dcrat | 7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2

Analysis

max time kernel
149s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe
Size

1.3MB
MD5

c238d08b219605f431a61135652fa113
SHA1

4ceb34201af34282c8dd2285e5e4a497eea413fd
SHA256

7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2
SHA512

20aa3b28e3566fbc6d9820d6897112c85b3c21ac6d989d0af2119d43ff8fba9630546c7ff372b4145f6138c99a2f61afbdc21d9d64b69f0cedafa1c81eeaa66e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4968	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac32-284.dat	dcrat
behavioral1/files/0x000800000001ac32-285.dat	dcrat
behavioral1/memory/4232-286-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5b-322.dat	dcrat
behavioral1/files/0x000600000001ac5b-321.dat	dcrat
behavioral1/files/0x000600000001ac5b-584.dat	dcrat
behavioral1/files/0x000600000001ac5b-622.dat	dcrat
behavioral1/files/0x000600000001ac5b-628.dat	dcrat
behavioral1/files/0x000600000001ac5b-633.dat	dcrat
behavioral1/files/0x000600000001ac5b-639.dat	dcrat
behavioral1/files/0x000600000001ac5b-645.dat	dcrat
behavioral1/files/0x000600000001ac5b-650.dat	dcrat
behavioral1/files/0x000600000001ac5b-655.dat	dcrat
behavioral1/files/0x000600000001ac5b-660.dat	dcrat
behavioral1/files/0x000600000001ac5b-665.dat	dcrat
behavioral1/files/0x000600000001ac5b-670.dat	dcrat
behavioral1/files/0x000600000001ac5b-676.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
4232	DllCommonsvc.exe
1148	smss.exe
3896	smss.exe
4304	smss.exe
2368	smss.exe
1460	smss.exe
4960	smss.exe
3084	smss.exe
5088	smss.exe
188	smss.exe
3952	smss.exe
4360	smss.exe
300	smss.exe
4624	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\OfficeClickToRun.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Sessions\ShellExperienceHost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3936	schtasks.exe
4380	schtasks.exe
2948	schtasks.exe
3896	schtasks.exe
4368	schtasks.exe
4416	schtasks.exe
3900	schtasks.exe
4816	schtasks.exe
3064	schtasks.exe
2200	schtasks.exe
4692	schtasks.exe
5004	schtasks.exe
4388	schtasks.exe
4512	schtasks.exe
4680	schtasks.exe
4412	schtasks.exe
3124	schtasks.exe
4940	schtasks.exe
4072	schtasks.exe
4688	schtasks.exe
4536	schtasks.exe
4996	schtasks.exe
3940	schtasks.exe
4464	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4232	DllCommonsvc.exe
4584	powershell.exe
4592	powershell.exe
4632	powershell.exe
1820	powershell.exe
4524	powershell.exe
808	powershell.exe
3688	powershell.exe
852	powershell.exe
1148	smss.exe
4584	powershell.exe
4592	powershell.exe
852	powershell.exe
1820	powershell.exe
4632	powershell.exe
4524	powershell.exe
808	powershell.exe
3688	powershell.exe
4584	powershell.exe
852	powershell.exe
4592	powershell.exe
1820	powershell.exe
4632	powershell.exe
4524	powershell.exe
808	powershell.exe
3688	powershell.exe
3896	smss.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
4304	smss.exe
2368	smss.exe
1460	smss.exe
4960	smss.exe
3084	smss.exe
5088	smss.exe
188	smss.exe
3952	smss.exe
4360	smss.exe
300	smss.exe
4624	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	DllCommonsvc.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	1148	smss.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4592	powershell.exe
Token: SeSecurityPrivilege	4592	powershell.exe
Token: SeTakeOwnershipPrivilege	4592	powershell.exe
Token: SeLoadDriverPrivilege	4592	powershell.exe
Token: SeSystemProfilePrivilege	4592	powershell.exe
Token: SeSystemtimePrivilege	4592	powershell.exe
Token: SeProfSingleProcessPrivilege	4592	powershell.exe
Token: SeIncBasePriorityPrivilege	4592	powershell.exe
Token: SeCreatePagefilePrivilege	4592	powershell.exe
Token: SeBackupPrivilege	4592	powershell.exe
Token: SeRestorePrivilege	4592	powershell.exe
Token: SeShutdownPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeSystemEnvironmentPrivilege	4592	powershell.exe
Token: SeRemoteShutdownPrivilege	4592	powershell.exe
Token: SeUndockPrivilege	4592	powershell.exe
Token: SeManageVolumePrivilege	4592	powershell.exe
Token: 33	4592	powershell.exe
Token: 34	4592	powershell.exe
Token: 35	4592	powershell.exe
Token: 36	4592	powershell.exe
Token: SeIncreaseQuotaPrivilege	852	powershell.exe
Token: SeSecurityPrivilege	852	powershell.exe
Token: SeTakeOwnershipPrivilege	852	powershell.exe
Token: SeLoadDriverPrivilege	852	powershell.exe
Token: SeSystemProfilePrivilege	852	powershell.exe
Token: SeSystemtimePrivilege	852	powershell.exe
Token: SeProfSingleProcessPrivilege	852	powershell.exe
Token: SeIncBasePriorityPrivilege	852	powershell.exe
