zgrat | 95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

Analysis

max time kernel
151s
max time network
260s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2023 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Size

1.7MB
MD5

85503a298f3d3680349b8f956f335ba6
SHA1

25557850af352dd22f7f4a8e2392bd30d700e624
SHA256

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93
SHA512

1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 17 IoCs

resource	yara_rule
behavioral2/memory/2336-0-0x00000000008C0000-0x0000000000A80000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001abe3-26.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-284.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-285.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-307.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-329.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-350.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-372.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-394.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-415.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-436.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-457.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-478.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-499.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-520.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-541.dat	family_zgrat_v1
behavioral2/files/0x000600000001abe3-562.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 14 IoCs

pid	Process
4392	unsecapp.exe
4384	unsecapp.exe
4332	unsecapp.exe
3104	unsecapp.exe
680	unsecapp.exe
1084	unsecapp.exe
1348	unsecapp.exe
2076	unsecapp.exe
2288	unsecapp.exe
2396	unsecapp.exe
804	unsecapp.exe
1356	unsecapp.exe
4784	unsecapp.exe
4052	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\MSBuild\3769a513fa5e6d	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	unsecapp.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
4136	PING.EXE
2216	PING.EXE
2716	PING.EXE
4572	PING.EXE
3000	PING.EXE
4956	PING.EXE
4516	PING.EXE
2776	PING.EXE
4640	PING.EXE
1080	PING.EXE
208	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe
Token: SeSystemtimePrivilege	4100	powershell.exe
Token: SeProfSingleProcessPrivilege	4100	powershell.exe
Token: SeIncBasePriorityPrivilege	4100	powershell.exe
Token: SeCreatePagefilePrivilege	4100	powershell.exe
Token: SeBackupPrivilege	4100	powershell.exe
Token: SeRestorePrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeSystemEnvironmentPrivilege	4100	powershell.exe
Token: SeRemoteShutdownPrivilege	4100	powershell.exe
Token: SeUndockPrivilege	4100	powershell.exe
Token: SeManageVolumePrivilege	4100	powershell.exe
Token: 33	4100	powershell.exe
Token: 34	4100	powershell.exe
Token: 35	4100	powershell.exe
Token: 36	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1348	powershell.exe
Token: SeSecurityPrivilege	1348	powershell.exe
Token: SeTakeOwnershipPrivilege	1348	powershell.exe
Token: SeLoadDriverPrivilege	1348	powershell.exe
Token: SeSystemProfilePrivilege	1348	powershell.exe
Token: SeSystemtimePrivilege	1348	powershell.exe
Token: SeProfSingleProcessPrivilege	1348	powershell.exe
Token: SeIncBasePriorityPrivilege	1348	powershell.exe
Token: SeCreatePagefilePrivilege	1348	powershell.exe
Token: SeBackupPrivilege	1348	powershell.exe
Token: SeRestorePrivilege	1348	powershell.exe
Token: SeShutdownPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeSystemEnvironmentPrivilege	1348	powershell.exe
Token: SeRemoteShutdownPrivilege	1348	powershell.exe
Token: SeUndockPrivilege	1348	powershell.exe
Token: SeManageVolumePrivilege	1348	powershell.exe
Token: 33	1348	powershell.exe
Token: 34	1348	powershell.exe
Token: 35	1348	powershell.exe
Token: 36	1348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2436	powershell.exe
Token: SeSecurityPrivilege	2436	powershell.exe
Token: SeTakeOwnershipPrivilege	2436	powershell.exe
Token: SeLoadDriverPrivilege	2436	powershell.exe
Token: SeSystemProfilePrivilege	2436	powershell.exe
Token: SeSystemtimePrivilege	2436	powershell.exe
Token: SeProfSingleProcessPrivilege	2436	powershell.exe
Token: SeIncBasePriorityPrivilege	2436	powershell.exe
Token: SeCreatePagefilePrivilege	2436	powershell.exe
Token: SeBackupPrivilege	2436	powershell.exe
Token: SeRestorePrivilege	2436	powershell.exe
Token: SeShutdownPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeSystemEnvironmentPrivilege	2436	powershell.exe
Token: SeRemoteShutdownPrivilege	2436	powershell.exe
