dcrat | 86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe
Size

1.3MB
MD5

97f3617eda0ed2e5380fbe5e47f6af12
SHA1

af18d00cf1d821e99c1f13c2889c9d2397074b49
SHA256

86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608
SHA512

8e473ed587c05724e23d2176565c8535673be94b0383a2517f326bf76ec1a96d2e1157d40f322e0525ac434954d5710176b197a7decf0e82f3b0018110cc689c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1232	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/784-139-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat
C:\odt\winlogon.exe	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winlogon.exe86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exewinlogon.exeWScript.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeDllCommonsvc.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
784	DllCommonsvc.exe
4708	winlogon.exe
1912	winlogon.exe
704	winlogon.exe
2300	winlogon.exe
4392	winlogon.exe
3668	winlogon.exe
5096	winlogon.exe
1816	winlogon.exe
4484	winlogon.exe
392	winlogon.exe
4588	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\debug\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\debug\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\debug\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1552	schtasks.exe
3036	schtasks.exe
4928	schtasks.exe
3044	schtasks.exe
1052	schtasks.exe
4080	schtasks.exe
812	schtasks.exe
3284	schtasks.exe
212	schtasks.exe
4820	schtasks.exe
4800	schtasks.exe
3396	schtasks.exe
1752	schtasks.exe
4992	schtasks.exe
32	schtasks.exe

Modifies registry class 13 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exeDllCommonsvc.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	winlogon.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
784	DllCommonsvc.exe
784	DllCommonsvc.exe
784	DllCommonsvc.exe
784	DllCommonsvc.exe
784	DllCommonsvc.exe
760	powershell.exe
1892	powershell.exe
2736	powershell.exe
976	powershell.exe
2916	powershell.exe
3664	powershell.exe
760	powershell.exe
2736	powershell.exe
1892	powershell.exe
976	powershell.exe
3664	powershell.exe
2916	powershell.exe
4708	winlogon.exe
1912	winlogon.exe
704	winlogon.exe
2300	winlogon.exe
4392	winlogon.exe
3668	winlogon.exe
5096	winlogon.exe
1816	winlogon.exe
4484	winlogon.exe
392	winlogon.exe
4588	winlogon.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	784	DllCommonsvc.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4708	winlogon.exe
Token: SeDebugPrivilege	1912	winlogon.exe
Token: SeDebugPrivilege	704	winlogon.exe
Token: SeDebugPrivilege	2300	winlogon.exe
Token: SeDebugPrivilege	4392	winlogon.exe
Token: SeDebugPrivilege	3668	winlogon.exe
Token: SeDebugPrivilege	5096	winlogon.exe
Token: SeDebugPrivilege	1816	winlogon.exe
Token: SeDebugPrivilege	4484	winlogon.exe
Token: SeDebugPrivilege	392	winlogon.exe
Token: SeDebugPrivilege	4588	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exeWScript.execmd.exeDllCommonsvc.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.exe

