dcrat | ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077

Analysis

max time kernel
147s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe
Size

1.3MB
MD5

458277e9ab7a498d6b9307f1dc490a31
SHA1

c7bc6378b836acf622b06bb393a6895d5d20b8d9
SHA256

ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077
SHA512

775ef92e5a80a91b86ef72b2169542695ad2c84141d87a49e6f83b2c9c2b6d5f1543884a11ceb66762aa0ecf814977d7a2fa6aa932026857de4b4c87e0bf1df8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4312	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b00000001ac0b-279.dat	dcrat
behavioral1/files/0x000b00000001ac0b-280.dat	dcrat
behavioral1/memory/2540-281-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac1b-540.dat	dcrat
behavioral1/files/0x000600000001ac1b-541.dat	dcrat
behavioral1/files/0x000600000001ac1b-579.dat	dcrat
behavioral1/files/0x000600000001ac1b-586.dat	dcrat
behavioral1/files/0x000600000001ac1b-592.dat	dcrat
behavioral1/files/0x000600000001ac1b-597.dat	dcrat
behavioral1/files/0x000600000001ac1b-603.dat	dcrat
behavioral1/files/0x000600000001ac1b-608.dat	dcrat
behavioral1/files/0x000600000001ac1b-613.dat	dcrat
behavioral1/files/0x000600000001ac1b-619.dat	dcrat
behavioral1/files/0x000600000001ac1b-625.dat	dcrat
behavioral1/files/0x000600000001ac1b-630.dat	dcrat
behavioral1/files/0x000600000001ac1b-635.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2540	DllCommonsvc.exe
220	sihost.exe
4904	sihost.exe
1524	sihost.exe
588	sihost.exe
5076	sihost.exe
308	sihost.exe
1008	sihost.exe
1980	sihost.exe
352	sihost.exe
3592	sihost.exe
2092	sihost.exe
2836	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\OfficeClickToRun.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3700	schtasks.exe
4800	schtasks.exe
4412	schtasks.exe
3988	schtasks.exe
4488	schtasks.exe
4448	schtasks.exe
4048	schtasks.exe
3896	schtasks.exe
4496	schtasks.exe
4888	schtasks.exe
4928	schtasks.exe
4380	schtasks.exe
4320	schtasks.exe
4756	schtasks.exe
696	schtasks.exe
4384	schtasks.exe
3044	schtasks.exe
4504	schtasks.exe
4512	schtasks.exe
4524	schtasks.exe
3784	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sihost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2540	DllCommonsvc.exe
1076	powershell.exe
904	powershell.exe
520	powershell.exe
1848	powershell.exe
692	powershell.exe
908	powershell.exe
4540	powershell.exe
908	powershell.exe
1512	powershell.exe
1512	powershell.exe
692	powershell.exe
520	powershell.exe
904	powershell.exe
1076	powershell.exe
4540	powershell.exe
1848	powershell.exe
1512	powershell.exe
908	powershell.exe
692	powershell.exe
520	powershell.exe
904	powershell.exe
1076	powershell.exe
4540	powershell.exe
1848	powershell.exe
220	sihost.exe
4904	sihost.exe
1524	sihost.exe
588	sihost.exe
5076	sihost.exe
308	sihost.exe
1008	sihost.exe
1980	sihost.exe
352	sihost.exe
3592	sihost.exe
2092	sihost.exe
2836	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	DllCommonsvc.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeIncreaseQuotaPrivilege	1512	powershell.exe
Token: SeSecurityPrivilege	1512	powershell.exe
Token: SeTakeOwnershipPrivilege	1512	powershell.exe
Token: SeLoadDriverPrivilege	1512	powershell.exe
Token: SeSystemProfilePrivilege	1512	powershell.exe
Token: SeSystemtimePrivilege	1512	powershell.exe
Token: SeProfSingleProcessPrivilege	1512	powershell.exe
Token: SeIncBasePriorityPrivilege	1512	powershell.exe
Token: SeCreatePagefilePrivilege	1512	powershell.exe
Token: SeBackupPrivilege	1512	powershell.exe
Token: SeRestorePrivilege	1512	powershell.exe
Token: SeShutdownPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeSystemEnvironmentPrivilege	1512	powershell.exe
Token: SeRemoteShutdownPrivilege	1512	powershell.exe
Token: SeUndockPrivilege	1512	powershell.exe
Token: SeManageVolumePrivilege	1512	powershell.exe
Token: 33	1512	powershell.exe
Token: 34	1512	powershell.exe
Token: 35	1512	powershell.exe
Token: 36	1512	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe
Token: SeUndockPrivilege	908	powershell.exe
Token: SeManageVolumePrivilege	908	powershell.exe
Token: 33	908	powershell.exe
Token: 34	908	powershell.exe
Token: 35	908	powershell.exe
Token: 36	908	powershell.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe
Token: SeCreatePagefilePrivilege	520	powershell.exe
Token: SeBackupPrivilege	520	powershell.exe