Token: SeUndockPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2436	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	71
PID 2336 wrote to memory of 2436	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	71
PID 2336 wrote to memory of 1432	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	80
PID 2336 wrote to memory of 1432	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	80
PID 2336 wrote to memory of 5032	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	72
PID 2336 wrote to memory of 5032	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	72
PID 2336 wrote to memory of 1348	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	78
PID 2336 wrote to memory of 1348	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	78
PID 2336 wrote to memory of 4100	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	76
PID 2336 wrote to memory of 4100	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	76
PID 2336 wrote to memory of 3108	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	81
PID 2336 wrote to memory of 3108	2336	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	81
PID 3108 wrote to memory of 4144	3108	cmd.exe	83
PID 3108 wrote to memory of 4144	3108	cmd.exe	83
PID 3108 wrote to memory of 3000	3108	cmd.exe	84
PID 3108 wrote to memory of 3000	3108	cmd.exe	84
PID 3108 wrote to memory of 4392	3108	cmd.exe	86
PID 3108 wrote to memory of 4392	3108	cmd.exe	86
PID 4392 wrote to memory of 2204	4392	unsecapp.exe	87
PID 4392 wrote to memory of 2204	4392	unsecapp.exe	87
PID 2204 wrote to memory of 4920	2204	cmd.exe	89
PID 2204 wrote to memory of 4920	2204	cmd.exe	89
PID 2204 wrote to memory of 4956	2204	cmd.exe	90
PID 2204 wrote to memory of 4956	2204	cmd.exe	90
PID 2204 wrote to memory of 4384	2204	cmd.exe	91
PID 2204 wrote to memory of 4384	2204	cmd.exe	91
PID 4384 wrote to memory of 1964	4384	unsecapp.exe	95
PID 4384 wrote to memory of 1964	4384	unsecapp.exe	95
PID 1964 wrote to memory of 4804	1964	cmd.exe	93
PID 1964 wrote to memory of 4804	1964	cmd.exe	93
PID 1964 wrote to memory of 168	1964	cmd.exe	92
PID 1964 wrote to memory of 168	1964	cmd.exe	92
PID 1964 wrote to memory of 4332	1964	cmd.exe	96
PID 1964 wrote to memory of 4332	1964	cmd.exe	96
PID 4332 wrote to memory of 912	4332	unsecapp.exe	100
PID 4332 wrote to memory of 912	4332	unsecapp.exe	100
PID 912 wrote to memory of 2836	912	cmd.exe	99
PID 912 wrote to memory of 2836	912	cmd.exe	99
PID 912 wrote to memory of 4516	912	cmd.exe	98
PID 912 wrote to memory of 4516	912	cmd.exe	98
PID 912 wrote to memory of 3104	912	cmd.exe	101
PID 912 wrote to memory of 3104	912	cmd.exe	101
PID 3104 wrote to memory of 4408	3104	unsecapp.exe	105
PID 3104 wrote to memory of 4408	3104	unsecapp.exe	105
PID 4408 wrote to memory of 5020	4408	cmd.exe	102
PID 4408 wrote to memory of 5020	4408	cmd.exe	102
PID 4408 wrote to memory of 4136	4408	cmd.exe	103
PID 4408 wrote to memory of 4136	4408	cmd.exe	103
PID 4408 wrote to memory of 680	4408	cmd.exe	106
PID 4408 wrote to memory of 680	4408	cmd.exe	106
PID 680 wrote to memory of 308	680	unsecapp.exe	110
PID 680 wrote to memory of 308	680	unsecapp.exe	110
PID 308 wrote to memory of 3948	308	cmd.exe	108
PID 308 wrote to memory of 3948	308	cmd.exe	108
PID 308 wrote to memory of 2776	308	cmd.exe	107
PID 308 wrote to memory of 2776	308	cmd.exe	107
PID 308 wrote to memory of 1084	308	cmd.exe	111
PID 308 wrote to memory of 1084	308	cmd.exe	111
PID 1084 wrote to memory of 1188	1084	unsecapp.exe	115
PID 1084 wrote to memory of 1188	1084	unsecapp.exe	115
PID 1188 wrote to memory of 1596	1188	cmd.exe	113
PID 1188 wrote to memory of 1596	1188	cmd.exe	113
PID 1188 wrote to memory of 2216	1188	cmd.exe	112
PID 1188 wrote to memory of 2216	1188	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
"C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\unsecapp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\csDadPKOGr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4144
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3000
- - C:\odt\unsecapp.exe
    "C:\odt\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ksuDlslcWD.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4920
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4956
    - - C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1BWw2qr2Xq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bw8qtkvcAA.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VN2lTwXPff.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k6czFnjgVb.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RP5SY0RjS3.bat"
        16⤵
        
