Overview

overview

10

Static

static

3

GameHackBuild(1).exe

windows10-2004-x64

10

GameHackBuild(1).exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    72s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07-11-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GameHackBuild(1).exe

  • Size

    9.0MB

  • MD5

    35a0fbec2fc6d2a550a569719406d58d

  • SHA1

    bc73001a0600313803d3594dc51d3d0813dbdec1

  • SHA256

    221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d

  • SHA512

    2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f

  • SSDEEP

    196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps

Score
10/10
dcratorcusgamehackdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

C2

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\Windows\Defender\MpDefenderCoreProtion.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 29 IoCs
    persistence
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 58 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe
    "C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
          "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvxhrc0h\dvxhrc0h.cmdline"
            5⤵
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3908
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1E6.tmp" "c:\Windows\Containers\serviced\CSC7C26155F2E3F4B56AB357B8CBD979FA1.TMP"
              6⤵
                PID:4752
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1ry3pxu\q1ry3pxu.cmdline"
              5⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD39C.tmp" "c:\Windows\System32\WindowsPowerShell\v1.0\CSCB4870DC440574D67BD9DA1D29E564B36.TMP"
                6⤵
                  PID:4528
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxkseyt5\xxkseyt5.cmdline"
                5⤵
                • Drops file in System32 directory
                PID:2768
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD467.tmp" "c:\Windows\System32\CSC3ABBE63FD7BE4EC487D87F744ABBD9BB.TMP"
                  6⤵
                    PID:4552
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5572
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\dllhost.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5584
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Registry.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5592
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\sppsvc.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5600
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\explorer.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5608
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5616
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQ4Mb1yRtC.bat"
                  5⤵
                    PID:5796
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      6⤵
                        PID:3656
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        6⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4540
                      • C:\Program Files\Microsoft Office\Registry.exe
                        "C:\Program Files\Microsoft Office\Registry.exe"
                        6⤵
                          PID:2228
                • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
                  2⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4624
                  • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                    "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:4688
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      4⤵
                        PID:1456
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2040
                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                    "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
                    2⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:4612
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
                      3⤵
                      • Checks computer location settings
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4356
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
                        4⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3060
                        • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                          "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
                          5⤵
                          • Modifies WinLogon for persistence
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Drops file in System32 directory
                          • Drops file in Program Files directory
                          • Drops file in Windows directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3136
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4580
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\OfficeClickToRun.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:336
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4424
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:348
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4932
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:2700
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:2708
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\System.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:3088
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:1064
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yV3tPJWGBp.bat"
                            6⤵
                              PID:3596
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                7⤵
                                  PID:3136
                                • C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe"
                                  7⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  PID:5648
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe.exe"
                                    8⤵
                                    • Modifies WinLogon for persistence
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    PID:4468
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:4740
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5572
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:6004
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5804
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\cmd.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5944
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5460
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\unsecapp.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5892
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5896
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\winlogon.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:3048
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\SearchApp.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:6000
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5832
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\backgroundTaskHost.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5996
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AppLocker\MoUsoCoreWorker.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:1644
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\SearchApp.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:6080
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5940
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\wininit.exe'
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:2024
                                      • C:\Windows\System32\Conhost.exe
                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        10⤵
                                          PID:5616
                                      • C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe
                                        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe"
                                        9⤵
                                        • Executes dropped EXE
                                        PID:4472
                                    • C:\Recovery\WindowsRE\RuntimeBroker.exe
                                      "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                                      8⤵
                                      • Executes dropped EXE
                                      PID:4820
                        • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                          "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2096
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic diskdrive get model,serialnumber
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3428
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic path Win32_Keyboard get Description,DeviceID
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4896
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic path Win32_PointingDevice get Description,PNPDeviceID
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2824
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic path Win32_PointingDevice get Description,PNPDeviceID
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3956
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic path Win32_DesktopMonitor get Description,PNPDeviceID
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1628
                          • C:\Windows\System32\Wbem\wmic.exe
                            wmic get name
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1384
                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                        "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3660
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\OfficeClickToRun.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4328
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2088
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1040
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:1120
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:64
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:848
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4792
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:3244
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5088
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1196
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:5084
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1776
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2340
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:2488
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:1056
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:776
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2560
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:2660
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1440
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:1380
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1648
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\Java\System.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1116
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Sun\Java\System.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4616
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\System.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4456
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3704
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1068
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4020
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1380
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:2616
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3716
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Registry.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:2720
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Registry.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3252
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Registry.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2148
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\es-ES\sppsvc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5176
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5252
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5328
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\explorer.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5420
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:5456
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5484
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5508
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:5540
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5564
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1168
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:6120
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3452
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:3908
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhost.exe" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3928
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1092
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1456
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2712
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3480
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5680
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1048
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4012
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2660
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3364
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:3540
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:1216
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3172
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5448
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5524
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1736
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        PID:2236
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\INT\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4896
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:4100
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1144
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1488
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:5188
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1076
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:64
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /rl HIGHEST /f
                        1⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:5372
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /rl HIGHEST /f
                        1⤵
                          PID:3244
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\OEM\backgroundTaskHost.exe'" /f
                          1⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2248
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\OEM\backgroundTaskHost.exe'" /rl HIGHEST /f
                          1⤵
                            PID:3924
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\OEM\backgroundTaskHost.exe'" /rl HIGHEST /f
                            1⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:4968
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\AppLocker\MoUsoCoreWorker.exe'" /f
                            1⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:5136
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\System32\AppLocker\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                            1⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:4652
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\AppLocker\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                            1⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:992
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /f
                            1⤵
                              PID:1656
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
                              1⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:5360
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
                              1⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:3564
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe.exe'" /f
                              1⤵
                                PID:5988
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "conhost.exe" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe.exe'" /rl HIGHEST /f
                                1⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:5836
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe.exe'" /rl HIGHEST /f
                                1⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:5992
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
                                1⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:5760
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:5356
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                  PID:5516
                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                                  "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                                  1⤵
                                    PID:4784

