StartMenuExperienceHost.exe
3928	StartMenuExperienceHost.exe
4660	StartMenuExperienceHost.exe
4660	StartMenuExperienceHost.exe
5180	StartMenuExperienceHost.exe
968	StartMenuExperienceHost.exe
5136	StartMenuExperienceHost.exe
4464	StartMenuExperienceHost.exe
5760	StartMenuExperienceHost.exe
3100	StartMenuExperienceHost.exe
5116	StartMenuExperienceHost.exe
1716	StartMenuExperienceHost.exe
5920	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	3925d50ec09cade5278e78250a503852.exe
Token: SeDebugPrivilege	4956	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3540	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3868	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3928	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4660	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5180	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	968	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5136	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4464	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5760	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3100	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5116	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1716	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5920	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4956	2244	3925d50ec09cade5278e78250a503852.exe	114
PID 2244 wrote to memory of 4956	2244	3925d50ec09cade5278e78250a503852.exe	114
PID 4956 wrote to memory of 5624	4956	StartMenuExperienceHost.exe	115
PID 4956 wrote to memory of 5624	4956	StartMenuExperienceHost.exe	115
PID 4956 wrote to memory of 5280	4956	StartMenuExperienceHost.exe	116
PID 4956 wrote to memory of 5280	4956	StartMenuExperienceHost.exe	116
PID 5624 wrote to memory of 3540	5624	WScript.exe	120
PID 5624 wrote to memory of 3540	5624	WScript.exe	120
PID 3540 wrote to memory of 3912	3540	StartMenuExperienceHost.exe	122
PID 3540 wrote to memory of 3912	3540	StartMenuExperienceHost.exe	122
PID 3540 wrote to memory of 5516	3540	StartMenuExperienceHost.exe	123
PID 3540 wrote to memory of 5516	3540	StartMenuExperienceHost.exe	123
PID 3912 wrote to memory of 3868	3912	WScript.exe	127
PID 3912 wrote to memory of 3868	3912	WScript.exe	127
PID 3868 wrote to memory of 5096	3868	StartMenuExperienceHost.exe	128
PID 3868 wrote to memory of 5096	3868	StartMenuExperienceHost.exe	128
PID 3868 wrote to memory of 5656	3868	StartMenuExperienceHost.exe	129
PID 3868 wrote to memory of 5656	3868	StartMenuExperienceHost.exe	129
PID 5096 wrote to memory of 3928	5096	WScript.exe	130
PID 5096 wrote to memory of 3928	5096	WScript.exe	130
PID 3928 wrote to memory of 5700	3928	StartMenuExperienceHost.exe	131
PID 3928 wrote to memory of 5700	3928	StartMenuExperienceHost.exe	131
PID 3928 wrote to memory of 3248	3928	StartMenuExperienceHost.exe	132
PID 3928 wrote to memory of 3248	3928	StartMenuExperienceHost.exe	132
PID 5700 wrote to memory of 4660	5700	WScript.exe	136
PID 5700 wrote to memory of 4660	5700	WScript.exe	136
PID 4660 wrote to memory of 64	4660	StartMenuExperienceHost.exe	138
PID 4660 wrote to memory of 64	4660	StartMenuExperienceHost.exe	138
PID 4660 wrote to memory of 1828	4660	StartMenuExperienceHost.exe	139
PID 4660 wrote to memory of 1828	4660	StartMenuExperienceHost.exe	139
PID 64 wrote to memory of 5180	64	WScript.exe	143
PID 64 wrote to memory of 5180	64	WScript.exe	143
PID 5180 wrote to memory of 732	5180	StartMenuExperienceHost.exe	144
