Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

pOIK3KqYhOU5.exe

windows7-x64

10

pOIK3KqYhOU5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/01/2024, 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pOIK3KqYhOU5.exe

  • Size

    1.5MB

  • MD5

    78776612b260f09e939629b036c3c4a2

  • SHA1

    bb671b7d0385cacc4756481df29dcc62bacfb4bb

  • SHA256

    af2a0d3a997ab4aacd34c2cb383ff7572f46898035ce7b958a98df6b431591f5

  • SHA512

    14714d0e3c57aa55294f274364c464464f3a74e45a2ed30daa6ea7075128c205d7a70a82c6b753526706180c1636c621068692ee372a0feacf785305116ec496

  • SSDEEP

    24576:Dex5rAoPwujnJN0bArlSm/iwCU7IINgSr59bOFJjcOZCaI:D89Ak+mlWw11Ng6al

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 52 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe
    "C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\explorer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\pOIK3KqYhOU5.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\OfficeClickToRun.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\pOIK3KqYhOU5.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\services.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\unsecapp.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
      2⤵
        PID:2412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sysmon.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3cSGxVKOt0.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5296
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:5976
          • C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe
            "C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe"
            3⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5216
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3148
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3400
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\winlogon.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2812
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\csrss.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\dllhost.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\SearchApp.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1784
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\de-DE\sihost.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4704
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2400
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uRWOxc209p.bat"
              4⤵
                PID:6056
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  5⤵
                    PID:1492
                  • C:\Recovery\WindowsRE\sppsvc.exe
                    "C:\Recovery\WindowsRE\sppsvc.exe"
                    5⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:5992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:3052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:4512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:3536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1976
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5108
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\odt\unsecapp.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3464
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4272
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4396
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:2748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:3136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5p" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\pOIK3KqYhOU5.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\pOIK3KqYhOU5.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4244
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5p" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\pOIK3KqYhOU5.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:772
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2004
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1012
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2820
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5p" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\pOIK3KqYhOU5.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:3428
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\pOIK3KqYhOU5.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:4972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "pOIK3KqYhOU5p" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\pOIK3KqYhOU5.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5204
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5840
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3872
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:3460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:5716
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:6124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:4252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
            1⤵
              PID:4076
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:5684
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\smss.exe'" /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2368
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:4120
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:5400
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\encapsulation\dllhost.exe'" /f
              1⤵
              • DcRat
              PID:6120
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:2424
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4380
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\SearchApp.exe'" /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:5480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Pictures\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:5488
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2404
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
              1⤵
              • DcRat
              PID:5664
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:2624
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:5476
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\sihost.exe'" /f
              1⤵
              • Creates scheduled task(s)
              PID:2344
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\sihost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:5556
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\sihost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:5784

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\pOIK3KqYhOU5.exe.log
              Filesize

              1KB

              MD5

              7800fca2323a4130444c572374a030f4

              SHA1

              40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

              SHA256

              29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

              SHA512

              c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              61e06aa7c42c7b2a752516bcbb242cc1

              SHA1

              02c54f8b171ef48cad21819c20b360448418a068

              SHA256

              5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

              SHA512

              03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              f6b5bbcd2386512d0b9af775e45d3770

              SHA1

              a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

              SHA256

              50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

              SHA512

              3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              63d5afdd42b24e7446787c07335bc175

              SHA1

              df4753e97375ec706839dbe70b1c6dc828372f12

              SHA256

              2dd056e730cbe6b12c0b3a46faf05aed1f02677924a5d2f33051f707f4dfcb12

              SHA512

              9a7c4d23bfd5b2098649727bec531b1b3925c901ffee319f4fc58d5c4be5a0fdb2aa497c75e71128df9a3d46f4f881984257f5074db70a9f391f43b3ddba05a9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              4a40b6dc9559e70af09a5466cba5abc6

              SHA1

              d4cfd42fe9afe6c43489950849d9cd38302cb4d6

              SHA256

              743601e30b004830c766fe094f50404ab1e82eefb07f113417c11c1b70fbf861

              SHA512

              70387883cfdbc3ebbf46d73cc0bd9039db5fc02f48bdafb20f0f50c4c4368ddf834e2675a061e1feb3c7865d0187554e0656f5962327f28a3538b29e994f8519

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              ed75df6460ae1a8159eee17daca696d6

              SHA1

              ff117141176c4e75d67d935c7311df191e641820

              SHA256

              9a15da41ac61a90afc18cb817c5885f3e32394257b1f3871c2141ebe5420c0cd

              SHA512

              082b3920587dbbe1a7605017d09f64448b976f40cb97a1e027dfb10bab8521c8a69a4bbe4990346bd629e5edbde7ea82a505e1f9287399e59d0439005f494eca

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              76de0d381ca270b0d7daa729b8040090

              SHA1

              3aefa584da0da87c1ef7b24b5eff0fca29348f54

              SHA256

              01768f5b8af8d74fe499a48537bf897f995ebab0ce3054c3a54fb48d2d7e7d93

              SHA512

              c305a3a6193bef8766e90e378735b2e343fa22134c177f977a1ccd6394717b33d523071374dcca5759cf7050745d496995f0c9eed944550d44cfe7b7766e01d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3cSGxVKOt0.bat
              Filesize

              215B

              MD5

              109d65d055b141b5aa2493a5dccedded

              SHA1

              5a283823001e4ab6a67022a8d2340a66a589a1d1

              SHA256

              c0a5f9a89c24df33325b6e6eefc5c1616c19b898d2e8de65f65fe813e06935f9

              SHA512

              3f6450a60883bdb86d7555b867ea167797474a2f4706e9cb4fbbea801e869147bfe79e0b8db2863c8fcb41f448afa43f498de532dd877f03380a7978a1b7e128