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Reconnaissance

                                  Resource Development

                                  Initial Access

                                  Execution

                                  Command and Scripting Interpreter

                                  1
                                  T1059

                                  PowerShell

                                  1
                                  T1059.001

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Persistence

                                  Boot or Logon Autostart Execution

                                  2
                                  T1547

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1547.001

                                  Winlogon Helper DLL

                                  1
                                  T1547.004

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Privilege Escalation

                                  Boot or Logon Autostart Execution

                                  2
                                  T1547

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1547.001

                                  Winlogon Helper DLL

                                  1
                                  T1547.004

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Defense Evasion

                                  Modify Registry

                                  2
                                  T1112

                                  Credential Access

                                  Credentials from Password Stores

                                  1
                                  T1555

                                  Credentials from Web Browsers

                                  1
                                  T1555.003

                                  Unsecured Credentials

                                  3
                                  T1552

                                  Credentials In Files

                                  2
                                  T1552.001

                                  Credentials in Registry

                                  1
                                  T1552.002

                                  Discovery

                                  Query Registry

                                  2
                                  T1012

                                  Remote System Discovery

                                  1
                                  T1018

                                  System Information Discovery

                                  2
                                  T1082

                                  System Location Discovery

                                  1
                                  T1614

                                  System Language Discovery

                                  1
                                  T1614.001

                                  System Network Configuration Discovery

                                  1
                                  T1016

                                  Internet Connection Discovery

                                  1
                                  T1016.001

                                  Lateral Movement

                                  Collection

                                  Data from Local System

                                  3
                                  T1005

                                  Command and Control

                                  Exfiltration

                                  Impact

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                    Filesize

                                    3KB

                                    MD5

                                    3eb3833f769dd890afc295b977eab4b4

                                    SHA1

                                    e857649b037939602c72ad003e5d3698695f436f

                                    SHA256

                                    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                                    SHA512

                                    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log
                                    Filesize