PID 5180 wrote to memory of 732	5180	StartMenuExperienceHost.exe	144
PID 5180 wrote to memory of 1768	5180	StartMenuExperienceHost.exe	145
PID 5180 wrote to memory of 1768	5180	StartMenuExperienceHost.exe	145
PID 732 wrote to memory of 968	732	WScript.exe	146
PID 732 wrote to memory of 968	732	WScript.exe	146
PID 968 wrote to memory of 2124	968	StartMenuExperienceHost.exe	147
PID 968 wrote to memory of 2124	968	StartMenuExperienceHost.exe	147
PID 968 wrote to memory of 3104	968	StartMenuExperienceHost.exe	148
PID 968 wrote to memory of 3104	968	StartMenuExperienceHost.exe	148
PID 2124 wrote to memory of 5136	2124	WScript.exe	150
PID 2124 wrote to memory of 5136	2124	WScript.exe	150
PID 5136 wrote to memory of 2676	5136	StartMenuExperienceHost.exe	151
PID 5136 wrote to memory of 2676	5136	StartMenuExperienceHost.exe	151
PID 5136 wrote to memory of 2016	5136	StartMenuExperienceHost.exe	152
PID 5136 wrote to memory of 2016	5136	StartMenuExperienceHost.exe	152
PID 2676 wrote to memory of 4464	2676	WScript.exe	153
PID 2676 wrote to memory of 4464	2676	WScript.exe	153
PID 4464 wrote to memory of 4424	4464	StartMenuExperienceHost.exe	154
PID 4464 wrote to memory of 4424	4464	StartMenuExperienceHost.exe	154
PID 4464 wrote to memory of 5680	4464	StartMenuExperienceHost.exe	155
PID 4464 wrote to memory of 5680	4464	StartMenuExperienceHost.exe	155
PID 4424 wrote to memory of 5760	4424	WScript.exe	156
PID 4424 wrote to memory of 5760	4424	WScript.exe	156
PID 5760 wrote to memory of 2204	5760	StartMenuExperienceHost.exe	157
PID 5760 wrote to memory of 2204	5760	StartMenuExperienceHost.exe	157
PID 5760 wrote to memory of 2592	5760	StartMenuExperienceHost.exe	158
PID 5760 wrote to memory of 2592	5760	StartMenuExperienceHost.exe	158
PID 2204 wrote to memory of 3100	2204	WScript.exe	159
PID 2204 wrote to memory of 3100	2204	WScript.exe	159
PID 3100 wrote to memory of 2616	3100	StartMenuExperienceHost.exe	160
PID 3100 wrote to memory of 2616	3100	StartMenuExperienceHost.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3925d50ec09cade5278e78250a503852.exe
"C:\Users\Admin\AppData\Local\Temp\3925d50ec09cade5278e78250a503852.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
  "C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ea7eb0-7188-4735-b06d-ef3bc982dc74.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
      C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9ea832-416f-459f-9146-fda3af164ed3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
      - C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d03636e-1e3a-46a7-ad55-f81629858e67.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c090029-87ef-469d-870b-632212b37c75.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5700
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca2db36-abfb-40c3-9933-81702726a296.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9579118e-300f-4fb6-aa70-90735e044ead.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c58af6a0-fb91-41e5-8f59-147075e0457c.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af35b97b-0444-4e92-aa00-2d1336835a46.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8a88c08-b613-4149-a6cc-0fc53783920b.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e27d9ebc-2dd5-4579-b625-fb620837aa2a.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54c19292-daf9-4a7d-81be-405ce8dd4032.vbs"
        23⤵
        
