Overview

overview

10

Static

static

3

GameHackBuild(1).exe

windows10-2004-x64

10

GameHackBuild(1).exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GameHackBuild(1).exe

  • Size

    9.0MB

  • MD5

    35a0fbec2fc6d2a550a569719406d58d

  • SHA1

    bc73001a0600313803d3594dc51d3d0813dbdec1

  • SHA256

    221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d

  • SHA512

    2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f

  • SSDEEP

    196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps

Score
10/10
dcratorcusgamehackdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

C2

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\Windows\Defender\MpDefenderCoreProtion.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
    persistence
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 38 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe
    "C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
          "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3640
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecopk4kh\ecopk4kh.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0C0.tmp" "c:\Windows\System32\CSC3E1D5AA54CED4C10B16F37AFA2625CA4.TMP"
              6⤵
                PID:2476
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dwm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5464
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5488
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\services.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5496
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5520
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5528
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1wpfkPWzzI.bat"
              5⤵
                PID:5836
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  6⤵
                    PID:6460
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    6⤵
                      PID:6604
                    • C:\Windows\Tasks\RuntimeBroker.exe
                      "C:\Windows\Tasks\RuntimeBroker.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:6976
            • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
              "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1416
              • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:856
            • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
              "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2800
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
                3⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1140
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                    "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
                    5⤵
                    • Modifies WinLogon for persistence
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2100
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:2376
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:3536
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:3280
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4212
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:3672
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SppExtComObj.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4404
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Idle.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:1052
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\InstallUtil.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:1764
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:1192
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\wininit.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4420
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:2352
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:1176
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\services.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:2168
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\Idle.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:864
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3hIIe8yInk.bat"
                      6⤵
                        PID:4592
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          7⤵
                            PID:3364
                          • C:\Users\Public\csrss.exe
                            "C:\Users\Public\csrss.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:6896
                • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4948
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic diskdrive get model,serialnumber
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3332
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic path Win32_Keyboard get Description,DeviceID
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2724
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic path Win32_PointingDevice get Description,PNPDeviceID
                    3⤵
                      PID:5092
                    • C:\Windows\System32\Wbem\wmic.exe
                      wmic path Win32_PointingDevice get Description,PNPDeviceID
                      3⤵
                        PID:1400
                      • C:\Windows\System32\Wbem\wmic.exe
                        wmic path Win32_DesktopMonitor get Description,PNPDeviceID
                        3⤵
                          PID:1700
                        • C:\Windows\System32\Wbem\wmic.exe
                          wmic get name
                          3⤵
                            PID:4416
                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                        C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2452
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1416
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3332
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4400
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:440
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1648
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5092
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3080
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4240
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1828
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1104
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3004
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1332
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3652
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4356
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3536
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3280
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SppExtComObj.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4404
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SppExtComObj.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1764
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SppExtComObj.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4420
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1176
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3736
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1124
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:436
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1376
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4924
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "InstallUtil" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2648
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2024
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\dllhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4792
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4892
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:908
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3216
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\wininit.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2928
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2640
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3332
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Oracle\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4172
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3444
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2028
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2196
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\services.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5092
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:808
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3080
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4208
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1700
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4860
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\services.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1380
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1104
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3004
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1812
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2420
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2688
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:220
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2032
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4416
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4264
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5428
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5940
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5456
                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                        C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:6176

                      Network

                      MITRE ATT&CK Enterprise v15

                      Reconnaissance

                      Resource Development

                      Initial Access

                      Execution

                      Command and Scripting Interpreter

                      1
                      T1059

                      PowerShell

                      1
                      T1059.001

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Persistence

                      Boot or Logon Autostart Execution

                      2
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Winlogon Helper DLL

                      1
                      T1547.004

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      2
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Winlogon Helper DLL