        PID:2220
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2aNa3Lme8P.bat"
        18⤵
        
        PID:3604
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wGhM86rNu.bat"
        20⤵
        
        PID:3012
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ksuDlslcWD.bat"
        22⤵
        
        PID:5040
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QQ1IAg9p0i.bat"
        24⤵
        
        PID:4548
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat"
        26⤵
        
        PID:1588
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WmtPUST1GD.bat"
        28⤵
        
        PID:2680
        
        C:\odt\unsecapp.exe
        
        "C:\odt\unsecapp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4052

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:168

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4804

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4516

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2836

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5020

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4136

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2776

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2216

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1596

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4640

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3500

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3644

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5104

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:688

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3324

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1080

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5036

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:208

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4232

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2716

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4164

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4572

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf5b18e304c445d9b428267a2fe8c7d6

SHA1
0bdefa9bc084cab936484c5f8d5e58023d3b7350

SHA256
a35c71b5b28726fc951226789bdca8f889b6c8282f39fdf388c3a406c4c422e5

SHA512
489e16318ec7e60c662837419e93d8b1be3257e56b1c492a8eed26143a68a253542ba0f31d2a8b8cc54d7e0500a6c172cece978e6a021ff4192d003ba1b9b642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86290f3ee96aced3731cc03c7fac3bfe

SHA1
85ff23ae7efe104e5c68cf78e306792353f65bf6

SHA256
eed2d35033abded4ee21205ae364ea9afbaba45284fb819721979e2b0d0788e4

SHA512
a1dc93c27c31524636f42626dc95371266f339640ad3836912626250510879636f2c122539df0e598978b225e10e7d296bcc335a471bc09645569bf0c995b208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf01235f7dc0fef2d95d265f63fdf319

SHA1
7b11d53a977f1fce3cb22a54cd1ca0e001e910ec

SHA256
9295146e2ae917b1f727465ee86ae30a6365ae754ac596c13b4de096f111ab9b

SHA512
d356ea0c69b98ac472ccc35c87fbfe71366fb3985b5758927465bf4712b94a52f99c292c8d60964c6317e16e0d1f30dd414025ac2bcd8339b00bbf14217594ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BWw2qr2Xq.bat

Filesize
195B

MD5
a92197ecea945969cb0911b35daa237d

SHA1
7e115c258e196a0c9bb49c03e78b386ed370202e

SHA256
e118435c85338644bf5d6ca93ed97429a49c1b4d7825a6ac3cf9d3b344c6c635

SHA512
18532f0663460ed1f005229e9d6f430223eb2f74fb6d379bbbe6eaa7643d4663bdce83103b926b810c5f06d45cdb28bbcf91fd56a894db31205fc9d6dd358057

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aNa3Lme8P.bat

Filesize
195B

MD5
ee4e24652798e12bb77cc6e3cd53c198

SHA1
f64b7a12b0ead48cb99adb2f8391417f826ea1d1

SHA256
ed62d25d628ec4b3e97e30886cfe8f91d37a058be2c9cbcb20c90eab9df0735e

SHA512
f9a67347fa304ea059b692564347eb64b35642c0cbcfadec4a3622ab6d1dda1f0395a16fdbf2497b0eb9564c6ce6aab6a12b6f5cf0cae1c56347d43c10f58f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wGhM86rNu.bat

Filesize
195B

MD5
54a5ef6084a2c23dc9359f4de43ac8ea

SHA1
75fc0efb25a1284ed9d2f5c759a7c06f6e0d627b

SHA256
f6ae38c2797fbe61d818afb8b6afd2c26a9e29b6ae90a4b415c0dcf10d463cd3

SHA512
0e72b352c6d1aea5b8a84018b51e9f6cc106b034409ae3b3525e22f36ed6d0f75895262150207d08a0eba96bcb5548997b111a475e4dcd3f7a62239aba932f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bw8qtkvcAA.bat

