dcrat | a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe
Size

1.3MB
MD5

bddc03b52e6e5efe1db952e967312c89
SHA1

86d9a85421107c80204622ce7ac370df33f34d82
SHA256

a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47
SHA512

c14a23b212fdc987795fbe57d8549203b2faeefe780c9cabf1becd3af76395a1c9fc8a71acdcebcc65a8578fb079593fb53c602dbbfbf1fb3528614cd9c02a6f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4704	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4704	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0003000000000721-137.dat	dcrat
behavioral1/files/0x0003000000000721-138.dat	dcrat
behavioral1/memory/3124-139-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/files/0x0003000000000735-176.dat	dcrat
behavioral1/files/0x0003000000000735-175.dat	dcrat
behavioral1/files/0x0003000000000735-183.dat	dcrat
behavioral1/files/0x0003000000000735-191.dat	dcrat
behavioral1/files/0x0003000000000735-198.dat	dcrat
behavioral1/files/0x0003000000000735-205.dat	dcrat
behavioral1/files/0x0003000000000735-212.dat	dcrat
behavioral1/files/0x0003000000000735-219.dat	dcrat
behavioral1/files/0x0003000000000735-226.dat	dcrat
behavioral1/files/0x0003000000000735-233.dat	dcrat
behavioral1/files/0x0003000000000735-240.dat	dcrat
behavioral1/files/0x0003000000000735-247.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3124	DllCommonsvc.exe
1700	SearchApp.exe
1324	SearchApp.exe
4076	SearchApp.exe
1376	SearchApp.exe
4284	SearchApp.exe
2236	SearchApp.exe
3504	SearchApp.exe
1672	SearchApp.exe
212	SearchApp.exe
2360	SearchApp.exe
2600	SearchApp.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sk-SK\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sk-SK\24dbde2999530e	DllCommonsvc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\SppExtComObj.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\38384e6a620884	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
32	schtasks.exe
5016	schtasks.exe
2668	schtasks.exe
4008	schtasks.exe
4372	schtasks.exe
3300	schtasks.exe
1444	schtasks.exe
2736	schtasks.exe
4856	schtasks.exe
4308	schtasks.exe
224	schtasks.exe
432	schtasks.exe
1324	schtasks.exe
1456	schtasks.exe
3108	schtasks.exe
3176	schtasks.exe
2360	schtasks.exe
2356	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3124	DllCommonsvc.exe
3124	DllCommonsvc.exe
3124	DllCommonsvc.exe
816	powershell.exe
816	powershell.exe
2804	powershell.exe
2804	powershell.exe
3828	powershell.exe
3828	powershell.exe
4836	powershell.exe
4836	powershell.exe
4980	powershell.exe
4980	powershell.exe
728	powershell.exe
728	powershell.exe
2804	powershell.exe
4932	powershell.exe
4932	powershell.exe
4836	powershell.exe
816	powershell.exe
4980	powershell.exe
3828	powershell.exe
4932	powershell.exe
728	powershell.exe
1700	SearchApp.exe
1324	SearchApp.exe
4076	SearchApp.exe
1376	SearchApp.exe
4284	SearchApp.exe
2236	SearchApp.exe
3504	SearchApp.exe
1672	SearchApp.exe
212	SearchApp.exe
2360	SearchApp.exe
2600	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	DllCommonsvc.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1700	SearchApp.exe
Token: SeDebugPrivilege	1324	SearchApp.exe
Token: SeDebugPrivilege	4076	SearchApp.exe
Token: SeDebugPrivilege	1376	SearchApp.exe
Token: SeDebugPrivilege	4284	SearchApp.exe
Token: SeDebugPrivilege	2236	SearchApp.exe
Token: SeDebugPrivilege	3504	SearchApp.exe
Token: SeDebugPrivilege	1672	SearchApp.exe
Token: SeDebugPrivilege	212	SearchApp.exe
Token: SeDebugPrivilege	2360	SearchApp.exe
Token: SeDebugPrivilege	2600	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 3460	4632	a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe	83
PID 4632 wrote to memory of 3460	4632	a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe	83
PID 4632 wrote to memory of 3460	4632	a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe	83
PID 3460 wrote to memory of 1004	3460	WScript.exe	87
PID 3460 wrote to memory of 1004	3460	WScript.exe	87
