dcrat | bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 03:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe
Size

1.3MB
MD5

dd66a514389363397f7d180cfa6a055d
SHA1

cd28d43ecf837ceb39bef89eac9854413486f23f
SHA256

bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113
SHA512

2ae040ceddd28020aba61b49c5542263707dba6ec9a5231c1d7b7ea5e9f0c037e8e4cf7981e96a7af959263ad06d7f0f155822536e4495461c92b945a0d2becc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3980	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	3980	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a00000001abfb-284.dat	dcrat
behavioral1/files/0x000a00000001abfb-285.dat	dcrat
behavioral1/memory/5060-286-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac2b-545.dat	dcrat
behavioral1/files/0x000600000001ac2b-546.dat	dcrat
behavioral1/files/0x000600000001ac2b-582.dat	dcrat
behavioral1/files/0x000600000001ac2b-588.dat	dcrat
behavioral1/files/0x000600000001ac2b-593.dat	dcrat
behavioral1/files/0x000600000001ac2b-598.dat	dcrat
behavioral1/files/0x000600000001ac2b-603.dat	dcrat
behavioral1/files/0x000600000001ac2b-608.dat	dcrat
behavioral1/files/0x000600000001ac2b-614.dat	dcrat
behavioral1/files/0x000600000001ac2b-619.dat	dcrat
behavioral1/files/0x000600000001ac2b-624.dat	dcrat
behavioral1/files/0x000600000001ac2b-629.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
5060	DllCommonsvc.exe
4252	services.exe
4684	services.exe
396	services.exe
2208	services.exe
2524	services.exe
3284	services.exe
5108	services.exe
1920	services.exe
1968	services.exe
3168	services.exe
5052	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4384	schtasks.exe
4696	schtasks.exe
4684	schtasks.exe
4404	schtasks.exe
4412	schtasks.exe
4720	schtasks.exe
844	schtasks.exe
4652	schtasks.exe
4572	schtasks.exe
4424	schtasks.exe
4612	schtasks.exe
4728	schtasks.exe
3988	schtasks.exe
3128	schtasks.exe
1872	schtasks.exe
4488	schtasks.exe
4660	schtasks.exe
4692	schtasks.exe
392	schtasks.exe
4704	schtasks.exe
320	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
5060	DllCommonsvc.exe
4668	powershell.exe
4740	powershell.exe
4744	powershell.exe
1180	powershell.exe
1628	powershell.exe
1512	powershell.exe
4744	powershell.exe
884	powershell.exe
1824	powershell.exe
4740	powershell.exe
1512	powershell.exe
884	powershell.exe
4744	powershell.exe
4668	powershell.exe
1512	powershell.exe
4740	powershell.exe
1180	powershell.exe
1628	powershell.exe
884	powershell.exe
1824	powershell.exe
4668	powershell.exe
1628	powershell.exe
1180	powershell.exe
1824	powershell.exe
4252	services.exe
4684	services.exe
396	services.exe
2208	services.exe
2524	services.exe
3284	services.exe
5108	services.exe
1920	services.exe
1968	services.exe
3168	services.exe
5052	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	DllCommonsvc.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe
Token: SeProfSingleProcessPrivilege	4740	powershell.exe
Token: SeIncBasePriorityPrivilege	4740	powershell.exe
Token: SeCreatePagefilePrivilege	4740	powershell.exe
Token: SeBackupPrivilege	4740	powershell.exe
Token: SeRestorePrivilege	4740	powershell.exe
Token: SeShutdownPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeSystemEnvironmentPrivilege	4740	powershell.exe
Token: SeRemoteShutdownPrivilege	4740	powershell.exe
Token: SeUndockPrivilege	4740	powershell.exe
Token: SeManageVolumePrivilege	4740	powershell.exe
Token: 33	4740	powershell.exe
Token: 34	4740	powershell.exe
Token: 35	4740	powershell.exe
Token: 36	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1512	powershell.exe
Token: SeSecurityPrivilege	1512	powershell.exe
Token: SeTakeOwnershipPrivilege	1512	powershell.exe
Token: SeLoadDriverPrivilege	1512	powershell.exe
Token: SeSystemProfilePrivilege	1512	powershell.exe
Token: SeSystemtimePrivilege	1512	powershell.exe
Token: SeProfSingleProcessPrivilege	1512	powershell.exe
Token: SeIncBasePriorityPrivilege	1512	powershell.exe
Token: SeCreatePagefilePrivilege	1512	powershell.exe
Token: SeBackupPrivilege	1512	powershell.exe
Token: SeRestorePrivilege	1512	powershell.exe
Token: SeShutdownPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeSystemEnvironmentPrivilege	1512	powershell.exe
Token: SeRemoteShutdownPrivilege	1512	powershell.exe
Token: SeUndockPrivilege	1512	powershell.exe
Token: SeManageVolumePrivilege	1512	powershell.exe
Token: 33	1512	powershell.exe
Token: 34	1512	powershell.exe
Token: 35	1512	powershell.exe