Token: SeRestorePrivilege	520	powershell.exe
Token: SeShutdownPrivilege	520	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4716	388	ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe	66
PID 388 wrote to memory of 4716	388	ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe	66
PID 388 wrote to memory of 4716	388	ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe	66
PID 4716 wrote to memory of 3456	4716	WScript.exe	67
PID 4716 wrote to memory of 3456	4716	WScript.exe	67
PID 4716 wrote to memory of 3456	4716	WScript.exe	67
PID 3456 wrote to memory of 2540	3456	cmd.exe	69
PID 3456 wrote to memory of 2540	3456	cmd.exe	69
PID 2540 wrote to memory of 904	2540	DllCommonsvc.exe	92
PID 2540 wrote to memory of 904	2540	DllCommonsvc.exe	92
PID 2540 wrote to memory of 520	2540	DllCommonsvc.exe	94
PID 2540 wrote to memory of 520	2540	DllCommonsvc.exe	94
PID 2540 wrote to memory of 908	2540	DllCommonsvc.exe	95
PID 2540 wrote to memory of 908	2540	DllCommonsvc.exe	95
PID 2540 wrote to memory of 4540	2540	DllCommonsvc.exe	96
PID 2540 wrote to memory of 4540	2540	DllCommonsvc.exe	96
PID 2540 wrote to memory of 1076	2540	DllCommonsvc.exe	98
PID 2540 wrote to memory of 1076	2540	DllCommonsvc.exe	98
PID 2540 wrote to memory of 1512	2540	DllCommonsvc.exe	100
PID 2540 wrote to memory of 1512	2540	DllCommonsvc.exe	100
PID 2540 wrote to memory of 692	2540	DllCommonsvc.exe	102
PID 2540 wrote to memory of 692	2540	DllCommonsvc.exe	102
PID 2540 wrote to memory of 1848	2540	DllCommonsvc.exe	105
PID 2540 wrote to memory of 1848	2540	DllCommonsvc.exe	105
PID 2540 wrote to memory of 2452	2540	DllCommonsvc.exe	108
PID 2540 wrote to memory of 2452	2540	DllCommonsvc.exe	108
PID 2452 wrote to memory of 5104	2452	cmd.exe	110
PID 2452 wrote to memory of 5104	2452	cmd.exe	110
PID 2452 wrote to memory of 220	2452	cmd.exe	112
PID 2452 wrote to memory of 220	2452	cmd.exe	112
PID 220 wrote to memory of 3968	220	sihost.exe	113
PID 220 wrote to memory of 3968	220	sihost.exe	113
PID 3968 wrote to memory of 4924	3968	cmd.exe	115
PID 3968 wrote to memory of 4924	3968	cmd.exe	115
PID 3968 wrote to memory of 4904	3968	cmd.exe	116
PID 3968 wrote to memory of 4904	3968	cmd.exe	116
PID 4904 wrote to memory of 3188	4904	sihost.exe	117
PID 4904 wrote to memory of 3188	4904	sihost.exe	117
PID 3188 wrote to memory of 1236	3188	cmd.exe	119
PID 3188 wrote to memory of 1236	3188	cmd.exe	119
PID 3188 wrote to memory of 1524	3188	cmd.exe	120
PID 3188 wrote to memory of 1524	3188	cmd.exe	120
PID 1524 wrote to memory of 4416	1524	sihost.exe	121
PID 1524 wrote to memory of 4416	1524	sihost.exe	121
PID 4416 wrote to memory of 764	4416	cmd.exe	123
PID 4416 wrote to memory of 764	4416	cmd.exe	123
PID 4416 wrote to memory of 588	4416	cmd.exe	124
PID 4416 wrote to memory of 588	4416	cmd.exe	124
PID 588 wrote to memory of 3520	588	sihost.exe	125
PID 588 wrote to memory of 3520	588	sihost.exe	125
PID 3520 wrote to memory of 5084	3520	cmd.exe	127
PID 3520 wrote to memory of 5084	3520	cmd.exe	127
PID 3520 wrote to memory of 5076	3520	cmd.exe	128
PID 3520 wrote to memory of 5076	3520	cmd.exe	128
PID 5076 wrote to memory of 2400	5076	sihost.exe	130
PID 5076 wrote to memory of 2400	5076	sihost.exe	130
PID 2400 wrote to memory of 4132	2400	cmd.exe	131
PID 2400 wrote to memory of 4132	2400	cmd.exe	131
PID 2400 wrote to memory of 308	2400	cmd.exe	132
PID 2400 wrote to memory of 308	2400	cmd.exe	132
PID 308 wrote to memory of 4688	308	sihost.exe	133
PID 308 wrote to memory of 4688	308	sihost.exe	133
PID 4688 wrote to memory of 692	4688	cmd.exe	135
PID 4688 wrote to memory of 692	4688	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe
"C:\Users\Admin\AppData\Local\Temp\ed5657298546820ecdbb4f37edad2beb506256d71648d85b2effebb3dff5b077.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v3J9GGNGSg.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5104
      - C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4924
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1236
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:764
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5084
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4132
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:692
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        19⤵
        