        PID:2616
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c64b442b-9d73-420d-ac61-9a1b475dc9f9.vbs"
        25⤵
        
        PID:5836
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\933496e2-23e0-4ccf-b2cf-69063d259d35.vbs"
        27⤵
        
        PID:5664
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        
        C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991b83fd-ee65-4d94-8a05-e42ba3fd4985.vbs"
        29⤵
        
        PID:3464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f94117-5f32-42f8-9909-981e8764c145.vbs"
        29⤵
        
        PID:5684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f86f71e4-cf71-48c7-a6a2-04ac371d1b0f.vbs"
        27⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9badcda2-6967-4e58-a2cb-a1275d8b00e8.vbs"
        25⤵
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54195c9c-ef6c-4fdf-a463-4698804f0bf6.vbs"
        23⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04d77d90-34f9-4c5f-aafc-3d412f827e4f.vbs"
        21⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d898f387-92d7-4e85-a950-b810c8ccff2a.vbs"
        19⤵
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d8ac8cd-7830-4236-bcd8-1b2e139af0c6.vbs"
        17⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8d95a0-9125-4222-a0a5-f9d9257e61da.vbs"
        15⤵
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\192204d0-24cb-4d64-9ee6-001e69bdf6fd.vbs"
        13⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7cc62d-f466-42c9-aa50-86ff9f22da67.vbs"
        11⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bffd74f-be13-4ad5-91d8-e322c6e042b5.vbs"
        9⤵
        
        PID:3248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d282994-42e3-4a93-bf33-95860f819382.vbs"
        7⤵
        
        PID:5656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef4207d-d548-48ef-be31-739be4cfd2ef.vbs"
        5⤵
        
        PID:5516
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d5e2def-4f80-47ef-8a33-2c617fa251f7.vbs"
    3⤵
    PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d5e2def-4f80-47ef-8a33-2c617fa251f7.vbs

Filesize
503B

MD5
a49aa7c2eb8aaf39863bfe549d5342f5

SHA1
d18928b6af6065693d99e24edfedab578f5fa7f0

SHA256
01730aea9ef5204311b5d19b3ceb33b49d7a2e9c16935c1b30883f5c7861e2ad

SHA512
00fdf43e7c13676b3a6a9b830d42178457f05d773d3ba25c88ef6886de355413fdb5f2c128794f9bb81346f4dc45406fcb0e4e5fda24b83f961fa8b22acea0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c090029-87ef-469d-870b-632212b37c75.vbs

Filesize
727B

MD5
9a2d8171a3b581c3cebabcbfc0b5c723

SHA1
f1a321134dd61d1cb176373d62661fc2866cd561

SHA256
3f6bb8dc500762072a43a62b11b666388f13783f7cc8e4d927c072bbbbed4465

SHA512
ddeab984c7c9c6bee8b08ca663845b4cf91ec29f30b41794b5bf742aca31ab2b4c94403b54559fcea254e586fbe048d47594a2e9bc7c123ddd1a424dbdb1325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54c19292-daf9-4a7d-81be-405ce8dd4032.vbs

Filesize
727B

MD5
4ac5faafcc529321e7ef13a6ab7ab95f

SHA1
0321bccc88479d2f540755074b563664fd985e11

SHA256
c544b9276defc6810718368f8920320c020cfcdb7a5fe16690ce17afad1c5362

SHA512
8463324ee83997cbc599a4a2fddc8efeb8c399aeedccca154165f7532eadf028db6903bc39f37897ff6b4f65428e24bbcd55a4fc3ad2a77666e374cec9806c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d03636e-1e3a-46a7-ad55-f81629858e67.vbs

Filesize
727B

MD5
fe0299c82c29c495fb745faeea7ad609

SHA1
f1243d40d0036c02546c83ae65e74e0658906de6

SHA256
8aa94eda70452018b6ff7fbc956eb88382eba85a1d38437e508bf44329e2b73e

SHA512
f48001edfceee728e22e53bdb5c5044040d76a08169f2cebd01ec87f9217d2ff6da409e5183c310cff635f47c6baa62758b6ae779df45a8431c2c7c34845477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89ea7eb0-7188-4735-b06d-ef3bc982dc74.vbs

Filesize
727B

MD5
4832a8f7cb2d86e7075a8763bda74ef4

SHA1
b3087bf9aceec44ba7748dbe12204968990083ed

SHA256
c4b247f0bcff1c96e88cd1674ee7836c2168e3914b4cbebdc22c18f688088e9e

SHA512
9922acdc1b36f3f24b738e4ed607340a062347a28aeaa0004eb78364973348d1886b37cca2d373664bffeb2ef227ac99197cc4dbda3fd9b4033eac394aebef0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\933496e2-23e0-4ccf-b2cf-69063d259d35.vbs