                                    1KB

                                    MD5

                                    c68a2e976c1f2f378d322b9a73864ae9

                                    SHA1

                                    c5fcbe5512f04aef44e3003965525b11b19d090b

                                    SHA256

                                    7d1eb548705640194f5dd9935645dedfdf928a365d6131273ca1f0e85fb860e5

                                    SHA512

                                    e978e1281c015597d9b6616a3216ff3597219915e990b0d080a41f6218d7f2fb470d016591fd7a9d4833e3ac31a2855320899af3b4204d175d5a3be012808f1b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    83d94e8aa23c7ad2db6f972739506306

                                    SHA1

                                    bd6d73d0417971c0077f772352d2f538a6201024

                                    SHA256

                                    dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

                                    SHA512

                                    4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    af1cc13f412ef37a00e668df293b1584

                                    SHA1

                                    8973b3e622f187fcf484a0eb9fa692bf3e2103cb

                                    SHA256

                                    449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

                                    SHA512

                                    75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    8bd23aab2f3dde6d419bc23912cedd13

                                    SHA1

                                    10dc192ce97798bafb97afc025fc48c87bbae61e

                                    SHA256

                                    f4ef5307e90a68fc6882f59f6005d8459688d1000e58594d11f576e923a0c99b

                                    SHA512

                                    ab80c811f3f7e8bb620732c4315eb2a42b2239fddd5ec0eafa46b005760faa3c9c0301d91330cffd8e79c49c0d3d847ce8afbafe1889f3f1822313015c8c5ff5

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    0abaf75ed9de3c6a6d7bfe4433970f6b

                                    SHA1

                                    d776203957d89412112d46c9ce18a6ac427ff822

                                    SHA256

                                    fc4259f935f700a925da2c7b4c17021761f738cc1bb857a72f7efc431ab7fbe1

                                    SHA512

                                    02d5fba0d472cc09b85635771b34381dbe4be5712bae2a10bcf5cb65c3784314b468bb0fc795cef7447b77b887130abf740d3c27428a0963d428f799e9f1f32b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    90d696d6a8ab185c1546b111fa208281

                                    SHA1

                                    b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

                                    SHA256

                                    78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

                                    SHA512

                                    0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    60b3262c3163ee3d466199160b9ed07d

                                    SHA1

                                    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

                                    SHA256

                                    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

                                    SHA512

                                    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    6a807b1c91ac66f33f88a787d64904c1

                                    SHA1

                                    83c554c7de04a8115c9005709e5cd01fca82c5d3

                                    SHA256

                                    155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

                                    SHA512

                                    29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    34076a7ed20957dea3a1468e5782e7f1

                                    SHA1

                                    3867b375ec4709d6c46358701c225096e40951c0

                                    SHA256

                                    a36abe7ac03cd5eda1c36ea2c89b2408d1a253fe5451165f473a8971414c0921

                                    SHA512

                                    d70f6d6f1d0ccae8bf2ca24a5b577e66c9392e749c414f5a7c8a659275042d8c40ec0b0695777d7b36003736038caec728effbad6517f217e4458dbff18403dd

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    cdbbe7e6f925bfe06f5e44d2ad68152f

                                    SHA1

                                    63a85c1fe44ce04415b99e3ed494a29847a50bdf

                                    SHA256

                                    8ba65fb63e378a28656574eed54550430c9ddf7c75661b9163696031d4bb3c40

                                    SHA512

                                    11be9ef6262a6a1a2222c94249c509955886419264e120a7e1e45d48e7aec08228fdd32f67cbeaa3fd7ab98b74f81a4005060f0fbe2b1cb2079c0d8bf3b775ea

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    34a000649429d01cdadcfc499b976bdf

                                    SHA1

                                    3ca9856936fe9f0ee030eb9a27051deeb6e01c5c

                                    SHA256

                                    3f20cf99f7425267157c2ae34e7e306b613f30b80a101749df8f9ca599df4cb5

                                    SHA512

                                    3912f27d20de5c1af767b35430eb5ab98deac76d34a019731b30e974ed5251d9f56f8692be7c9ff629dfcb9777ddee089c4735f17a8da0e989c694babb1347b0