        PID:188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1284
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        21⤵
        
        PID:4764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2732
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        23⤵
        
        PID:96
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3488
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        25⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4768
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        27⤵
        
        PID:4932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4912
        
        C:\odt\sihost.exe
        
        "C:\odt\sihost.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f9290a5c42c640028e211c5cb23a6bc

SHA1
f33602329379d33d1034081afdab7415e5b48b93

SHA256
aec6f00fc0a73ca6d37623fd78d605b5400cbdecd96ac34b24d8189d4b5dbd42

SHA512
9ed85a6a2c1440704ebc101a1869e75e8baf528e505dcdeac4228a448375c3c520cd60fb3fb4c1da8fd5b9b29903a28f8880e39912d316a30aa222913c968cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f9290a5c42c640028e211c5cb23a6bc

SHA1
f33602329379d33d1034081afdab7415e5b48b93

SHA256
aec6f00fc0a73ca6d37623fd78d605b5400cbdecd96ac34b24d8189d4b5dbd42

SHA512
9ed85a6a2c1440704ebc101a1869e75e8baf528e505dcdeac4228a448375c3c520cd60fb3fb4c1da8fd5b9b29903a28f8880e39912d316a30aa222913c968cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f9290a5c42c640028e211c5cb23a6bc

SHA1
f33602329379d33d1034081afdab7415e5b48b93

SHA256
aec6f00fc0a73ca6d37623fd78d605b5400cbdecd96ac34b24d8189d4b5dbd42

SHA512
9ed85a6a2c1440704ebc101a1869e75e8baf528e505dcdeac4228a448375c3c520cd60fb3fb4c1da8fd5b9b29903a28f8880e39912d316a30aa222913c968cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
600576576f6b7d0d500bd321ac2fcdd2

SHA1
4ab55225e82dd00417c52d604fb094efb9ede803

SHA256
3550807c31fe25306577d2080da4a2c3a4ddb0241d93b4e00cd3552a31b83ea1

SHA512
6da5be25dffa0ad5804724003152ad09120e9e291059e8c3707a7be58b1c49cb5b44cf1c264340ac98f7153644290acacaafc90a6c0284e7b2d34e5ff8d172f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ec0014bacda0c7c2e9beb2490cdc7cc