Filesize
147B

MD5
16e964ad0506d0dc9bc79f39bab0ef99

SHA1
20b1adb877533f880e8c2e69d72c83f477fb8e5c

SHA256
9770086b8ccd9771d26e9b5f5faab697409c883341dfe909c537de765815fd1f

SHA512
c2a54759905b72996af9ec0fd306b60c4c9e8470f8e61ba95a4ebabc8ad8fbc8ebbade9b3fc8f72dbccb8f80ce3fff0c1e46475c1e92fa38cea393803e3233b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ1IAg9p0i.bat

Filesize
147B

MD5
5521a56f5f3eaecd4bb4e89323bc50a0

SHA1
61d1e37d80ea213ca27a9542eeeb49b4e1177f72

SHA256
8976ad33a8c61330d720e0105f6a78856ca13386286f6ad3555eb2f8cf243bee

SHA512
76d75bf666164e6e224e10a601eff34afb341889efb6bd7162a452c2fb8340e9d1bab3637a5a183d5703ab0bfe3d7e1370ff2e97687d69d647e586091598017c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RP5SY0RjS3.bat

Filesize
147B

MD5
00b2e2ecc8713fe8c88da9a7c2ed3e0c

SHA1
44826a2b6d11e6a54f8601882cb6c8ccd1bda529

SHA256
402fde80aae93ca8ee22c143d2153dcd7177546194f98b9c8726ebe74700b584

SHA512
57e3bc3439e905e903cfcdc421c541a785dad0c4d0d9df0ca64c9b524ea656fa3d16acf2ed65f48273a141b5ec71c1e8ebcf6a5b167d36ce4e3065f76ad481a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VN2lTwXPff.bat

Filesize
147B

MD5
cc20a32be628163d7149efa8cfc0103d

SHA1
e2777a0374b099970cafe3123a496e43d0f232b5

SHA256
8e48f1a7cfc7d47d640a77893d5360331a390fdef132c16e4b10a41d3a00d658

SHA512
396a23ab69fef1bc32910f68d045707e9edc6e7887a0b40573b6c59f8b1c43b74785570cbef71d55adbfdc0a43597b8db5c55d7e0dc9e66c86915caac329e148

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmtPUST1GD.bat

Filesize
147B

MD5
6afe93ee4e942292cfd56a7681b29afd

SHA1
8981f5147d84bf2fd9e1adf18496fa5cc4d5a273

SHA256
3f0036ece03953dc3d045ced57dabd31f8420a9fade9996cc5c2fc23f8ae9c5c

SHA512
d7b61ff7829129d4b1948fef1bc93975129e7b34ef5b23397b4e46d7521c428dfbb4ab6e0465e81bc7dbecf77f6aea992142111321e73a1634cdda7c5d7cc047

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4acms0p.chd.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat

Filesize
147B

MD5
315a3d353aaf78617748fa32bc38a7f9

SHA1
54bab211d10aa179ced5a97652661c3bafed7e25

SHA256
2c786cf009ef981c3e9cfa942518fbc5b227a62a5674c88603d4e1fabfbb24ec

SHA512
4f366e7f8a1f70a6d6e4f7679d9eb4e19dfab8c5ade2efb1a96b7a10fd98483d8a239cff7ea11983584e44c20b85d14a58795339c9fc58eb6c2d2cbcc964ada7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat

Filesize
147B

MD5
315a3d353aaf78617748fa32bc38a7f9

SHA1
54bab211d10aa179ced5a97652661c3bafed7e25

SHA256
2c786cf009ef981c3e9cfa942518fbc5b227a62a5674c88603d4e1fabfbb24ec

SHA512
4f366e7f8a1f70a6d6e4f7679d9eb4e19dfab8c5ade2efb1a96b7a10fd98483d8a239cff7ea11983584e44c20b85d14a58795339c9fc58eb6c2d2cbcc964ada7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csDadPKOGr.bat

Filesize
147B

MD5
5785e86b427f20194e567f3116113a1e

SHA1
ec87aebc2d978c4093d22983cce58902e8e52dbb

SHA256
605616bc3e2accab60fc50506f7baa949e4cfc76e0636ed9344a7f6c0cc8bd1a

SHA512
048365d113d425ab8f33f10617111d50957ef7b1a96e522504055cb7e2e1842a226f0809140eeb475704b8b33fee2908463766b13c849f98310d15e5d381b37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6czFnjgVb.bat