                      1
                      T1547.004

                      Scheduled Task/Job

                      1
                      T1053

                      Scheduled Task

                      1
                      T1053.005

                      Defense Evasion

                      Modify Registry

                      2
                      T1112

                      Credential Access

                      Credentials from Password Stores

                      1
                      T1555

                      Credentials from Web Browsers

                      1
                      T1555.003

                      Unsecured Credentials

                      2
                      T1552

                      Credentials In Files

                      2
                      T1552.001

                      Discovery

                      Query Registry

                      2
                      T1012

                      System Information Discovery

                      2
                      T1082

                      System Location Discovery

                      1
                      T1614

                      System Language Discovery

                      1
                      T1614.001

                      Lateral Movement

                      Collection

                      Data from Local System

                      2
                      T1005

                      Command and Control

                      Exfiltration

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        d85ba6ff808d9e5444a4b369f5bc2730

                        SHA1

                        31aa9d96590fff6981b315e0b391b575e4c0804a

                        SHA256

                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                        SHA512

                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log
                        Filesize

                        1KB

                        MD5

                        663b8d5469caa4489d463aa9bc18124f

                        SHA1

                        e57123a7d969115853ea631a3b33826335025d28

                        SHA256

                        7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

                        SHA512

                        45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        3a6bad9528f8e23fb5c77fbd81fa28e8

                        SHA1

                        f127317c3bc6407f536c0f0600dcbcf1aabfba36

                        SHA256

                        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                        SHA512

                        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        d28a889fd956d5cb3accfbaf1143eb6f

                        SHA1

                        157ba54b365341f8ff06707d996b3635da8446f7

                        SHA256

                        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                        SHA512

                        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        bd5940f08d0be56e65e5f2aaf47c538e

                        SHA1

                        d7e31b87866e5e383ab5499da64aba50f03e8443

                        SHA256

                        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                        SHA512

                        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        e243a38635ff9a06c87c2a61a2200656

                        SHA1

                        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                        SHA256

                        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                        SHA512

                        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        aaaac7c68d2b7997ed502c26fd9f65c2

                        SHA1

                        7c5a3731300d672bf53c43e2f9e951c745f7fbdf

                        SHA256

                        8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

                        SHA512

                        c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        5f0ddc7f3691c81ee14d17b419ba220d

                        SHA1

                        f0ef5fde8bab9d17c0b47137e014c91be888ee53

                        SHA256

                        a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                        SHA512

                        2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        2e907f77659a6601fcc408274894da2e

                        SHA1

                        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                        SHA256

                        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                        SHA512

                        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        cadef9abd087803c630df65264a6c81c

                        SHA1

                        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                        SHA256

                        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                        SHA512

                        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\1wpfkPWzzI.bat
                        Filesize

                        210B

                        MD5

                        0b9a228862a3cea8307f5a8b9cb980f3

                        SHA1

                        f3444bae95c2d927615e0cc035bab5d800d26fe3

                        SHA256

                        b3e8abfdb4d6788cdc614ccc9910ea15587e50753ee949e3d6f06a344c88c1c0

                        SHA512

                        d4213a2887e07acb954d8d2afed87df1ef555d4231c71506f0314779bfc6184e770b583091a498f7cbf311753be0505ccd791a08ac8f376d21b913b570c6796a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\3hIIe8yInk.bat
                        Filesize

                        190B

                        MD5

                        839eda97d400b4eeb8b770ad8423ce14

                        SHA1

                        153a512e642c601d51b8b66b0534159a000eed3a

                        SHA256

                        24f558ef1c5e94d984b4a40a1a7a65eb55eedae93117c9fb2d5b3c7b238b5e17

                        SHA512

                        d69fb073f0dbb44736514a93090ec4da440d8806097b03838386084e5208e2a6a2eb66857a82329db2265ca0f866876010e93e44381cb6f4be1ec16bbc629e4f

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\5FqbMCUgcX
                        Filesize

                        116KB

                        MD5

                        f70aa3fa04f0536280f872ad17973c3d

                        SHA1

                        50a7b889329a92de1b272d0ecf5fce87395d3123

                        SHA256

                        8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                        SHA512

                        30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RESC0C0.tmp
                        Filesize

                        1KB

                        MD5

                        516c90291de43dab383b0675531be2cd

                        SHA1

                        499c98b5b243b7a9e8859ea95e8f2d82a19c900a

                        SHA256

                        4eab2891ccbf775b0b17c084dd7a2ef36a4ffcebb4d825915e1edf7ba16de2c8

                        SHA512

                        6910c3d958aa662b491fbf12f6f0c47c1bd17f2c4d297c9f679579a58a139d570d90ac6b75ab064ca68bcedcd0addcbd40a3f7b9fde4c206d6f939bb416f4c54