SHA1
0dfaf189b5e677b45e769dd685e66c5b517f53a8

SHA256
aaf4c186950e2da16b2acdaa1d4829ccca5c51cac091008cc31066ea5c87a31c

SHA512
ecce3bf18e7db8623deb961c7e68d99bb32ce32a0bdd4bf11f3ee45f69288e2f3de59fa77d8f4faaeefec79c4cfa18cf059664fd53f8a658a89e327c265ede1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ec0014bacda0c7c2e9beb2490cdc7cc

SHA1
0dfaf189b5e677b45e769dd685e66c5b517f53a8

SHA256
aaf4c186950e2da16b2acdaa1d4829ccca5c51cac091008cc31066ea5c87a31c

SHA512
ecce3bf18e7db8623deb961c7e68d99bb32ce32a0bdd4bf11f3ee45f69288e2f3de59fa77d8f4faaeefec79c4cfa18cf059664fd53f8a658a89e327c265ede1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
764520cf3955cacaf41b3ae895722a3b

SHA1
f4e3184d4dd31ee9cfdd4fc601211a123f1d56eb

SHA256
293c219f770dfaaeae310ca4271896edcbb0c557b4dd2dd7f95859a9a3fa2a01

SHA512
9315de9a25d64f455e796694867304833ede0416769b6734feb1b9d712469f2f1b0a7587c9b2d294e66dfe514cb6057e916fb5e175c4c927c812926fcaeafadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
182B

MD5
0d447750d46bae418545cd333b5913a5

SHA1
11e66e2d2770e759e478faf63bf6c4333cddbeed

SHA256
4eea9ac1378b950877b6fe3a5b2f15584a1df8584cd40cb7eff40f29340a934d

SHA512
a7cf25fc3e0cefac2caf9f576085f001ca764c6bb3e8b9826b86b03ca5501df6d6cd865366bc295427587f2459e261bd498dc61f06eb70c810e8cf2f90cd4935

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
182B

MD5
eaa96cb2913962f69fa87b406a342014

SHA1
2a62f18315b18833665ade9f00abedd04096558b

SHA256
40ac6ca58433be4cd89e7da313ff48c7ea3912c9aebf1afdcba1bfa6319240c0

SHA512
c2af1d7fd69b826960e99fe29f2abde6a713029ef2552e28608be56c2a9445b925ad146de33f59f9f2207fda08db37afefd06f14feb8156d0622d167920505b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
182B

MD5
bb4696cf15b9b5e2fe45ae06f9ffa70e

SHA1
05c4c6afc29f72812f873caee6d8d51723cdf6ae

SHA256
60182496b767ece9cf23112e6fd26547143ff38bf2f32df5a8bc5d966afe5f8c

SHA512
b79d5afbf71159300cc00a3ec9831367adeb3a10aba3dd14179e5975bf2ceff5354d411cde3d017cb3d86154dbdabee739746f700f94f09881807133e5a2b6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
182B

MD5
dadfb078737ed509410ab0bc778eccdc

SHA1
f321a4d833f972231a5075703f6e9b8e266a62ef

SHA256
25dd28db73d0cc4062658ec0acfbd59fd25a363572941cfd442e3da50c60ece3

SHA512
d6c95e723ef729e27999417061a6533cfb5ca7707ad77cb53e567271db7b109277ecc0e01b0a6c23add577527f5f8907abf35d9fba33c9b9a4a1b7120e3af73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
182B

MD5
97638571c903226a66f087b0723aeb85

SHA1
d958fdbe7a5622b1f08445c0925e4f689af34233

SHA256
15154d2ee17fb610b0c6eae0f4d87e6b9246b9db944f6c7f5545469e1784c9d2

SHA512
31bccaffa38af7cad22203baf1475d813f0bba4777e009eff3cd91e8e466a588abd842890565c330c13c2bf7586dbd64ab972239af167b1751985d0d0d430edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
182B