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fzhzqm4.djz.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe
              Filesize

              512KB

              MD5

              b42976c9dbbc1d35cc50c854b9998711

              SHA1

              eec52085e0399b4c7cc67759d05098bad47db121

              SHA256

              e86cedb86cb9c80c0a9f28a5822f8eaca1e413b19e7ab80a7b1d579d971438ef

              SHA512

              b568421a0155cf8d5d2de6fab62370c5b28c7078c78bc02fe3de622456f9d3ce0de490f625ebb700b513a4b0a328589174ec0dee19342ef6a2a08e90c4c8edce

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\uRWOxc209p.bat
              Filesize

              197B

              MD5

              a267c3a5e94832fc212572a79b15727a

              SHA1

              001373ac53be602d8146728d338930f126ac859e

              SHA256

              a35945a8b4f63e5cb66c97246aaa711bec130d1fc9c2af9f32837b014547aa0d

              SHA512

              7acddaa6863202f37c959e5b3da93e4356bd5a11a07be3f363490606e30d6c4d837988d6aaf75ebe69ce0642a60d02fb53690c5b68afbca493292eab3d6dd8ed

              Download Submit

            • C:\odt\sysmon.exe
              Filesize

              1.5MB

              MD5

              3fcc2cd6ab918b6b50d900e71d607dcc

              SHA1

              817aa25b5262a3210e96376b0e9df109c966331b

              SHA256

              ad9bbd24cfd9a512ea91dfa623d41908b520404761af2393ccb1c0dbd05fd3b3

              SHA512

              91325ae4d213ec24283c57a918b75933e1401a5d38694f7015c14d0162ee71339be196749ba8814194bce23803010b28bb1ab69e1bb192cd4d0904a593cc82d5

              Download Submit

            • C:\odt\unsecapp.exe
              Filesize

              1.5MB

              MD5

              78776612b260f09e939629b036c3c4a2

              SHA1

              bb671b7d0385cacc4756481df29dcc62bacfb4bb

              SHA256

              af2a0d3a997ab4aacd34c2cb383ff7572f46898035ce7b958a98df6b431591f5

              SHA512

              14714d0e3c57aa55294f274364c464464f3a74e45a2ed30daa6ea7075128c205d7a70a82c6b753526706180c1636c621068692ee372a0feacf785305116ec496

              Download Submit

            • memory/116-477-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/392-291-0x000001E826CB0000-0x000001E826CC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/392-290-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/672-500-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/700-506-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/700-498-0x0000020E0D1A0000-0x0000020E0D1B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/700-499-0x0000020E0D1A0000-0x0000020E0D1B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-292-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1308-293-0x00000260F0530000-0x00000260F0540000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-328-0x00000260F0530000-0x00000260F0540000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1604-507-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1992-501-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2052-289-0x000001C801550000-0x000001C801560000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2052-287-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2220-505-0x0000021D7F1A0000-0x0000021D7F1B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2220-495-0x0000021D7F1A0000-0x0000021D7F1B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2220-497-0x0000021D7F1A0000-0x0000021D7F1B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2220-494-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3224-508-0x0000028154FB0000-0x0000028154FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3224-492-0x0000028154FB0000-0x0000028154FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3224-490-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3464-504-0x000001B7EC870000-0x000001B7EC880000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3464-491-0x000001B7EC870000-0x000001B7EC880000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3464-489-0x000001B7EC870000-0x000001B7EC880000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3464-488-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3472-485-0x000001C289960000-0x000001C289970000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3472-481-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3472-487-0x000001C289960000-0x000001C289970000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3472-319-0x000001C289790000-0x000001C2897B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3768-351-0x00000254F3730000-0x00000254F3740000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3768-309-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3768-329-0x00000254F3730000-0x00000254F3740000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3996-496-0x00000258CFE40000-0x00000258CFE50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3996-493-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4276-473-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4276-474-0x000001AAEBD60000-0x000001AAEBD70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4276-476-0x000001AAEBD60000-0x000001AAEBD70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4544-0-0x0000000000AA0000-0x0000000000C2A000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4544-14-0x000000001B960000-0x000000001B970000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4544-1-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4544-2-0x000000001B960000-0x000000001B970000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4544-3-0x00000000014F0000-0x000000000150C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4544-4-0x000000001B8E0000-0x000000001B930000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4544-15-0x0000000002EC0000-0x0000000002ECC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4544-5-0x0000000001570000-0x0000000001580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4544-13-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4544-10-0x0000000002E90000-0x0000000002E9E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4544-6-0x0000000001580000-0x0000000001596000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4544-7-0x00000000015B0000-0x00000000015BA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4544-8-0x0000000002E70000-0x0000000002E7A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4544-9-0x0000000002E80000-0x0000000002E8E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4544-12-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4544-11-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4544-350-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4576-482-0x0000022718010000-0x0000022718020000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4576-479-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4576-480-0x0000022718010000-0x0000022718020000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4712-502-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4712-503-0x00000236FBE30000-0x00000236FBE40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4812-483-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4812-484-0x0000015642F40000-0x0000015642F50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4812-486-0x0000015642F40000-0x0000015642F50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4884-475-0x00000245FE530000-0x00000245FE540000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4884-436-0x00007FFB4AF20000-0x00007FFB4B9E1000-memory.dmp

              Filesize

              10.8MB

              Download