PID 3460 wrote to memory of 1004	3460	WScript.exe	87
PID 1004 wrote to memory of 3124	1004	cmd.exe	89
PID 1004 wrote to memory of 3124	1004	cmd.exe	89
PID 3124 wrote to memory of 4932	3124	DllCommonsvc.exe	109
PID 3124 wrote to memory of 4932	3124	DllCommonsvc.exe	109
PID 3124 wrote to memory of 2804	3124	DllCommonsvc.exe	110
PID 3124 wrote to memory of 2804	3124	DllCommonsvc.exe	110
PID 3124 wrote to memory of 4836	3124	DllCommonsvc.exe	111
PID 3124 wrote to memory of 4836	3124	DllCommonsvc.exe	111
PID 3124 wrote to memory of 816	3124	DllCommonsvc.exe	112
PID 3124 wrote to memory of 816	3124	DllCommonsvc.exe	112
PID 3124 wrote to memory of 3828	3124	DllCommonsvc.exe	114
PID 3124 wrote to memory of 3828	3124	DllCommonsvc.exe	114
PID 3124 wrote to memory of 4980	3124	DllCommonsvc.exe	116
PID 3124 wrote to memory of 4980	3124	DllCommonsvc.exe	116
PID 3124 wrote to memory of 728	3124	DllCommonsvc.exe	117
PID 3124 wrote to memory of 728	3124	DllCommonsvc.exe	117
PID 3124 wrote to memory of 2928	3124	DllCommonsvc.exe	123
PID 3124 wrote to memory of 2928	3124	DllCommonsvc.exe	123
PID 2928 wrote to memory of 2796	2928	cmd.exe	125
PID 2928 wrote to memory of 2796	2928	cmd.exe	125
PID 2928 wrote to memory of 1700	2928	cmd.exe	128
PID 2928 wrote to memory of 1700	2928	cmd.exe	128
PID 1700 wrote to memory of 220	1700	SearchApp.exe	129
PID 1700 wrote to memory of 220	1700	SearchApp.exe	129
PID 220 wrote to memory of 3008	220	cmd.exe	131
PID 220 wrote to memory of 3008	220	cmd.exe	131
PID 220 wrote to memory of 1324	220	cmd.exe	133
PID 220 wrote to memory of 1324	220	cmd.exe	133
PID 1324 wrote to memory of 4444	1324	SearchApp.exe	134
PID 1324 wrote to memory of 4444	1324	SearchApp.exe	134
PID 4444 wrote to memory of 4652	4444	cmd.exe	136
PID 4444 wrote to memory of 4652	4444	cmd.exe	136
PID 4444 wrote to memory of 4076	4444	cmd.exe	137
PID 4444 wrote to memory of 4076	4444	cmd.exe	137
PID 4076 wrote to memory of 2696	4076	SearchApp.exe	138
PID 4076 wrote to memory of 2696	4076	SearchApp.exe	138
PID 2696 wrote to memory of 4656	2696	cmd.exe	140
PID 2696 wrote to memory of 4656	2696	cmd.exe	140
PID 2696 wrote to memory of 1376	2696	cmd.exe	141
PID 2696 wrote to memory of 1376	2696	cmd.exe	141
PID 1376 wrote to memory of 2232	1376	SearchApp.exe	143
PID 1376 wrote to memory of 2232	1376	SearchApp.exe	143
PID 2232 wrote to memory of 4948	2232	cmd.exe	144
PID 2232 wrote to memory of 4948	2232	cmd.exe	144
PID 2232 wrote to memory of 4284	2232	cmd.exe	145
PID 2232 wrote to memory of 4284	2232	cmd.exe	145
PID 4284 wrote to memory of 3964	4284	SearchApp.exe	146
PID 4284 wrote to memory of 3964	4284	SearchApp.exe	146
PID 3964 wrote to memory of 3488	3964	cmd.exe	148
PID 3964 wrote to memory of 3488	3964	cmd.exe	148
PID 3964 wrote to memory of 2236	3964	cmd.exe	149
PID 3964 wrote to memory of 2236	3964	cmd.exe	149
PID 2236 wrote to memory of 392	2236	SearchApp.exe	150
PID 2236 wrote to memory of 392	2236	SearchApp.exe	150
PID 392 wrote to memory of 3048	392	cmd.exe	152
PID 392 wrote to memory of 3048	392	cmd.exe	152
PID 392 wrote to memory of 3504	392	cmd.exe	153
PID 392 wrote to memory of 3504	392	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe
"C:\Users\Admin\AppData\Local\Temp\a3d62a0119881ed4e9303b16becc7ad8dfe6763d6b872487d7fc830219f83c47.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sk-SK\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RWoAxKyxlF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2796
      - C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3008
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4652
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4656
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4948
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3488
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3048
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        19⤵
        