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    def690aaf9402f3d8b9af5c4065a8e42

                                    SHA1

                                    c23e8003245beb13b2a5591a1a1900a563fb964d

                                    SHA256

                                    a345a568640e59fd842638965718e3cf1142bc72257e214fb860b5d44dfdb740

                                    SHA512

                                    e59943044811ac6571aa33f36b1280ee59fa1ec70d458cbfcb8b590e9f1cb4c3902e89e056affd820e54f24c988561ecf99d73679b0e0987f648101237b525b0

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    b01705aeee3b26aaf44b9ef31df7dedc

                                    SHA1

                                    8b28cc637d07e2fb48491f7d583a22f5f450e8a7

                                    SHA256

                                    f8fdd3b32d894efb455c4bf51ab495d0c9c29bbfbe5ccd7450ef89be1bb80b05

                                    SHA512

                                    be2c4dabd826bd1327aa183daf37047b48aee39e19c318c5cbd32bc8ab30faced54040210eb1f536ac725aeb426733ffaafd1d9da9a3eace96bc3c917032ea08

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    1KB

                                    MD5

                                    82f2debea0d24d000deba3949e291db3

                                    SHA1

                                    7486ee37bb97577d3215d3aba1885094a15747cd

                                    SHA256

                                    372710e95d53b25241bddf65f5584cc365fa113db89718c37869c8e2f1392deb

                                    SHA512

                                    95a2255da38fc51cee584e8a3023b8966ead2e04429188484b07f3bd1d397a0bb94502b27e4c785992e1fd6719c4c34b0b336d6a95d8826898573572e0444615

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\RESD1E6.tmp
                                    Filesize

                                    1KB

                                    MD5

                                    a4355a94d8a3353fc0a5abfe5049d32e

                                    SHA1

                                    60b36c266c20a8aa932014e6707e0cd86439c5c7

                                    SHA256

                                    8b749abfd4d510cda6d67d1dcc9faf959b0ed1371e3f1708c9ad197fa94be748

                                    SHA512

                                    df932c5fc2beb167b0f532bea89efc0bdc196485c706f066ab2ed3198475c04e94f3427ff0d307eb6b098c6bb169d9eeb07947733804b88586d63aa53dac2fce

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\RESD39C.tmp
                                    Filesize

                                    1KB

                                    MD5

                                    1fe23a3b84e031b7993cda0341e9b709

                                    SHA1

                                    ca76002827cb06f76e8685b8c984889cf67c6030

                                    SHA256

                                    e2c32c1063e71cb4358d675e28b33701bada553f18b402e5033a89a5c11c1a2d

                                    SHA512

                                    71bdc4f4125e2b7ce0531a4de63235d9f5c4e7cc15b19576ae56b9e753b11fbd6d37c73a0a47a6ee72ed4cf46f9283276669762ef49df2e616f0cd2228ff3238

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\RESD467.tmp
                                    Filesize

                                    1KB

                                    MD5

                                    5578881c0d8ffb3498b9169a4c793477

                                    SHA1

                                    b045010750aaf4c957361dadffea11a211b590b2

                                    SHA256

                                    bf1cb8a2e1de7504a1a0a26baf562329691ea7c540834d0b8ce3d268e690b0b5

                                    SHA512

                                    f7a818a4f7f5e2fdb3705f9383acaa8e6483391a81681f188e350f14acf71c2f3ae8f035fe11aa3a781eba81507df2f66ef3f64c45ef1663032072c46b4aa5d8

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhvju5tr.h5e.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\yQ4Mb1yRtC.bat
                                    Filesize

                                    174B

                                    MD5

                                    8d20817c40d4349632d0c8b310a73a46

                                    SHA1

                                    8a6a8aff18a817ff00b90de14678f306cae0b01c

                                    SHA256

                                    d09240abf57ddb0cf7608a42433927264be9320a2a0b3e94c19aef62c0b33a94

                                    SHA512

                                    b354995e6604497d6dd6d72eb5b5dfb0fb4638ce40e23527edd577d530aa2a28fee4484a87017517d0ba99b035bfe4eb174fe268ccef8cd2f4c8dfbcefa2b38c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\yV3tPJWGBp.bat
                                    Filesize