Filesize
727B

MD5
c1bc8fb63689a3e0ac92f6c3779d7dc2

SHA1
898990d5754ee00e53757ef48bc5f1fcd1239f2c

SHA256
62e549224b480c1c1dcbb03105d64ffb742d956d07711353982ebc3dd64a15fc

SHA512
15a79234855d6696bd73dffcde6c3c788544c5999570883fe1b4605988c2ac0f4a6ad3a1a4318e35a69e12182f6d6bfdb08a62aaa5d8d1ea37b2eb284adf5bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579118e-300f-4fb6-aa70-90735e044ead.vbs

Filesize
727B

MD5
d8bf2aaacdcc56250a9f8bcb138f4eda

SHA1
97c2ef3d5fc3208450cdee648e6fd8aa9541db1e

SHA256
6090c2323c9b1f290a73d90de8ae40b776ce1556e7e291321c27126a39d6b100

SHA512
904cad6a56159501308a4e51b3ae1b1ee7997fb4b3e80834598f5587f3a17f41ce3771d05409079a99e3efdf04a4411e1c71c3a91b02fbd35e2d1c6b673b7ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\991b83fd-ee65-4d94-8a05-e42ba3fd4985.vbs

Filesize
727B

MD5
606a49851ce60060ee97cc79e69908ce

SHA1
bb88d500f6fae0596e035c92940b24669f84fa01

SHA256
4d40e5935af64fc324d670d0e6d7657b61df3ffd4a54576235504ba5ec76d95b

SHA512
44a0aad25fd3fb62e9de169fa490b47146cc99d4f201b5e783bcd94e7bdfc2ff151e9fabc37f63239a7c812bd4782439146983ebf6f0aa78783b695101e5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ca2db36-abfb-40c3-9933-81702726a296.vbs

Filesize
727B

MD5
9fcf3873c822787a244e0a16b768d61f

SHA1
c228baaaaa3ad8b85caf49b83e6d36c1a7d9d41b

SHA256
421199fdbbe3003e9360f4fffc94219bd866fdef38887bd449636a36583be03e

SHA512
9e61d514ad7615ed30d43ec17c59880051d59e949f49afe979058df29534f6256d0966766382e2c13d8554b74ab770452411e3d274708825c3bd334a272ba838

Download Submit
C:\Users\Admin\AppData\Local\Temp\af35b97b-0444-4e92-aa00-2d1336835a46.vbs

Filesize
727B

MD5
7fc579c326a68ebb901c0e4ab3ab4e5f

SHA1
b68fa89136240a13e58d72218072d2b88c07d4d1

SHA256
cc5f3f2d10dbcc72559068878ec1d3e55a75528264b64fc7fc8737c33353c78e

SHA512
5e1d29318a588dc9be7cabef8937167b016eddd7ec0f68616082f6f7ef1ee126b7672d01dfac8b3a77dd97e17e6851470ade7ff6fda67a95ab23fa474b346602

Download Submit
C:\Users\Admin\AppData\Local\Temp\c58af6a0-fb91-41e5-8f59-147075e0457c.vbs

Filesize
726B

MD5
2c617a668d456954fa549ec2993e3093

SHA1
100d61a28cc08d65646eec74d62b67d6be5f4cb3

SHA256
f87272c911c24f6d1da067bc362dbd12a00f6bba7095f7e9876e073ad9e17f39

SHA512
07a4374b368a89c5ceb822363845ec5236bb177d424f309810d50997532c06e93d8e53f8534d4278ee5694ded1854bb568cf1ad4252f5714a1443474f2bfd883

Download Submit
C:\Users\Admin\AppData\Local\Temp\c64b442b-9d73-420d-ac61-9a1b475dc9f9.vbs