Filesize
147B

MD5
02594faa2ccc0d9a68a48f910b897e6c

SHA1
cba655bbd8f67a3b6086e96631917c6a5ec3632a

SHA256
04b24da13140f8660519098723f02ead373eb31fb6487695a8295d83cfbb719a

SHA512
9c4b87944aff5043c06aa181b67925849ac3cc7fde11e6c417c6b36de6fc35c37ef78f47c36932840f702567396cf07263ce0c33ded5600b556aaa340d4b5dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksuDlslcWD.bat

Filesize
147B

MD5
7de0ee4d19a9c3d1b3e0b79452fdc7a9

SHA1
8026470cbecd0f4a2fc8cc11629b74e72ffcaef0

SHA256
7e74968e9483427b2bf3922fe50edcede5fa96ed9774fd7667a173794fc82d1c

SHA512
91db211f89dd9ea7d80b60339e5f5f58985f1ef6daca3bf8436b84327be3da627acb2364b2ce9ce00451bb3fb78cf067232269bd96358ac24fdbaf182eed8238

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksuDlslcWD.bat

Filesize
147B

MD5
7de0ee4d19a9c3d1b3e0b79452fdc7a9

SHA1
8026470cbecd0f4a2fc8cc11629b74e72ffcaef0

SHA256
7e74968e9483427b2bf3922fe50edcede5fa96ed9774fd7667a173794fc82d1c

SHA512
91db211f89dd9ea7d80b60339e5f5f58985f1ef6daca3bf8436b84327be3da627acb2364b2ce9ce00451bb3fb78cf067232269bd96358ac24fdbaf182eed8238

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\odt\unsecapp.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
memory/680-391-0x0000000002AF0000-0x0000000002B8E000-memory.dmp

Filesize
632KB

Download
memory/804-517-0x000000001C190000-0x000000001C22E000-memory.dmp

Filesize
632KB

Download
memory/1084-412-0x000000001BF10000-0x000000001BFAE000-memory.dmp

Filesize
632KB

Download
memory/1348-433-0x000000001C780000-0x000000001C81E000-memory.dmp

Filesize
632KB

Download
memory/1348-66-0x000001EF9A8F0000-0x000001EF9A900000-memory.dmp

Filesize
64KB

Download
memory/1348-67-0x000001EF9A8F0000-0x000001EF9A900000-memory.dmp

Filesize
64KB

Download
memory/1348-133-0x000001EF9A8F0000-0x000001EF9A900000-memory.dmp

Filesize
64KB

Download
memory/1348-282-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/1348-57-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/1348-83-0x000001EFB2D20000-0x000001EFB2D96000-memory.dmp

Filesize
472KB

Download
memory/1348-263-0x000001EF9A8F0000-0x000001EF9A900000-memory.dmp

Filesize
64KB

Download
memory/1356-538-0x000000001BAA0000-0x000000001BB3E000-memory.dmp

Filesize
632KB

Download
memory/1432-52-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/1432-63-0x00000218ECA50000-0x00000218ECA60000-memory.dmp

Filesize
64KB

Download
memory/1432-64-0x00000218ECA50000-0x00000218ECA60000-memory.dmp

Filesize
64KB

Download
memory/1432-62-0x00000218EC9F0000-0x00000218ECA12000-memory.dmp

Filesize
136KB

Download
memory/1432-171-0x00000218ECA50000-0x00000218ECA60000-memory.dmp

Filesize
64KB

Download
memory/1432-281-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/1432-261-0x00000218ECA50000-0x00000218ECA60000-memory.dmp

Filesize
64KB

Download
memory/2076-454-0x000000001B350000-0x000000001B3EE000-memory.dmp

Filesize
632KB

Download
memory/2288-475-0x000000001BCA0000-0x000000001BD3E000-memory.dmp

Filesize
632KB

Download
memory/2336-9-0x00007FFDFB590000-0x00007FFDFB591000-memory.dmp

Filesize
4KB

Download
memory/2336-6-0x00007FFDFB5A0000-0x00007FFDFB5A1000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-2-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/2336-3-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/2336-4-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/2336-54-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-17-0x00007FFDFB570000-0x00007FFDFB571000-memory.dmp