Token: SeCreatePagefilePrivilege	852	powershell.exe
Token: SeBackupPrivilege	852	powershell.exe
Token: SeRestorePrivilege	852	powershell.exe
Token: SeShutdownPrivilege	852	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4748	1748	7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe	66
PID 1748 wrote to memory of 4748	1748	7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe	66
PID 1748 wrote to memory of 4748	1748	7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe	66
PID 4748 wrote to memory of 4200	4748	WScript.exe	67
PID 4748 wrote to memory of 4200	4748	WScript.exe	67
PID 4748 wrote to memory of 4200	4748	WScript.exe	67
PID 4200 wrote to memory of 4232	4200	cmd.exe	69
PID 4200 wrote to memory of 4232	4200	cmd.exe	69
PID 4232 wrote to memory of 4584	4232	DllCommonsvc.exe	95
PID 4232 wrote to memory of 4584	4232	DllCommonsvc.exe	95
PID 4232 wrote to memory of 4592	4232	DllCommonsvc.exe	103
PID 4232 wrote to memory of 4592	4232	DllCommonsvc.exe	103
PID 4232 wrote to memory of 1820	4232	DllCommonsvc.exe	96
PID 4232 wrote to memory of 1820	4232	DllCommonsvc.exe	96
PID 4232 wrote to memory of 4632	4232	DllCommonsvc.exe	97
PID 4232 wrote to memory of 4632	4232	DllCommonsvc.exe	97
PID 4232 wrote to memory of 4336	4232	DllCommonsvc.exe	100
PID 4232 wrote to memory of 4336	4232	DllCommonsvc.exe	100
PID 4232 wrote to memory of 4524	4232	DllCommonsvc.exe	104
PID 4232 wrote to memory of 4524	4232	DllCommonsvc.exe	104
PID 4232 wrote to memory of 852	4232	DllCommonsvc.exe	105
PID 4232 wrote to memory of 852	4232	DllCommonsvc.exe	105
PID 4232 wrote to memory of 3688	4232	DllCommonsvc.exe	107
PID 4232 wrote to memory of 3688	4232	DllCommonsvc.exe	107
PID 4232 wrote to memory of 808	4232	DllCommonsvc.exe	109
PID 4232 wrote to memory of 808	4232	DllCommonsvc.exe	109
PID 4232 wrote to memory of 1148	4232	DllCommonsvc.exe	113
PID 4232 wrote to memory of 1148	4232	DllCommonsvc.exe	113
PID 1148 wrote to memory of 4776	1148	smss.exe	115
PID 1148 wrote to memory of 4776	1148	smss.exe	115
PID 4776 wrote to memory of 948	4776	cmd.exe	117
PID 4776 wrote to memory of 948	4776	cmd.exe	117
PID 4776 wrote to memory of 3896	4776	cmd.exe	118
PID 4776 wrote to memory of 3896	4776	cmd.exe	118
PID 3896 wrote to memory of 5004	3896	smss.exe	119
PID 3896 wrote to memory of 5004	3896	smss.exe	119
PID 5004 wrote to memory of 4624	5004	cmd.exe	121
PID 5004 wrote to memory of 4624	5004	cmd.exe	121
PID 5004 wrote to memory of 4304	5004	cmd.exe	122
PID 5004 wrote to memory of 4304	5004	cmd.exe	122
PID 4304 wrote to memory of 4208	4304	smss.exe	123
PID 4304 wrote to memory of 4208	4304	smss.exe	123
PID 4208 wrote to memory of 744	4208	cmd.exe	125
PID 4208 wrote to memory of 744	4208	cmd.exe	125
PID 4208 wrote to memory of 2368	4208	cmd.exe	126
PID 4208 wrote to memory of 2368	4208	cmd.exe	126
PID 2368 wrote to memory of 3744	2368	smss.exe	128
PID 2368 wrote to memory of 3744	2368	smss.exe	128
PID 3744 wrote to memory of 4256	3744	cmd.exe	129
PID 3744 wrote to memory of 4256	3744	cmd.exe	129
PID 3744 wrote to memory of 1460	3744	cmd.exe	130
PID 3744 wrote to memory of 1460	3744	cmd.exe	130
PID 1460 wrote to memory of 4344	1460	smss.exe	132
PID 1460 wrote to memory of 4344	1460	smss.exe	132
PID 4344 wrote to memory of 2152	4344	cmd.exe	133
PID 4344 wrote to memory of 2152	4344	cmd.exe	133
PID 4344 wrote to memory of 4960	4344	cmd.exe	134
PID 4344 wrote to memory of 4960	4344	cmd.exe	134
PID 4960 wrote to memory of 2552	4960	smss.exe	135
PID 4960 wrote to memory of 2552	4960	smss.exe	135
PID 2552 wrote to memory of 4848	2552	cmd.exe	137
PID 2552 wrote to memory of 4848	2552	cmd.exe	137
PID 2552 wrote to memory of 3084	2552	cmd.exe	138
PID 2552 wrote to memory of 3084	2552	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe
"C:\Users\Admin\AppData\Local\Temp\7d14ed412e1ba2423be929b2d3ecdb03831d368e4944bf14a17f447e0f1b39d2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:948
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4624
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:744
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4256
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2152
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4848
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        18⤵
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2784
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        20⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3124
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        22⤵
        