Filesize
727B

MD5
6674eefc4143952ba068b5ec7c4f3c19

SHA1
9e835ed3424befcaf4d77fe3696a0c6164a9a350

SHA256
582bfbce087818916141a02d6512e6c5666b11fb0a1d9cbca5c230695c76ddd5

SHA512
050635ff519b3bdfd8d850d2c0c497644922b075dc85aba63bdcd38db5d4ec704f3e5c261f7efb1974a091aad5a77b9fa197881974131394fac6bc9bb2a14ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8a88c08-b613-4149-a6cc-0fc53783920b.vbs

Filesize
727B

MD5
477268645d894abd2a1889a1e08429bb

SHA1
20f6b448e04dbe9b809268ef03895dc77fe426ab

SHA256
eef5aeaf55a2807f21fdf5298d832539de2c15631bf6200d951b30419ec1541b

SHA512
ce598a92de175ccadf8018208a6c794f64e0740dfe477ecb66fd9434fdae9fd4c5904ef7a674d2d4b451fe3f49ed200c253d87f001ac34e77ab10692a9fdf1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e27d9ebc-2dd5-4579-b625-fb620837aa2a.vbs

Filesize
727B

MD5
226bef745d6636ef1e38a85577191d12

SHA1
50a2e0a52b1b9dce8d8b7acd2696eb780c08dea7

SHA256
94b1eae1fd1c7ede3adeab518633be4bc9b1814ba4e8caf7aa0415143028b662

SHA512
d21bbce450620574ee3a38255220e0b945841e1cc371062422889bf6fc02fc106ff5b3db77ec66f1375e4eb4e658ca5f12ecc7c5a4ce90972e4d49bc4c261435

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed9ea832-416f-459f-9146-fda3af164ed3.vbs

Filesize
727B

MD5
bec6d521adcea3ef0889946a3bc5d727

SHA1
9ce21c4c6c650349d22d74545b3783f37cf674e1

SHA256
91fd6c3e2e00aac9d936b5c63102044f67a739bad0cbde9ad7621c5a906ecb21

SHA512
fad2c61584ca62aac2bd3cbbdd9d981f0d7eb0dbfe196c38c5b14df964b015699bd67d5ad6071598575b940e74e47c8ccc1002456fbab3d2b24e0eb9ad9786ae

Download Submit
C:\aff403968f1bfcc42131676322798b50\taskhostw.exe

Filesize
885KB

MD5
a133346834fbd4cea4893ef3836a894f

SHA1
5c97ee15bd4d43e3eea6fa702fbfc513e7befd6e

SHA256
c9107b562b192403ebb805f697494f51313a6ec733d395b6ad5828f4124eabfb

SHA512
dfd8eb9b8ca4dad897752eec43266e8663c77948fb027db8394ed236d56d60b0aa7073ef9be46dc0a8c7ad1162ef75586d48e396530cc549fb54f5ae0169ce9f

Download Submit
C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe

Filesize
885KB

MD5
3925d50ec09cade5278e78250a503852

SHA1
2bc4c2fc3e2b24577b7e6901378fa378e6601dc9

SHA256
70095186bd0a9bdafdf96d48c8d17b1539b12fd80480259a5be27c3d5de188cb

SHA512
e93d68eed7a30d6dcbcc3d113b8c0dd80330753b8163f3ca7cfbe484391952e22649d2d33e652b0bf7ffc03afbbee5aaffd076b5dc1426ac802de95554426a3c

Download Submit
memory/2244-130-0x00007FFC35160000-0x00007FFC35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2244-3-0x00000000027D0000-0x00000000027EC000-memory.dmp

Filesize
112KB

Download
memory/2244-5-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/2244-0-0x00007FFC35163000-0x00007FFC35165000-memory.dmp

Filesize
8KB

Download
memory/2244-4-0x0000000002840000-0x0000000002890000-memory.dmp

Filesize
320KB

Download
memory/2244-10-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/2244-9-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2244-8-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/2244-2-0x00007FFC35160000-0x00007FFC35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2244-6-0x00000000027F0000-0x0000000002806000-memory.dmp

Filesize
88KB

Download
memory/2244-1-0x00000000004B0000-0x0000000000594000-memory.dmp

Filesize
912KB

Download
memory/2244-7-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download