Filesize
4KB

Download
memory/2336-5-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/2336-11-0x0000000001390000-0x000000000139E000-memory.dmp

Filesize
56KB

Download
memory/2336-16-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/2336-13-0x00000000013A0000-0x00000000013AC000-memory.dmp

Filesize
48KB

Download
memory/2336-47-0x000000001BC10000-0x000000001BCAE000-memory.dmp

Filesize
632KB

Download
memory/2336-45-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-0-0x00000000008C0000-0x0000000000A80000-memory.dmp

Filesize
1.8MB

Download
memory/2336-8-0x0000000001380000-0x000000000138E000-memory.dmp

Filesize
56KB

Download
memory/2336-14-0x00007FFDFB580000-0x00007FFDFB581000-memory.dmp

Filesize
4KB

Download
memory/2396-496-0x000000001BAC0000-0x000000001BB5E000-memory.dmp

Filesize
632KB

Download
memory/2436-61-0x000002B0A0820000-0x000002B0A0830000-memory.dmp

Filesize
64KB

Download
memory/2436-274-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-60-0x000002B0A0820000-0x000002B0A0830000-memory.dmp

Filesize
64KB

Download
memory/2436-34-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-260-0x000002B0A0820000-0x000002B0A0830000-memory.dmp

Filesize
64KB

Download
memory/2436-158-0x000002B0A0820000-0x000002B0A0830000-memory.dmp

Filesize
64KB

Download
memory/3104-369-0x000000001BB30000-0x000000001BBCE000-memory.dmp

Filesize
632KB

Download
memory/4100-72-0x000001C27CC60000-0x000001C27CC70000-memory.dmp

Filesize
64KB

Download
memory/4100-65-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4100-137-0x000001C27CC60000-0x000001C27CC70000-memory.dmp

Filesize
64KB

Download
memory/4100-70-0x000001C27CC60000-0x000001C27CC70000-memory.dmp

Filesize
64KB

Download
memory/4100-262-0x000001C27CC60000-0x000001C27CC70000-memory.dmp

Filesize
64KB

Download
memory/4100-272-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4332-347-0x0000000002BC0000-0x0000000002C5E000-memory.dmp

Filesize
632KB

Download
memory/4384-312-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/4384-311-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/4384-310-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/4384-326-0x000000001BC20000-0x000000001BCBE000-memory.dmp

Filesize
632KB

Download
memory/4384-309-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4384-315-0x00007FFDFB5A0000-0x00007FFDFB5A1000-memory.dmp

Filesize
4KB

Download
memory/4384-313-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/4392-287-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/4392-298-0x00007FFDFB570000-0x00007FFDFB571000-memory.dmp

Filesize
4KB

Download
memory/4392-304-0x000000001C850000-0x000000001C8EE000-memory.dmp

Filesize
632KB

Download
memory/4392-296-0x00007FFDFB580000-0x00007FFDFB581000-memory.dmp

Filesize
4KB

Download
memory/4392-293-0x00007FFDFB590000-0x00007FFDFB591000-memory.dmp

Filesize
4KB

Download
memory/4392-292-0x00007FFDFB5A0000-0x00007FFDFB5A1000-memory.dmp

Filesize
4KB

Download
memory/4392-291-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/4392-286-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4392-305-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4392-289-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/4392-288-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/4784-559-0x000000001BC60000-0x000000001BCFE000-memory.dmp

Filesize
632KB

Download
memory/5032-273-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/5032-69-0x000001C2F55B0000-0x000001C2F55C0000-memory.dmp

Filesize
64KB

Download
memory/5032-167-0x000001C2F55B0000-0x000001C2F55C0000-memory.dmp

Filesize
64KB

Download
memory/5032-258-0x000001C2F55B0000-0x000001C2F55C0000-memory.dmp

Filesize
64KB

Download
memory/5032-59-0x00007FFDEE3C0000-0x00007FFDEEDAC000-memory.dmp

Filesize
9.9MB

Download
memory/5032-68-0x000001C2F55B0000-0x000001C2F55C0000-memory.dmp

Filesize
64KB

Download