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbhomj0v.5o5.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\qleH5Jotbw
                        Filesize

                        114KB

                        MD5

                        2ba42ee03f1c6909ca8a6575bd08257a

                        SHA1

                        88b18450a4d9cc88e5f27c8d11c0323f475d1ae6

                        SHA256

                        a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd

                        SHA512

                        a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\usKRBCrQDd
                        Filesize

                        40KB

                        MD5

                        a182561a527f929489bf4b8f74f65cd7

                        SHA1

                        8cd6866594759711ea1836e86a5b7ca64ee8911f

                        SHA256

                        42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                        SHA512

                        9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
                        Filesize

                        104B

                        MD5

                        fbef3b76368e503dca520965bb79565f

                        SHA1

                        9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

                        SHA256

                        bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

                        SHA512

                        2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                        Filesize

                        1.6MB

                        MD5

                        bc7804fca6dd09b4f16e86d80b8d28fa

                        SHA1

                        a04800b90db1f435dd1ac723c054b14d6dd16c8a

                        SHA256

                        1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce

                        SHA512

                        7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                        Filesize

                        3.0MB

                        MD5

                        10e817a4d5e216279a8de8ed71c91044

                        SHA1

                        97c6fb42791be24d12bd74819ef67fa8f3d21724

                        SHA256

                        c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

                        SHA512

                        34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                        Filesize

                        4.6MB

                        MD5

                        e8c32cc88db9fef57fd9e2bb6d20f70b

                        SHA1

                        e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

                        SHA256

                        f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

                        SHA512

                        077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
                        Filesize

                        263B

                        MD5

                        a05e26d89c5be7e2c6408b09cd05cf74

                        SHA1

                        c24231c6301f499b35441615b63db6969a1762fd

                        SHA256

                        05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

                        SHA512

                        8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                        Filesize

                        556KB

                        MD5

                        00c4245522082b7f87721f9a26e96ba4

                        SHA1

                        993a8aa88436b6c62b74bb399c09b8d45d9fb85b

                        SHA256

                        a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

                        SHA512

                        fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
                        Filesize

                        357B

                        MD5

                        a2b76cea3a59fa9af5ea21ff68139c98

                        SHA1

                        35d76475e6a54c168f536e30206578babff58274

                        SHA256

                        f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

                        SHA512

                        b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
                        Filesize

                        48B

                        MD5

                        2fa8decc3dafe6f196f6c28769192e7c

                        SHA1

                        69f4e0cf41b927634a38b77a8816ca58c0bfb2de

                        SHA256

                        7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30

                        SHA512

                        c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                        Filesize

                        1.3MB

                        MD5

                        52c95032ff8b8c3d4dfd98e51d8f6f58

                        SHA1

                        e841a32cb07adaad4db35b1f87b5df6e019eb9af

                        SHA256

                        39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4

                        SHA512

                        a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
                        Filesize

                        227B

                        MD5

                        d47062c8738a534fc931c0f341a61773

                        SHA1

                        c1175037a0e96363da56bc9d8abdb726cddc74fc

                        SHA256

                        484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a

                        SHA512

                        9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\ecopk4kh\ecopk4kh.0.cs
                        Filesize

                        382B

                        MD5

                        9a093ed6233ca25f2049ef7dc4d6a864

                        SHA1

                        7b253a0559445ec8cac2fefc142935e0fede04b8

                        SHA256

                        be7ea8c2ea4dc1e6b66ab268fe7b02f0a95bb4d3041b27b86f91f9ba50e6496e

                        SHA512

                        dc0775e36ea5fe4c428fe45d28db9b28d8316a4fcf2196a38a8ea93379382c8118f5efe116c60b102ed204d757a8ce99827e9b57381d1e2b4510966d23760e39

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\ecopk4kh\ecopk4kh.cmdline
                        Filesize