                                    219B

                                    MD5

                                    86dd956cbd2c84fad3a0376d2ac4751d

                                    SHA1

                                    de3d604091403cc216dad47ba92c6605efae520c

                                    SHA256

                                    a4ab63ef473b68716b02dc12b5bbc7ff9e8ed236ae3add1c9e2afc41777d192b

                                    SHA512

                                    f5a4d347f5f18705d7a766bd66e4d820eb47822b396c22e9285bd193d2f91e9edeca95e2715f178d63602c5ee13de1000449b5f39f7ae80695a57f5d3f340b23

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
                                    Filesize

                                    104B

                                    MD5

                                    fbef3b76368e503dca520965bb79565f

                                    SHA1

                                    9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

                                    SHA256

                                    bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

                                    SHA512

                                    2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                    Filesize

                                    1.6MB

                                    MD5

                                    bc7804fca6dd09b4f16e86d80b8d28fa

                                    SHA1

                                    a04800b90db1f435dd1ac723c054b14d6dd16c8a

                                    SHA256

                                    1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce

                                    SHA512

                                    7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                                    Filesize

                                    3.0MB

                                    MD5

                                    10e817a4d5e216279a8de8ed71c91044

                                    SHA1

                                    97c6fb42791be24d12bd74819ef67fa8f3d21724

                                    SHA256

                                    c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

                                    SHA512

                                    34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                                    Filesize

                                    4.6MB

                                    MD5

                                    e8c32cc88db9fef57fd9e2bb6d20f70b

                                    SHA1

                                    e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

                                    SHA256

                                    f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

                                    SHA512

                                    077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
                                    Filesize

                                    263B

                                    MD5

                                    a05e26d89c5be7e2c6408b09cd05cf74

                                    SHA1

                                    c24231c6301f499b35441615b63db6969a1762fd

                                    SHA256

                                    05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

                                    SHA512

                                    8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    Filesize

                                    556KB

                                    MD5

                                    00c4245522082b7f87721f9a26e96ba4

                                    SHA1

                                    993a8aa88436b6c62b74bb399c09b8d45d9fb85b

                                    SHA256

                                    a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

                                    SHA512

                                    fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
                                    Filesize

                                    357B

                                    MD5

                                    a2b76cea3a59fa9af5ea21ff68139c98

                                    SHA1

                                    35d76475e6a54c168f536e30206578babff58274

                                    SHA256

                                    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

                                    SHA512

                                    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
                                    Filesize

                                    48B

                                    MD5

                                    2fa8decc3dafe6f196f6c28769192e7c

                                    SHA1

                                    69f4e0cf41b927634a38b77a8816ca58c0bfb2de

                                    SHA256

                                    7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30

                                    SHA512

                                    c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    Filesize

                                    1.3MB

                                    MD5

                                    52c95032ff8b8c3d4dfd98e51d8f6f58

                                    SHA1

                                    e841a32cb07adaad4db35b1f87b5df6e019eb9af

                                    SHA256

                                    39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4

                                    SHA512

                                    a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
                                    Filesize

                                    227B

                                    MD5

                                    d47062c8738a534fc931c0f341a61773

                                    SHA1

                                    c1175037a0e96363da56bc9d8abdb726cddc74fc

                                    SHA256

                                    484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a

                                    SHA512

                                    9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39

                                    Download Submit

                                  • C:\Windows\System32\WindowsPowerShell\v1.0\conhost.exe
                                    Filesize