Token: 36	1512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4744	powershell.exe
Token: SeSecurityPrivilege	4744	powershell.exe
Token: SeTakeOwnershipPrivilege	4744	powershell.exe
Token: SeLoadDriverPrivilege	4744	powershell.exe
Token: SeSystemProfilePrivilege	4744	powershell.exe
Token: SeSystemtimePrivilege	4744	powershell.exe
Token: SeProfSingleProcessPrivilege	4744	powershell.exe
Token: SeIncBasePriorityPrivilege	4744	powershell.exe
Token: SeCreatePagefilePrivilege	4744	powershell.exe
Token: SeBackupPrivilege	4744	powershell.exe
Token: SeRestorePrivilege	4744	powershell.exe
Token: SeShutdownPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1292	2744	bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe	66
PID 2744 wrote to memory of 1292	2744	bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe	66
PID 2744 wrote to memory of 1292	2744	bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe	66
PID 1292 wrote to memory of 4316	1292	WScript.exe	67
PID 1292 wrote to memory of 4316	1292	WScript.exe	67
PID 1292 wrote to memory of 4316	1292	WScript.exe	67
PID 4316 wrote to memory of 5060	4316	cmd.exe	69
PID 4316 wrote to memory of 5060	4316	cmd.exe	69
PID 5060 wrote to memory of 4668	5060	DllCommonsvc.exe	92
PID 5060 wrote to memory of 4668	5060	DllCommonsvc.exe	92
PID 5060 wrote to memory of 4744	5060	DllCommonsvc.exe	93
PID 5060 wrote to memory of 4744	5060	DllCommonsvc.exe	93
PID 5060 wrote to memory of 4740	5060	DllCommonsvc.exe	94
PID 5060 wrote to memory of 4740	5060	DllCommonsvc.exe	94
PID 5060 wrote to memory of 1180	5060	DllCommonsvc.exe	96
PID 5060 wrote to memory of 1180	5060	DllCommonsvc.exe	96
PID 5060 wrote to memory of 1512	5060	DllCommonsvc.exe	98
PID 5060 wrote to memory of 1512	5060	DllCommonsvc.exe	98
PID 5060 wrote to memory of 1628	5060	DllCommonsvc.exe	100
PID 5060 wrote to memory of 1628	5060	DllCommonsvc.exe	100
PID 5060 wrote to memory of 884	5060	DllCommonsvc.exe	101
PID 5060 wrote to memory of 884	5060	DllCommonsvc.exe	101
PID 5060 wrote to memory of 1824	5060	DllCommonsvc.exe	102
PID 5060 wrote to memory of 1824	5060	DllCommonsvc.exe	102
PID 5060 wrote to memory of 2240	5060	DllCommonsvc.exe	108
PID 5060 wrote to memory of 2240	5060	DllCommonsvc.exe	108
PID 2240 wrote to memory of 4904	2240	cmd.exe	110
PID 2240 wrote to memory of 4904	2240	cmd.exe	110
PID 2240 wrote to memory of 4252	2240	cmd.exe	112
PID 2240 wrote to memory of 4252	2240	cmd.exe	112
PID 4252 wrote to memory of 1292	4252	services.exe	113
PID 4252 wrote to memory of 1292	4252	services.exe	113
PID 1292 wrote to memory of 4056	1292	cmd.exe	115
PID 1292 wrote to memory of 4056	1292	cmd.exe	115
PID 1292 wrote to memory of 4684	1292	cmd.exe	116
PID 1292 wrote to memory of 4684	1292	cmd.exe	116
PID 4684 wrote to memory of 3152	4684	services.exe	117
PID 4684 wrote to memory of 3152	4684	services.exe	117
PID 3152 wrote to memory of 4376	3152	cmd.exe	119
PID 3152 wrote to memory of 4376	3152	cmd.exe	119
PID 3152 wrote to memory of 396	3152	cmd.exe	120
PID 3152 wrote to memory of 396	3152	cmd.exe	120
PID 396 wrote to memory of 4676	396	services.exe	121
PID 396 wrote to memory of 4676	396	services.exe	121
PID 4676 wrote to memory of 688	4676	cmd.exe	123
PID 4676 wrote to memory of 688	4676	cmd.exe	123
PID 4676 wrote to memory of 2208	4676	cmd.exe	124
PID 4676 wrote to memory of 2208	4676	cmd.exe	124
PID 2208 wrote to memory of 4928	2208	services.exe	125
PID 2208 wrote to memory of 4928	2208	services.exe	125
PID 4928 wrote to memory of 3140	4928	cmd.exe	127
PID 4928 wrote to memory of 3140	4928	cmd.exe	127
PID 4928 wrote to memory of 2524	4928	cmd.exe	128
PID 4928 wrote to memory of 2524	4928	cmd.exe	128
PID 2524 wrote to memory of 840	2524	services.exe	129
PID 2524 wrote to memory of 840	2524	services.exe	129
PID 840 wrote to memory of 4352	840	cmd.exe	131
PID 840 wrote to memory of 4352	840	cmd.exe	131
PID 840 wrote to memory of 3284	840	cmd.exe	132
PID 840 wrote to memory of 3284	840	cmd.exe	132
PID 3284 wrote to memory of 3440	3284	services.exe	133
PID 3284 wrote to memory of 3440	3284	services.exe	133
PID 3440 wrote to memory of 1928	3440	cmd.exe	135
PID 3440 wrote to memory of 1928	3440	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe
"C:\Users\Admin\AppData\Local\Temp\bb24b6142862f08aec4dc7e56931eae1fb63e25d133645173c7283a800f73113.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\laZb1erdG8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4904
      - C:\odt\services.exe
        