        PID:5096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2472
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        21⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3300
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
        23⤵
        
        PID:3468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3904
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        25⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2136
        
        C:\odt\SearchApp.exe
        
        "C:\odt\SearchApp.exe"
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        27⤵
        
        PID:4708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\AppReadiness\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\sk-SK\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sk-SK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\sk-SK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
185B

MD5
d875acb2d55b4241e6dcd6e140c8392e

SHA1
eab635cc578382bb88fc51b01720b6964a17cd34

SHA256
ee261191f0e557ed9e6ec8df54642ca1216125c3489aab5c94778609a65332a5

SHA512
f499cdccd6472fa747b929183759e708ee76d2135e8fbc758fc42f87a0b612d0ff2ab60ce4eaf48121f2a60251a1bc18e2a1e2e6b3bce816494bcb2751d8cf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
185B

MD5
95bec40b4a11d83efa1f78793f210317

SHA1
97c3e7f05f26814ea089d06d3126c4f82fe90ee3

SHA256
35a0956d4ac30447cc951840878d90d793007c77b5b3aa3b806af9d9e78ef7ca

SHA512
5390b813cb48bcbf23ec715561496eafef69246b9e2a2e0d248578ca4b0f35344096aa732406f0c94340ed245b3fab4c421009610d6fa0db4981a72295b468db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
185B

MD5
e5aea669b9db03b0b7218fcbdfd0d584

SHA1
dd5431e75b10b1e0c05e188e8174db2d3c02b2e3

SHA256
709b91a4e03003348b5c469b1224930f178c213817765544dca00c2bb780266e

SHA512
2acef9a986430a48dfd8e4576dc504a2e356532f995279c23912576af8083fa72690d6cf02274019f85d8dbeb5c19bc1ce062d7f2ceaec7b5f5f058e65cbd1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
185B

MD5
e043db76be86aac21be4487ccbc2547b

SHA1
17f24b104dc7e352d6d5671101375283a09d85ea

SHA256
fd890f7f38081929056667e4815a1ff473f4a77ffb6a9737f953d27b36f8a0f4

SHA512
3677ecc778b086eb8d90e90a914f6a493a495f2b1a7b17fcb8c9405f4bd44da730f101c103d8d8452c20fe19ab00d2742ee48dd5213381354c2edff8d8098579

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
185B

MD5
4ecbcee220b4dcf4598ea99007030928

SHA1
1c212d008d446547bfe0822c5b29c16fea6b350b

SHA256
6f61f2f2fecb59197dc2831608eb350b98497c5dcbea614081a153304c0e112c

SHA512
aab510f26ed9119404de64165bf2730f9d1aced0e47107928138a1169eb032ac01a918c612525dc26e5dcbbd95a9eee387a2a3de4d5cb15bf0373a7226cf91f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
185B

MD5
3fd2d761beb13ecebb72f3cd62491be5

SHA1
9dbfede379fe8e151ba89c2b15f9505ab8c77f90

SHA256
ef78fc68f2ed10a554dd3bead76f1ecea596d4f02ce8f7e43717763f9725ee04

SHA512
131eaf86feb4292d9b6816ca6f4e46f8fb0560452e2cf625cc7b17f45d23416d462d1bc14af0430a1ac12d3360e3a05175945804e2bf23f456b5d2e00d6e2645