MD5
4cb6aa3ab099104fc7879a3133bc8eef

SHA1
b0fd35aecfaa674d5b6a84b3f1c35a3b2a247f01

SHA256
830be567e85f887b52c91dfd3aecbb2c8e7b1b9c5a69b3bef61b0b1395212659

SHA512
a6dbc6c56eb02063ca81e36bfba6e6902add4ec70ed503f3b1a6ba3ef8d695b2770f72d73f68c3fdbeb682e12382654dc153a03bf8ced733dc0ada0081b9b6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
182B

MD5
1fcd41dd9ae1dfb110bd50af952c1d44

SHA1
e194cefc24faf1464b6c30ff464c5d67d5ae84d0

SHA256
d1796c797537f8997f78b2683fb469a40be02fd01e8767815c009edf846cc74c

SHA512
02d415105fbd930ff5088566e78d9f4927aaf7c3fafa017460c947426428a1324e2c8eb1cd5631645d0af2fa6532aa978598feb3529122edc52a0f59f8f50539

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
182B

MD5
f6a9c0b36072cc7af01947c198a41422

SHA1
4fc678a575b38d4acf7c8ff31efced27efb77174

SHA256
4b3d510d937f8d4b4b880de12b01a55434da9994de13f1583428572ae5164038

SHA512
b30bb8a5a22312da258cf12df530197a9f6731cea62ee31dd683e3f39c8660b5a75993729831ad0fdfbcd1285a1ed2a1864841db872b11386f0252f0feefa736

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

Filesize
182B

MD5
aaec462f4a2bd1567fdd7187ea1a4fb4

SHA1
d731fcf377375c7bcc5d778e7ecef57ad32e3049

SHA256
9fbe1e93267ab40fd1e377e5b081a569ddefaac93e3c9013513d27c5b0ff0f2e

SHA512
1d18bde18170a69efea1af7dd9a70908cea8295da6e9748ad743084c8e17fed334033b080069a26e28de8a5760099f1bf3376acd4a824e74bd1e8d7e794a9890

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
182B

MD5
97551f21393c40c7066401fe8fa05dfb

SHA1
d4677f413c7f79fbf26813560e15fbcd665d1ef5

SHA256
6f11a04bb8e2f7e52351aa19828330ddb871d325d0be6724e935cdf56b777aad

SHA512
edf55d915be03714d3be16e5501aa1ffd854e85910ab97b1b5278aea4419ea13408346c81aa0fd293c63586b957eb9118feee659cb3dee9e4249c549c8d38a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\v3J9GGNGSg.bat

Filesize
182B

MD5
751b301fd7af0d63426e165deea5a194

SHA1
d19ad35c0e5206ab47671efcf651cbeecf264b67

SHA256
4f32e71a0d36d28cc21e914166dabb4d05c2c76d61e2faf05188d5a61cf69520

SHA512
afb2f25310a7a17bbd6888a18d59f47131ee16728a9453f7994024bf2bd11d6a0671befee9b5618e207fdba163bce836674684008cca66642d8c7e020150577b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
182B

MD5
1676eafb03914dc1d8920cea19aeb1ff

SHA1
0fbc63f5eedf61bf30d0e1080d396c6f08f2ee37

SHA256
639770cf2a4fe0015da70217af24cfd2b58b8baa84340a9ba70d57ea76f101ba

SHA512
312da5d8d898d6ef5c1c87cc7a519dc129c784cab972924d2d24c2319f276a2960f39460c8ea1597741727747ce72792fd8f11987660bc56c4992f11d4e876f6

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/96-621-0x0000000000000000-mapping.dmp

Download
memory/188-609-0x0000000000000000-mapping.dmp

Download
memory/220-542-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/220-539-0x0000000000000000-mapping.dmp

Download
memory/308-602-0x0000000000000000-mapping.dmp

Download
memory/352-620-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/352-618-0x0000000000000000-mapping.dmp