        "C:\odt\services.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4056
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4376
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:688
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3140
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4352
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1928
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        19⤵
        
        PID:4636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4744
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
        21⤵
        
        PID:3724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3320
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"
        23⤵
        
        PID:4844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4348
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        25⤵
        
        PID:4916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3708
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1b807e34a2dd5d4776c2d9577805997

SHA1
e9edd5b11f25af5480977b67b0a5dfff1b79518c

SHA256
a32eb963d714b3df20a23839177e1d219c50b7c334cda5d0c51e1a070b1efd6f

SHA512
b856025f109457d9fb6abb2940d0ad9f078b5baf5225d98792e7c98f0e2d382bcea9b9f4e6428d1f360beea1a381909231d9870fc04b6067e96b77c34c94dc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0d836b34c1f66987218c567ba97a6cd

SHA1
d222415177ad8552075bee58e1b211b8caa1dce1

SHA256
895b8d3ad5362253751b706b1385ffc4498de7cfee5cac23590de8dc1e01c4ce

SHA512
5f32f05b740700ee5a475a23b0353008e7d76653a548b0eb743610627920656073cb8f2a2d925b0587a010428d85fb0420bf24865c3a45b5199b02f0e2466db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0d836b34c1f66987218c567ba97a6cd

SHA1
d222415177ad8552075bee58e1b211b8caa1dce1

SHA256
895b8d3ad5362253751b706b1385ffc4498de7cfee5cac23590de8dc1e01c4ce

SHA512
5f32f05b740700ee5a475a23b0353008e7d76653a548b0eb743610627920656073cb8f2a2d925b0587a010428d85fb0420bf24865c3a45b5199b02f0e2466db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed3f4b6df5d06750ce96ab21e76a077b