description	pid	process	target process
PID 4556 wrote to memory of 4164	4556	86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe	WScript.exe
PID 4556 wrote to memory of 4164	4556	86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe	WScript.exe
PID 4556 wrote to memory of 4164	4556	86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe	WScript.exe
PID 4164 wrote to memory of 3124	4164	WScript.exe	cmd.exe
PID 4164 wrote to memory of 3124	4164	WScript.exe	cmd.exe
PID 4164 wrote to memory of 3124	4164	WScript.exe	cmd.exe
PID 3124 wrote to memory of 784	3124	cmd.exe	DllCommonsvc.exe
PID 3124 wrote to memory of 784	3124	cmd.exe	DllCommonsvc.exe
PID 784 wrote to memory of 976	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 976	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 1892	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 1892	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 760	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 760	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 2736	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 2736	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 2916	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 2916	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 3664	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 3664	784	DllCommonsvc.exe	powershell.exe
PID 784 wrote to memory of 3136	784	DllCommonsvc.exe	cmd.exe
PID 784 wrote to memory of 3136	784	DllCommonsvc.exe	cmd.exe
PID 3136 wrote to memory of 4544	3136	cmd.exe	w32tm.exe
PID 3136 wrote to memory of 4544	3136	cmd.exe	w32tm.exe
PID 3136 wrote to memory of 4708	3136	cmd.exe	winlogon.exe
PID 3136 wrote to memory of 4708	3136	cmd.exe	winlogon.exe
PID 4708 wrote to memory of 4744	4708	winlogon.exe	cmd.exe
PID 4708 wrote to memory of 4744	4708	winlogon.exe	cmd.exe
PID 4744 wrote to memory of 3404	4744	cmd.exe	w32tm.exe
PID 4744 wrote to memory of 3404	4744	cmd.exe	w32tm.exe
PID 4744 wrote to memory of 1912	4744	cmd.exe	winlogon.exe
PID 4744 wrote to memory of 1912	4744	cmd.exe	winlogon.exe
PID 1912 wrote to memory of 4112	1912	winlogon.exe	cmd.exe
PID 1912 wrote to memory of 4112	1912	winlogon.exe	cmd.exe
PID 4112 wrote to memory of 404	4112	cmd.exe	w32tm.exe
PID 4112 wrote to memory of 404	4112	cmd.exe	w32tm.exe
PID 4112 wrote to memory of 704	4112	cmd.exe	winlogon.exe
PID 4112 wrote to memory of 704	4112	cmd.exe	winlogon.exe
PID 704 wrote to memory of 3716	704	winlogon.exe	cmd.exe
PID 704 wrote to memory of 3716	704	winlogon.exe	cmd.exe
PID 3716 wrote to memory of 1688	3716	cmd.exe	w32tm.exe
PID 3716 wrote to memory of 1688	3716	cmd.exe	w32tm.exe
PID 3716 wrote to memory of 2300	3716	cmd.exe	winlogon.exe
PID 3716 wrote to memory of 2300	3716	cmd.exe	winlogon.exe
PID 2300 wrote to memory of 1276	2300	winlogon.exe	cmd.exe
PID 2300 wrote to memory of 1276	2300	winlogon.exe	cmd.exe
PID 1276 wrote to memory of 3052	1276	cmd.exe	w32tm.exe
PID 1276 wrote to memory of 3052	1276	cmd.exe	w32tm.exe
PID 1276 wrote to memory of 4392	1276	cmd.exe	winlogon.exe
PID 1276 wrote to memory of 4392	1276	cmd.exe	winlogon.exe
PID 4392 wrote to memory of 2536	4392	winlogon.exe	cmd.exe
PID 4392 wrote to memory of 2536	4392	winlogon.exe	cmd.exe
PID 2536 wrote to memory of 2420	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 2420	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 3668	2536	cmd.exe	winlogon.exe
PID 2536 wrote to memory of 3668	2536	cmd.exe	winlogon.exe
PID 3668 wrote to memory of 3576	3668	winlogon.exe	cmd.exe
PID 3668 wrote to memory of 3576	3668	winlogon.exe	cmd.exe
PID 3576 wrote to memory of 4996	3576	cmd.exe	w32tm.exe
PID 3576 wrote to memory of 4996	3576	cmd.exe	w32tm.exe
PID 3576 wrote to memory of 5096	3576	cmd.exe	winlogon.exe
PID 3576 wrote to memory of 5096	3576	cmd.exe	winlogon.exe
PID 5096 wrote to memory of 2504	5096	winlogon.exe	cmd.exe
PID 5096 wrote to memory of 2504	5096	winlogon.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe
"C:\Users\Admin\AppData\Local\Temp\86be3fb32de9f4b948dc170257a957e958162f9703e4c54c0017af9d64940608.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FKbwRtL6Tn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4544
      - C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3404
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:404
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1688
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3052
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2420
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4996
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        19⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1968
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        21⤵
        
        PID:3788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4560
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        23⤵
        
        PID:4260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4972
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        25⤵
        
        PID:212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:404
        
        C:\odt\winlogon.exe
        
        "C:\odt\winlogon.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        27⤵
        
        PID:3292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
184B

MD5
aad9ce5743c4b63a45b76c832a9eb5ae

SHA1
19d4ad5ecce656df5819671a87d5a6aa78e1fbc7

SHA256
2b37688988b909ee31bf4116eb876c5e7e658722968b1c9610b17a764dd2e7ac

SHA512
ab289d43c6d168487e01430e850c05dca889b22667a8d7f314689a25b0cf59023551a059ed1024b581540255cd74df23514a4aa1ee51dd307f4455fe55107ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
184B

MD5
a8e5ccdd378f7129f3893689918c6f93

SHA1
fc9dbafa8813ca8382da30303559b139f4576054

SHA256
d5716097679d1c640560ccea6e6f2993791ac32854407de18bf88da72f82d54a

SHA512
80fc13b65ff081c7107e2394c1afa7e95262623f31a139463b3cb4a735b391352b8af72e36ec78b0f8c289bd65d7472e96885618e1a7d135cc9c1a0fffeb9fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
184B