        PID:4452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3040
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        24⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4820
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        26⤵
        
        PID:4964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3172
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        28⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2040
        
        C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4e049f15ea374a88c4508cc4272a9ea

SHA1
12cb8d9523fe884f47deea2d7cd3608a2a2a3081

SHA256
3104f6f22526403c27ac573a0245625203d0b2c47339c066c42ccbd113e92a25

SHA512
cd9a6b4663c3526064b05628724de69ff7bc841f204dc93b50f064642c49b007da21e8351b21f925251a5c16aa4ecb10cb7b2ef22dc588e3e227da00284a67c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b82ae64f057ce0b33c6fc2f57a79c49c

SHA1
2bae05a69bc2829253ef1dea67cf04ac2d4d273e

SHA256
424874d3401629eb03b3f80bb71bd950a1e8a7060fc3c2bbd26aca9a51d5b921

SHA512
05575ecd9c3dd1b7e079ac750db3b770eb5a34c18ca1982ad5e26d5f8165476741d5e53eed9dc41d755ded81cef341114b17c7cec8f8551c6fa723732f9101a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b82ae64f057ce0b33c6fc2f57a79c49c

SHA1
2bae05a69bc2829253ef1dea67cf04ac2d4d273e

SHA256
424874d3401629eb03b3f80bb71bd950a1e8a7060fc3c2bbd26aca9a51d5b921

SHA512
05575ecd9c3dd1b7e079ac750db3b770eb5a34c18ca1982ad5e26d5f8165476741d5e53eed9dc41d755ded81cef341114b17c7cec8f8551c6fa723732f9101a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ae798de6d93848c517149c0d7f481ef

SHA1
363a44528482fa159bee3d854d3d9ef73be64522

SHA256
a22b9da3fd7e5382262d0a6e05ba0fca9f28cec8426f7aa40ea43964031073a5

SHA512
0df4ecfb501125509c5b4c9883593c14933d766e8807d3bf630c05784a24bbc8033b5a1da605a340e89d1d0797d1e7486a4dcfefff82deb0a263fe68606b7e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93133f7b2d7cf4d9b8b794d7d8a2d16b