                                    4KB

                                    MD5

                                    bc36ae255e3d161c24f126d8a58bf7ab

                                    SHA1

                                    8379679ff96c427c42546ec6cadd03f0a989dc11

                                    SHA256

                                    4bde3f6452d481604ccdc551f50d52c96d32872ae34a3325c03a6df25c5025d6

                                    SHA512

                                    bcaac1326de0ed63798021603d881df239a05f1a8ea82695e68bf3f2847b2b9b7a6fb58021e7c55c3a80deb01d79cf092d642fc8e08b3d6213091fcdc79377e9

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\dvxhrc0h\dvxhrc0h.0.cs
                                    Filesize

                                    392B

                                    MD5

                                    e25862eedea8a42b6b395ae984904f6b

                                    SHA1

                                    c3349c92d401aa31c8df6ddd0a5c1ff9e0e0f758

                                    SHA256

                                    efb99c5c0a9e8a3b9a82b2916da7b1a7b24deb034d4de8a28c779a021a9e948f

                                    SHA512

                                    bd4faebf8868acd6f179bd9fe3d13e646861ecf5b9f8aa08928fed28b0bc4c18af5186743223702d1354740ed61c697b5c5c23cb1d6739b27497daf2fb6d17b4

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\dvxhrc0h\dvxhrc0h.cmdline
                                    Filesize

                                    256B

                                    MD5

                                    9c0677de2894908160d2ab009177e256

                                    SHA1

                                    35ca5d9c9d4131e90f48eab669d045afb01947f7

                                    SHA256

                                    9b57b11c316b4de655db19990a849cd07ac817f0c65b1e921fbeac052c37b006

                                    SHA512

                                    dc62756639b4a28660fc4dc276a70757db100be2ec7a433ebcfa4ebf624dc80d7751c349044d70f2ae76195dc6e2572e56f86103111492370902635e093c3055

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\q1ry3pxu\q1ry3pxu.0.cs
                                    Filesize

                                    395B

                                    MD5

                                    528e3d5217b77f92dc41b7d34b8ca992

                                    SHA1

                                    a002b8d3700bb950200942a5406ce745af2a4412

                                    SHA256

                                    2ed2e58884cf90fc0a4f18ab1529c44736545c798c441031ca726d0e578eb21c

                                    SHA512

                                    4cbe4a2c8503979d1e80e7ba42c7e9c45ea6bbd17e6f0a3a06009abe4ef3e57718582d73907e6888e1969fd959350baccbd0561e659f17d5daa152209cdeec90

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\q1ry3pxu\q1ry3pxu.cmdline
                                    Filesize

                                    259B

                                    MD5

                                    22f36fa3ae0d39f575f670f3d99732a2

                                    SHA1

                                    578f24f699a9d315ec07e51745604e711e099c8d

                                    SHA256

                                    9b98edbd9560abe6641f8d6dcbd06b55f9d6d2e175183c598837676645a1d466

                                    SHA512

                                    6f5b0e96026d9faed450c2dc61f912203662ba632a3001f6af5e85e73ae85de6bec901bcbb082b40155ce5bd0c88e009c7b47dd35f75f832d8690eb6f66c88f1

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\xxkseyt5\xxkseyt5.0.cs
                                    Filesize

                                    371B

                                    MD5

                                    2af777175cf75509562440b094bc0daa

                                    SHA1

                                    7903dcdc9ee3a73006bf1f650441c4e35087e8f7

                                    SHA256

                                    6d70b78a1c0fbfb620d14a6bfbe6f5b6f72b811887f36d298a4be6362188bd29

                                    SHA512

                                    fc3e5b126297bd7aa10afa03332082d42d041e0feb2182e4224463f14c6ea45b79c5b614b2f287e95743491a0e2284c55d61ccd526e98c63acd41e89f4ccb10b

                                    Download Submit

                                  • \??\c:\Users\Admin\AppData\Local\Temp\xxkseyt5\xxkseyt5.cmdline
                                    Filesize

                                    235B

                                    MD5

                                    e5b1f57ccb35a9045b3433973850d91b

                                    SHA1

                                    ca2d50322a2f6c7ee8838a07ff418359aac6428a

                                    SHA256

                                    41809704dcd11843c2c2ead008c2657a91aa5cdd258532ba3a081aa29e16c22f

                                    SHA512

                                    1b96efbde78e07c968b18ef301c4fd615b16cb9c333d2755a5f326f1dc7af7f636ee8b806eaecf79cf7fd56f509dd7875b67de7d80ecd31278f88cd425f98038