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWoAxKyxlF.bat

Filesize
185B

MD5
4130a04579a137a7b1ef1e69b3fff168

SHA1
0a4cbaf6200cff4d3e331d42ba7a56d41368e13f

SHA256
85155ce5d9ce338fa43876bbd2f6a82877071acfb047150928b40b25e34ed8b7

SHA512
1a9a3f7e1edcfb341912c5ccfd8a4aa903fbf013afa4674175287748b77ec3b6866e9a1186ef1ec7ef286dd9583afd168a31f7bf5ca490cd1e268d2e9018f89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
185B

MD5
d8fc13b5eda5fe77a9bf9ac62ab223fc

SHA1
fa5eb44909185ff6f1e682ea5f652fe6a821d342

SHA256
ee525c39eb50dbc7e97d48962c7651c6e069b2e616bfb01ea18d8c08afe2b623

SHA512
ceb565d3b81f35447f94151acc26d3e871b0ca8c4cedc59530a51e86cd032e5c342bfd8f00516be105fec366e7b19f0ea8294d112dd9d5b48509b4a389f8376f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
185B

MD5
a6335f40ca0d86f328fea2513761c420

SHA1
84c0b17b21d009a84588198fff1959f82d0ea800

SHA256
587d24e2023982ea68614b71995321d3789ff1d92a275d0f09a64dcbc3ea0716

SHA512
6f3d64b6dfb522fc9cf51ef020d0d41432cad09e5fbd7a3a395df4478a9abe004fb2dde5bdca66984a4ef7a599f49c8756c41a13b94424f63f9312f4778da780

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat

Filesize
185B

MD5
9535f96723ed65ea835fbc7e64a6857c

SHA1
af4a27bc5eb3f85778c379caa12e0bf7cf97c770

SHA256
bdec6f54ef8089eb3c2b9d3dc88844e704334df335985d907074262e18a722be

SHA512
94f4d6fccf28fb8b5ce137c84f61f08b101f6f1e297233e665d8c5560634a6b63ae5ebae2840f3dbf54343afa1b219f47474e260bfc303ffb4ec753a5d03c721

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
185B

MD5
2b5ea44d46c7a867f2839a5c88f3b5b9

SHA1
c0c9d0e3811d425c8cae70a01c0bd55b908afc9d

SHA256
ca669f00149d13e25116ea1669c1dd593ddbc5892d80e0552cbe19c01e32f93c

SHA512
d0decf3cd2acaf680a7ae69aa8e8634ef26279cac8a80a6814289535cd1b93755f08349ae958e9205caa3640e928cb250e8f616087411137a44e59604ced23f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
185B

MD5
3be8231cc3d3096a9b7c8d055822b01d

SHA1
a497a37dade002bf7f6fe2a81179adebd2e703e9

SHA256
03ecfa65726215974ab2f7092583894c516c8810b7a0c3fcabe627ff6fab4ed7

SHA512
d48056689ac6a0c4427b708813fe997b450eb2cb80aaa275f24003a48c8e2f2cb397c173d7a38405d2ec5652be0d89ced4dbb1f56d48dc2056e01177281848b9

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\SearchApp.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/212-238-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/212-234-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/728-173-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/728-157-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/816-170-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/816-152-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/816-149-0x0000019AFE4A0000-0x0000019AFE4C2000-memory.dmp

Filesize
136KB

Download
memory/1324-189-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1324-185-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1376-199-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1376-203-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1672-231-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1672-227-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1700-177-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/1700-181-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2236-217-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2236-213-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2360-245-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2360-241-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2600-248-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2600-252-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/2804-164-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-151-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-150-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-140-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-139-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/3504-220-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/3504-224-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/3828-156-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/3828-171-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-196-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/4076-192-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/4284-206-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/4284-210-0x00007FFAA2750000-0x00007FFAA3211000-memory.dmp

Filesize
10.8MB

Download
memory/4836-154-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-166-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-167-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-159-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-155-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-168-0x00007FFAA2630000-0x00007FFAA30F1000-memory.dmp

Filesize
10.8MB

Download