SHA1
70716014bd973a3963240947cf868b77841b0a6e

SHA256
138ff80fe28a2d7677cd1877e7f6ce6b2d94cdb7a716b377cea502eb1c75fcb6

SHA512
6b7d7711df15106c7eb059040f095a822c914dc624fe52439bedd0009739bcd535d5f691dda4c3356629effe91ed84f65f1b5530142c2d84549bde3388e4b53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
76a13df0179cd40137e25fbbf5940c49

SHA1
6346209f8d57a7d2dee3d344499b9117f118dfd1

SHA256
671fe1e934cf18ae723a1503626746e7d1f876fbee0fde1f8102dde6e12688d1

SHA512
17226e9dd21ce7d58311144665816d5e57c2240fa6f86bd2df7eb2a51c6acfe70c2dd0211e1dc7bd79d3041d280408018707579bc1fca285811504a04db90faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
76a13df0179cd40137e25fbbf5940c49

SHA1
6346209f8d57a7d2dee3d344499b9117f118dfd1

SHA256
671fe1e934cf18ae723a1503626746e7d1f876fbee0fde1f8102dde6e12688d1

SHA512
17226e9dd21ce7d58311144665816d5e57c2240fa6f86bd2df7eb2a51c6acfe70c2dd0211e1dc7bd79d3041d280408018707579bc1fca285811504a04db90faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
184B

MD5
214b64343f8e6dd3ac9d061fcc779fb3

SHA1
069c710048e9628eb6fba8a8cb6edb083a7ae57c

SHA256
d43486ed62ea4224cf82062e8d18f91a4688b3511bcc9936eeff28ec08c88d9a

SHA512
f4df49570f25495791388b6c42539790073a47941aa899c4a587133b9d50527a77643c3fc4494027b9920ef0671f10e0a4ba011cb1453a295ca21206c8e469e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
184B

MD5
6dc95ff2dc2d3f11662ce1fdf285fb4c

SHA1
357aa22d870cfee8b483a855ee5cb822271ec8a8

SHA256
a95cdb132adec16885b1180e14df39ce5383f3817ca28a03b4285b5b880b6459

SHA512
5e86d6699234f72ecd4639ab646933860b6cd4ad7ca0abefc407279f06c9051a6532a03d572cf5dc9ff2e25228474f15b15cac789fcafbbe4eacfdffd60ce1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
184B

MD5
6dc95ff2dc2d3f11662ce1fdf285fb4c

SHA1
357aa22d870cfee8b483a855ee5cb822271ec8a8

SHA256
a95cdb132adec16885b1180e14df39ce5383f3817ca28a03b4285b5b880b6459

SHA512
5e86d6699234f72ecd4639ab646933860b6cd4ad7ca0abefc407279f06c9051a6532a03d572cf5dc9ff2e25228474f15b15cac789fcafbbe4eacfdffd60ce1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat

Filesize
184B

MD5
cb1f41fd89201858fe4ef7573cd99ffa

SHA1
cc98e5b8f7d2ddf8672cce6a97a3d579c3c64e89

SHA256
ad97e11d0d2dcb33b1cb19e1bb54116bf688b99686bb86527d2287a8355a467f

SHA512
75b98a599cc9d19001ee9f81cfff46845e64850af88c2e6f9992d1b4a47c60ca709e3cb67e21b8f56cfa13346426a290f8f993e31872d4d4cfda279602a0b777

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat

Filesize
184B

MD5
c2e85ad29a381c7dde510713dba147fd

SHA1
e45062e45ac88e54a6d7af83c09958c61634afa4

SHA256
b9921027f3720895ee799aa4a5c9ee54dfbeb9b0c7e31607460da8a27b566305

SHA512
992e9aba0a171cb86c9d85280d2a8b880a95e5266bcf73e0f93422ac298e9cdc09de7679d2faba45c83964aeeb77fcc66f58f1716bf352db1a42edf0ad13840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
184B