MD5
f815c1b885f7efd3bc808e4326ad45a6

SHA1
13d45775218fd0f0d5d335744867c24a38066395

SHA256
0e8a70f21eb0d856d7079d998082a600d417aea93d2cdd491f897bca1012cd61

SHA512
561ddea17218d5f08f96291899c6a101957da9b3b811af103340cd48d128ad785623540a40d0659b16e593c81dde169013f83444403f068d7ebde3aa1b6e23ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
184B

MD5
fbd80f5319a0ce021f1cce2e8d902cc4

SHA1
dc1f5f5096864a81af49fc8bd1cf581d006f5c6c

SHA256
ace7b14c229eeb75dbf4282ffd1c64198ca3be7fe3f31c2d5b0a55b95d4a0c35

SHA512
16e3760705dad5b01b0de19fd77742d5febbf145db8d272fb8585690103033936a53ee16c2fdfeccfe4d49968bfb8efd70b1e9cdaa7f92ae2a93d62567bd281b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
184B

MD5
0e1d3b486e85e03297cf747e8dfb9189

SHA1
64107866daddf65da4835fdf1e637fd2ae0a5e53

SHA256
85115a4f704d573ecf3eb4483366f9a8c002c41f2e4b1ed7652d0986ee38c654

SHA512
9008eec4f4a68dcd8e72eed919da0118481cfc841f3d16d91fc38d9e2b7b414c5b500c77f50c05301eab864e1986c5893d4922d0d577c6f2589ce6162e22ea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKbwRtL6Tn.bat

Filesize
184B

MD5
516bd450d027e67eef9ef6f5e9af2f2d

SHA1
a55e96ca63301e5a91df1fb84205f1977e5e4a55

SHA256
f6740389c6d7a677495f82b16ef9cda0e28dd13ad86ce86cdf6b0b010428a9e0

SHA512
f31a4e38e3b8edb16699c715370eae0f341622303988eff29d5290300dbf0c59b8d62e266f0b6d6640b7e6aa962a4ca0556a993abbfb711a7a96091008b563af

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
184B

MD5
07a2d251c6c04bf92852d326566221df

SHA1
6ac9f893f7aff339e2eb78c2a9765408e201c2e1

SHA256
36de0973b38f42565e6abe12519e9e42f69975f8abd3fd203769f71f1b83f960

SHA512
760820ead4b014b4feb48249e17ff572ed72e68b35c0e19fb1c1a598ddd7e65eb53e6683ef16f7c658fbe1a276afaefe3e4b584252393710ce8294cb17a9f85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
184B

MD5
8ca9aa0e22de980789bfefe4c7c91cc8

SHA1
cc587f5163e1b1ee78c655c6fc18ebf0e3685c33

SHA256
c65711c4b822f19c44128f0f994eee17ca6783e3bcc9fa13a08aaf5307d6e778

SHA512
3ae1c994a57c24e7a48c5986c05bd1784c2574950ace2bea83cead1f7aa2fa587f251e950e98bf1581c302a5d1035ebd3d62f8b2d558e3031337905e69039afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
184B

MD5
dae0823ec8351e57b078c9c7f76fc0a0

SHA1
1825bac1b2aa3af8864c451d18bf87706dd1bcaa

SHA256
82a0798450cbe8f0a33a144fab9db920cc33e47b9b69e1493ce560ce7b047a8b

SHA512
b014d182410181ee8a01b4e37674111bfbcd29b0e65ab2399ae5f9928a977941763db61e6b49a0690f3002c24bd4c6d362430c456b26dce751954f86ea069f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
184B

MD5
5026c43add377f6780da45de39551907

SHA1
c2c59a0a99fce7be2b3710bb9734cc8cdd54f730

SHA256
4f9199aa624bce90b1483c4ba11d59e8dda22adb2aaae9aea650b97ca343fa1d

SHA512
d95da82a73a6b5741b04fde8ce072f88f09c7e80d6d4c44e59701a6245b5c99def689f9779d7b33682ef6603ed7113ebc05a12efbe663a3fc3ce1a4d7a96b96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
184B

MD5
21019a288321246ebeed1ae1d9dae181

SHA1
db7870fe04035cea089ee9f4e618f2db7032d7a1

SHA256
8b8f5c8a5856efe3a2ba8f54e5be4b9c7e114e99a173d7a32b3e089582b100dc

SHA512
11b3d7cd8bd4f5b455c0305f37b94b4328db3de0efa5d5f83746e787852706ad397b525459961ba28497695f57c5eb404c53f80528717370cc494bda8bbfb1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
184B