SHA1
7db3d8761421c3a129dd7083a290367e04f7af60

SHA256
a90dc52d5fb57c3a174bc6ded4b271105b7e255eb44c1549c87adc1235ab281c

SHA512
5afe4b81c722c8e26eeec450465f40838e2ab5e62de7c2c5f6fd3931cadb94d44b358110dbdefe689ed3764cc7a42e3252c4c44c9d4a67ed35b2fb11214a4b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93133f7b2d7cf4d9b8b794d7d8a2d16b

SHA1
7db3d8761421c3a129dd7083a290367e04f7af60

SHA256
a90dc52d5fb57c3a174bc6ded4b271105b7e255eb44c1549c87adc1235ab281c

SHA512
5afe4b81c722c8e26eeec450465f40838e2ab5e62de7c2c5f6fd3931cadb94d44b358110dbdefe689ed3764cc7a42e3252c4c44c9d4a67ed35b2fb11214a4b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93133f7b2d7cf4d9b8b794d7d8a2d16b

SHA1
7db3d8761421c3a129dd7083a290367e04f7af60

SHA256
a90dc52d5fb57c3a174bc6ded4b271105b7e255eb44c1549c87adc1235ab281c

SHA512
5afe4b81c722c8e26eeec450465f40838e2ab5e62de7c2c5f6fd3931cadb94d44b358110dbdefe689ed3764cc7a42e3252c4c44c9d4a67ed35b2fb11214a4b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
180B

MD5
fbdcabf05d190c3e25276726c37e4375

SHA1
6be3d3731aec91d4262342e6a8be932164484672

SHA256
944ed54afd0fc6b61a1d3a9282f38ca56e3693302553d55c44632ee838682582

SHA512
f9746a04899b5c13b91a03c05ed1069188052e428b9877d0864cf1e9620a6c0b9cacba3dd59ff2a3d5bcb9c5dd8be10ad24971b0f3d486b68992737692afc26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
180B

MD5
7005f29685ab75caaf343ce32b51e087

SHA1
b8128935a7d60c220833757ad4ba4ea14594c374

SHA256
082aabb4c076f053981c312d90e2012a0d4a29ca9071e510f0fd7f69aa14d300

SHA512
beaea0b8fcf76d681581d2fcb488892f0887656f355d116cdb169837b89fa4d7b31385abdb94f8893a7cb74b1d6529ae6be80ba880d7be6a65cc7fd007bf713a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
180B

MD5
d6ef58f76619be7267414b800d1d0a84

SHA1
794c04723cfb832685dff9624635659221210818

SHA256
087fa89acb96407f94956013c37d3255024f57f423a8f202fce3fa1af6ae9f63

SHA512
eab91f675fe9509c83d5f2d64a682a1f6b31f41566916c3123750a4a49777927e02e474276bc635d444eaf899e6e0b514a673cf056fcd331f4169b696196f28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
180B

MD5
7b9ca51afea488703d70eefa92da622c

SHA1
194c1b33194295ab014022af373cb4a7d28ce25e

SHA256
19df1034965547e42d67ca96902dd7b7adb64821531e8e15903de453758329df

SHA512
590707eb7fa0f3818c7c05be6487c81f67007970771a1f9f053268f3a8c7c00d93cb712a5d786b4321b2dfc8e10aa32f5ff151f76b027fb9016b0518f5598812

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
180B

MD5
3eada6c3ebe94fd2a94a71a8e5a17792

SHA1
1015ecfe6f58f1cc787158982506d1a7a5173154

SHA256
bc28ed29d468c28984e5f5017098ff902392bba8b337f8da5b3c19d078bead50

SHA512
3f06e1e042a514892bfaae6420e82030e785a09f73fe0ab4e4942ee74152317a75a4cc70576045e8bc204fffa6dc9088808a570c7f0b3d07b4244bfb5647966f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
180B