MD5
44b03011fa859abd80a0e0f3b22247d1

SHA1
9b811e520b217d632da92296932697c7147071e6

SHA256
cd8c71445975cb41f1a315f0304833cbe344284c0b6153bb976af3624fec9ff4

SHA512
f692cd1eb1a656def9480f752d58dc6a9b69f4436b282f099574f1f052a72af5e7fb0e04bd35f612cd5ab246739c073fb11c9772eefe35b504833507de1e63e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
184B

MD5
5084c215dbffd716cdddc4cdf8161ff7

SHA1
b78a77ce40aae61186cf925612249791306729d7

SHA256
a91f9b58b1d9cbe0f7c387298e718c9018c000354301724467b868c9d7ac67fc

SHA512
cd90dbca9eee412baf92e65afc3306fda2bd14c495af24c19f6fafb45379e3ee494bfcd04b519d7997fae197b4bc8b18b109f281c911f564de704b400f879d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\laZb1erdG8.bat

Filesize
184B

MD5
25343ef47aa94b8f5da8a28f55de82a4

SHA1
a1bafa55ab997831cb8bee2cc2fabb204d848ff5

SHA256
6a9f33729da2b7f243c49ffb22b2b6732cf3a1cb2589c630c5f97c72beb4be8c

SHA512
e6fafa80c647343bbe4058dc5ebd9d999fdd6ec339c7b7e32a841788b9bc98a208729528253c86eff2b81ee362296019a4ef58481749c2196578e5abd1b9a448

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
184B

MD5
7e7b89f7a7300bf294e9285e789f8cfd

SHA1
e33f81744e14b68ee60feaf833d562cace3e7197

SHA256
e16418b7eee637f2868672c5cb9b75281b14ce2ba0bb8a2cdea630442209dcd1

SHA512
0b7dd58c56d954fddf423392a6a96e2794e081e5cc310d5224b171c3ad7cdc3b6901d303fb495404886e5935333f1e2656df9e1dbff8d7fa6ed1fa73fb9475a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
184B

MD5
2274116740267812a55f20b21c110d9d

SHA1
472708e13222dd880c9db19a0ab4f37dc277f488

SHA256
d275d0144064b2ef2cd2f58e2c80038025e587ff106d5cb8c8230a79f24087ee

SHA512
5ba403906a15fa1affe9cdff98d5474489334878c74328db624488134bb210085f4afaf57984f2cea20a6ff0bad75e76123acd31227f9ea0a16bef9ecd8830ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
184B

MD5
484e822b67fde921a665097fc1cebfb9

SHA1
076e7fcaa93096cb57cd7c70cc1d436caeaf9f6a

SHA256
787090a75600718b4a7ea3b760b4e051c84e930940a38e0ee9e22db754fe70e9

SHA512
ccdea05bdccba5e4ab7d997591f9edcc3fba5e6bfe8db58a08cfb7eb074db7f0fff82cae053470e6edad6b47d4cfdb388bd2af85e32ae2e51bcd2f8f48a77eac

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1292-185-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1292-186-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-159-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-162-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-177-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-178-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-179-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-180-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-181-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-182-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-183-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-175-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-174-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-173-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-172-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-171-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-121-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-170-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-136-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-169-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-122-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-123-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-137-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-125-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-126-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-128-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-139-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-129-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-168-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-167-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-166-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-165-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-164-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-163-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-140-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-130-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-131-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-141-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-132-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-161-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-160-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-120-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-158-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-157-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-156-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-155-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-154-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-152-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-153-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-151-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-176-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-133-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-150-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-149-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-142-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-148-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-134-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-147-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-138-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-135-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-146-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-145-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-144-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-143-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/4668-332-0x000002D2A1B50000-0x000002D2A1B72000-memory.dmp

Filesize
136KB

Download
memory/4744-335-0x0000012726200000-0x0000012726276000-memory.dmp

Filesize
472KB

Download
memory/5060-289-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/5060-288-0x00000000012F0000-0x00000000012FC000-memory.dmp

Filesize
48KB

Download
memory/5060-287-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/5060-290-0x000000001B510000-0x000000001B51C000-memory.dmp

Filesize
48KB

Download
memory/5060-286-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/5108-609-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download