MD5
8b37812ecc9272183a873b94acff8a3c

SHA1
94bc1ed8ede985b67ba994944215233ace08dce8

SHA256
8c4cab3ecdf60252d3d313e74c43ff53efd7d3aaea06d2632cfe508081675edd

SHA512
485bbb845183008e935a9bfdaf2d634f2935e61c018d5f3e31b02554989329a4e404520a510b0e7a5bf160add7cdcce491455b19a55be9cccf790b3897899af4

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/212-237-0x0000000000000000-mapping.dmp

Download
memory/392-240-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/392-234-0x0000000000000000-mapping.dmp

Download
memory/392-236-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/404-183-0x0000000000000000-mapping.dmp

Download
memory/404-239-0x0000000000000000-mapping.dmp

Download
memory/704-185-0x0000000000000000-mapping.dmp

Download
memory/704-187-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/704-191-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/760-154-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/760-143-0x0000000000000000-mapping.dmp

Download
memory/760-163-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/784-139-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/784-136-0x0000000000000000-mapping.dmp

Download
memory/784-140-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/784-151-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/976-160-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/976-141-0x0000000000000000-mapping.dmp

Download
memory/976-152-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/1276-195-0x0000000000000000-mapping.dmp

Download
memory/1688-190-0x0000000000000000-mapping.dmp

Download
memory/1816-220-0x0000000000000000-mapping.dmp

Download
memory/1816-222-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/1816-226-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/1892-142-0x0000000000000000-mapping.dmp

Download
memory/1892-167-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/1892-153-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/1912-177-0x0000000000000000-mapping.dmp

Download
memory/1912-180-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/1912-184-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/1968-218-0x0000000000000000-mapping.dmp

Download
memory/2300-194-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/2300-198-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/2300-192-0x0000000000000000-mapping.dmp

Download
memory/2348-246-0x0000000000000000-mapping.dmp

Download
memory/2420-204-0x0000000000000000-mapping.dmp

Download
memory/2504-216-0x0000000000000000-mapping.dmp

Download
memory/2536-202-0x0000000000000000-mapping.dmp

Download
memory/2736-148-0x00000222E2130000-0x00000222E2152000-memory.dmp

Filesize
136KB

Download
memory/2736-155-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/2736-164-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/2736-144-0x0000000000000000-mapping.dmp

Download
memory/2916-161-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/2916-145-0x0000000000000000-mapping.dmp

Download
memory/3052-197-0x0000000000000000-mapping.dmp

Download
memory/3124-135-0x0000000000000000-mapping.dmp

Download
memory/3136-147-0x0000000000000000-mapping.dmp

Download
memory/3292-244-0x0000000000000000-mapping.dmp

Download
memory/3404-175-0x0000000000000000-mapping.dmp

Download
memory/3576-209-0x0000000000000000-mapping.dmp

Download
memory/3664-146-0x0000000000000000-mapping.dmp

Download
memory/3664-172-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/3664-165-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/3668-206-0x0000000000000000-mapping.dmp

Download
memory/3668-208-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/3668-212-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/3716-188-0x0000000000000000-mapping.dmp

Download
memory/3788-223-0x0000000000000000-mapping.dmp

Download
memory/4112-181-0x0000000000000000-mapping.dmp

Download
memory/4164-132-0x0000000000000000-mapping.dmp

Download
memory/4260-230-0x0000000000000000-mapping.dmp

Download
memory/4392-199-0x0000000000000000-mapping.dmp

Download
memory/4392-205-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/4392-201-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/4484-227-0x0000000000000000-mapping.dmp

Download
memory/4484-229-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/4484-233-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/4544-150-0x0000000000000000-mapping.dmp

Download
memory/4560-225-0x0000000000000000-mapping.dmp

Download
memory/4588-241-0x0000000000000000-mapping.dmp

Download
memory/4588-243-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/4588-247-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/4708-176-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/4708-168-0x0000000000000000-mapping.dmp

Download
memory/4708-171-0x00007FFC3A9B0000-0x00007FFC3B471000-memory.dmp

Filesize
10.8MB

Download
memory/4744-173-0x0000000000000000-mapping.dmp

Download
memory/4972-232-0x0000000000000000-mapping.dmp

Download
memory/4996-211-0x0000000000000000-mapping.dmp

Download
memory/5096-219-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/5096-215-0x00007FFC3AEB0000-0x00007FFC3B971000-memory.dmp

Filesize
10.8MB

Download
memory/5096-213-0x0000000000000000-mapping.dmp

Download