MD5
3eada6c3ebe94fd2a94a71a8e5a17792

SHA1
1015ecfe6f58f1cc787158982506d1a7a5173154

SHA256
bc28ed29d468c28984e5f5017098ff902392bba8b337f8da5b3c19d078bead50

SHA512
3f06e1e042a514892bfaae6420e82030e785a09f73fe0ab4e4942ee74152317a75a4cc70576045e8bc204fffa6dc9088808a570c7f0b3d07b4244bfb5647966f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
180B

MD5
899f07e846c10e4be806cf0835af9c54

SHA1
9a4efb8e6a3ee74f3665bc92bea740026bb119c8

SHA256
b7288ba17bfde6294d8cfa61b4e6e989b88595ca343b0a7e34bcadb243d8d651

SHA512
62fd98db2527fa921274e74bcd4d22fd4610382c753b0938802f149488e98b1906e67af59001d70b7a002976c31f47aebc33edf38ef3ec6dd3fbc244a3c5447a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
180B

MD5
f5424a51cd1e3f9d301b18a67c314de0

SHA1
48aedafd25e3e17b30705683da140d08fab73053

SHA256
429b48f52e3f29bf0ceca9b56d1954853fbd0a6989bc201b9cd0935fcd297263

SHA512
a7fdb0a2fe9c069c13276fd4bff428374e8beb5398642c15acc14b006898eceb0fcb77d3089eab2a6ca3bfed91c70de6800aaf767019c2377f5eb38387c9e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
180B

MD5
b5e33aeca29e30a07640bd96d9a78ebf

SHA1
5de7bdc610c20c857e3fbf5418da8fe793532c7e

SHA256
584b12e29c2180d5fc884f79dc15e92f13af21966bc1d1237af0c9a2c36ceeef

SHA512
98d0da1dee83421719f51f91785ecb7e7f6c0888f8e443c19587519c166a909cc8dc4cf19a1f16769c1fd4a7ffb7fc831a1e068a40ae7a682df716df950ccb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
180B

MD5
5351ffd77e5c74b0d058c2bf36b30d4c

SHA1
2506c42dd54816eba64434cabe286f071988c65b

SHA256
31f6180438736d657b506837634f30c86c757800990545995d465d8a4ac1e0de

SHA512
b575f23b11cb0cd5e712b6614d3f4821ee79357a62d424c0ffe1d44b5e35799d1b973252652daab1743afdfb35546415f8115e58661a9e7a7e6442191db68899

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
180B

MD5
675ad12e09545abd6e2f65f9344fe3ec

SHA1
aa6939bb24a8a818b13061321e3abddf5153c8e4

SHA256
863df1cf3a461a8ac5156bb85f39f73c9264072719f5562d9bc744b43d0f3de1

SHA512
962c4563c7a727760a0c894bd68d6f0a157d12aeed17be1c0d2f9c3527d50d306c42855281dd54b2712abf7ee25c944bf740e90a9f48df793631e89db14c8301

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
180B

MD5
75e24fb96b4bd5b25e658ed16ca2c031

SHA1
a2bc6f50ee3bfd9a7880eea5ff75a8c3e8b8cceb

SHA256
467b49a97349edfa6040915a32c294742733e23ebb99261db57dee758563f95f

SHA512
1dd63c97af72442bf94acae28abd89b5aa3bd97c8f545e5abe6b4dd61827c03fee074a7d9b0959339316b948c7d0383f8b96d3a4e7517aa6f1b5fd6553c0f14d

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/300-671-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/1148-338-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download
memory/1460-634-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/1748-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3896-586-0x0000000001550000-0x0000000001562000-memory.dmp

Filesize
72KB

Download
memory/4232-289-0x0000000001100000-0x000000000110C000-memory.dmp

Filesize
48KB

Download
memory/4232-287-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/4232-288-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/4232-290-0x0000000001110000-0x000000000111C000-memory.dmp

Filesize
48KB

Download
memory/4232-286-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/4304-623-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/4584-337-0x000002DA79B70000-0x000002DA79B92000-memory.dmp

Filesize
136KB

Download
memory/4584-343-0x000002DA79D20000-0x000002DA79D96000-memory.dmp

Filesize
472KB

Download
memory/4748-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4960-640-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download