                        235B

                        MD5

                        e2548dc5efd7aa5f95b55ec0cb31cefd

                        SHA1

                        edb751835b89184e610225220c7fbdaa1dee5221

                        SHA256

                        60b4261f33dd370a289debccd3cdbda0f94b52b45292291cacfecc018394ca50

                        SHA512

                        51a96b1f45512a415664cb23133f4beeaa5017b4fcd6d76e89b93ccf2f52d6d03509d7d1bcf4d8abd535332cb1fc02e02b5eceb28337cd3022bbc9464817fd06

                        Download Submit

                      • \??\c:\Windows\System32\CSC3E1D5AA54CED4C10B16F37AFA2625CA4.TMP
                        Filesize

                        1KB

                        MD5

                        be99f41194f5159cc131a1a4353a0e0a

                        SHA1

                        f24e3bf06e777b4de8d072166cff693e43f2295c

                        SHA256

                        564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

                        SHA512

                        51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

                        Download Submit

                      • memory/856-76-0x0000000005D60000-0x0000000005D78000-memory.dmp

                        Filesize

                        96KB

                        Download

                      • memory/856-141-0x00000000083C0000-0x0000000008410000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/856-75-0x00000000058A0000-0x00000000058B2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/856-77-0x00000000066F0000-0x0000000006700000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/856-78-0x0000000006A20000-0x0000000006A2A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/856-81-0x00000000071F0000-0x0000000007256000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/856-136-0x00000000074A0000-0x00000000074AE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/856-132-0x0000000007EA0000-0x0000000008062000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/856-131-0x00000000074C0000-0x00000000075CA000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/856-130-0x0000000007330000-0x000000000737C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/856-127-0x0000000007290000-0x00000000072A2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/856-128-0x00000000072F0000-0x000000000732C000-memory.dmp

                        Filesize

                        240KB

                        Download

                      • memory/856-126-0x0000000007880000-0x0000000007E98000-memory.dmp

                        Filesize

                        6.1MB

                        Download

                      • memory/1416-35-0x0000000072A6E000-0x0000000072A6F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1416-45-0x0000000000630000-0x000000000092E000-memory.dmp

                        Filesize

                        3.0MB

                        Download

                      • memory/1416-48-0x0000000002B40000-0x0000000002B4E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/1416-50-0x00000000053B0000-0x000000000540C000-memory.dmp

                        Filesize

                        368KB

                        Download

                      • memory/1416-51-0x0000000005AB0000-0x0000000006054000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/1416-52-0x0000000005500000-0x0000000005592000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/1416-53-0x00000000059F0000-0x0000000005A02000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2036-72-0x00000000064D0000-0x000000000656C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/2036-69-0x0000000005590000-0x00000000055A2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2036-70-0x0000000005B70000-0x0000000005BBE000-memory.dmp

                        Filesize

                        312KB

                        Download

                      • memory/2100-137-0x0000000000B90000-0x0000000000B9E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2100-133-0x0000000000B70000-0x0000000000B8C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2100-134-0x000000001B470000-0x000000001B486000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2100-135-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2100-138-0x000000001B490000-0x000000001B49C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2100-129-0x00000000001C0000-0x000000000031A000-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/3640-98-0x0000000001310000-0x000000000131E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3640-89-0x000000001B7C0000-0x000000001B8C4000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/3640-104-0x0000000002D30000-0x0000000002D3C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/3640-102-0x0000000001330000-0x000000000133E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3640-100-0x0000000001320000-0x000000000132C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/3640-93-0x0000000002CF0000-0x0000000002D0C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/3640-94-0x000000001B8C0000-0x000000001B910000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/3640-96-0x0000000002D10000-0x0000000002D28000-memory.dmp

                        Filesize

                        96KB

                        Download

                      • memory/3640-88-0x0000000000C30000-0x0000000000C38000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/3640-108-0x000000001B770000-0x000000001B77E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3640-106-0x000000001B760000-0x000000001B76C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/3640-91-0x0000000001300000-0x000000000130E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3640-110-0x000000001B780000-0x000000001B78C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/4420-192-0x000002404EBC0000-0x000002404EBE2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4948-83-0x0000000000400000-0x0000000000DF4000-memory.dmp

                        Filesize

                        10.0MB

                        Download

                      • memory/4948-40-0x0000000000400000-0x0000000000DF4000-memory.dmp

                        Filesize

                        10.0MB

                        Download