Download
memory/388-147-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-148-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-164-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-166-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-165-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-167-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-168-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-169-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-170-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-171-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-172-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-173-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-174-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-175-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-176-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-177-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-178-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-162-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-161-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-160-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-159-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-158-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-157-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-156-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-116-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-155-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-154-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-153-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-152-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-151-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-150-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-117-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-118-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-121-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-149-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-123-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-115-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-163-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-124-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-146-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-120-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-145-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-125-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-144-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-143-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-142-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-141-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-139-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-138-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-137-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-136-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-135-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-134-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-133-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-132-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-129-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-131-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-130-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-126-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-128-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/520-327-0x00000259EBE50000-0x00000259EBE72000-memory.dmp

Filesize
136KB

Download
memory/520-287-0x0000000000000000-mapping.dmp

Download
memory/588-591-0x0000000000000000-mapping.dmp

Download
memory/692-606-0x0000000000000000-mapping.dmp

Download
memory/692-292-0x0000000000000000-mapping.dmp

Download
memory/764-590-0x0000000000000000-mapping.dmp

Download
memory/904-286-0x0000000000000000-mapping.dmp

Download
memory/908-288-0x0000000000000000-mapping.dmp

Download
memory/1008-607-0x0000000000000000-mapping.dmp

Download
memory/1076-290-0x0000000000000000-mapping.dmp

Download
memory/1216-626-0x0000000000000000-mapping.dmp

Download
memory/1236-584-0x0000000000000000-mapping.dmp

Download
memory/1284-611-0x0000000000000000-mapping.dmp

Download
memory/1512-291-0x0000000000000000-mapping.dmp

Download
memory/1512-337-0x000001F261220000-0x000001F261296000-memory.dmp

Filesize
472KB

Download
memory/1524-587-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1524-585-0x0000000000000000-mapping.dmp

Download
memory/1848-293-0x0000000000000000-mapping.dmp

Download
memory/1980-612-0x0000000000000000-mapping.dmp

Download
memory/1980-614-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/2092-629-0x0000000000000000-mapping.dmp

Download
memory/2400-599-0x0000000000000000-mapping.dmp

Download
memory/2452-326-0x0000000000000000-mapping.dmp

Download
memory/2540-281-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2540-282-0x00000000018A0000-0x00000000018B2000-memory.dmp

Filesize
72KB

Download
memory/2540-283-0x0000000003210000-0x000000000321C000-memory.dmp

Filesize
48KB

Download
memory/2540-284-0x00000000031F0000-0x00000000031FC000-memory.dmp

Filesize
48KB

Download
memory/2540-285-0x0000000003220000-0x000000000322C000-memory.dmp

Filesize
48KB

Download
memory/2540-278-0x0000000000000000-mapping.dmp

Download
memory/2732-617-0x0000000000000000-mapping.dmp

Download
memory/2836-634-0x0000000000000000-mapping.dmp

Download
memory/2836-636-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/3188-582-0x0000000000000000-mapping.dmp

Download
memory/3456-255-0x0000000000000000-mapping.dmp

Download
memory/3488-623-0x0000000000000000-mapping.dmp

Download
memory/3520-593-0x0000000000000000-mapping.dmp

Download
memory/3592-624-0x0000000000000000-mapping.dmp

Download
memory/3968-575-0x0000000000000000-mapping.dmp

Download
memory/4132-601-0x0000000000000000-mapping.dmp

Download
memory/4416-588-0x0000000000000000-mapping.dmp

Download
memory/4540-289-0x0000000000000000-mapping.dmp

Download
memory/4688-604-0x0000000000000000-mapping.dmp

Download
memory/4716-179-0x0000000000000000-mapping.dmp

Download
memory/4716-180-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/4716-181-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/4764-615-0x0000000000000000-mapping.dmp

Download
memory/4768-628-0x0000000000000000-mapping.dmp

Download
memory/4904-578-0x0000000000000000-mapping.dmp

Download
memory/4904-581-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/4912-633-0x0000000000000000-mapping.dmp

Download
memory/4924-577-0x0000000000000000-mapping.dmp

Download
memory/4932-631-0x0000000000000000-mapping.dmp

Download
memory/5076-598-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download
memory/5076-596-0x0000000000000000-mapping.dmp

Download
memory/5084-595-0x0000000000000000-mapping.dmp

Download
memory/5104-335-0x0000000000000000-mapping.dmp

Download