                                    Download Submit

                                  • \??\c:\Windows\Containers\serviced\CSC7C26155F2E3F4B56AB357B8CBD979FA1.TMP
                                    Filesize

                                    1KB

                                    MD5

                                    8646a5e75779514abe73c90f56e622a4

                                    SHA1

                                    b4abca3ec4e9385c61e0bb186a74011e3efa39c8

                                    SHA256

                                    c8f173154d19a0abcee4a35a9b2005f46903218c83ef5a0ff4aba3552ea08ac7

                                    SHA512

                                    f80363c2c564fed56d2da571bb120728ffe0ce4737ce38bedac7e31dd140e069be09e6e0562c08ab748aba7d824680f68f5db3d38d43afea7202c4f4cff02994

                                    Download Submit

                                  • \??\c:\Windows\System32\CSC3ABBE63FD7BE4EC487D87F744ABBD9BB.TMP
                                    Filesize

                                    1KB

                                    MD5

                                    7f5a99b73bc2f54b87adcbabdbd154b6

                                    SHA1

                                    4f36b714e88423822ad621b953316959e4daea04

                                    SHA256

                                    bbbf732eb476941c61919cbfe6ee039a5515ff472bc09874096f641e287cf0fc

                                    SHA512

                                    8c62f8fce3c3e6e1b635032ef108927582c54295ab0c6b69a9e09898aaea2a85d46406a8f943997f92a1c7ecdd5f8695cd091666b6fea30c0029f618d5c0feb5

                                    Download Submit

                                  • \??\c:\Windows\System32\WindowsPowerShell\v1.0\CSCB4870DC440574D67BD9DA1D29E564B36.TMP
                                    Filesize

                                    1KB

                                    MD5

                                    169bc6dc73ba66baacdb4d2a953f6ba6

                                    SHA1

                                    539f14f124f21548bff9e0c4af763cd54fa1527d

                                    SHA256

                                    bfc43c31534d80937c6af4f8db9a5e05c2982a7db57460cda32d95493f83d5e3

                                    SHA512

                                    12b3a50df4d7bd16325af7d1e8cf2d4ed29cb6426538550168806b8bb73755f93f1622e60157efb3873ecc70bb1d9dc2e6ad276e7eed4a794af46f50089c969d

                                    Download Submit

                                  • memory/1064-195-0x0000024BB9FC0000-0x0000024BB9FE2000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/2040-129-0x00000000075B0000-0x00000000075BE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/2040-84-0x00000000072B0000-0x0000000007316000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/2040-128-0x0000000007F60000-0x0000000008122000-memory.dmp

                                    Filesize

                                    1.8MB

                                    Download

                                  • memory/2040-119-0x0000000007460000-0x00000000074AC000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/2040-118-0x0000000007420000-0x000000000745C000-memory.dmp

                                    Filesize

                                    240KB

                                    Download

                                  • memory/2040-117-0x00000000073C0000-0x00000000073D2000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2040-116-0x0000000007940000-0x0000000007F58000-memory.dmp

                                    Filesize

                                    6.1MB

                                    Download

                                  • memory/2040-122-0x00000000075F0000-0x00000000076FA000-memory.dmp

                                    Filesize

                                    1.0MB

                                    Download

                                  • memory/2040-81-0x0000000006B50000-0x0000000006B5A000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/2040-136-0x00000000083C0000-0x0000000008410000-memory.dmp

                                    Filesize

                                    320KB

                                    Download

                                  • memory/2040-79-0x00000000059B0000-0x00000000059C8000-memory.dmp

                                    Filesize

                                    96KB

                                    Download

                                  • memory/2040-80-0x0000000006810000-0x0000000006820000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2096-138-0x0000000000400000-0x0000000000DF4000-memory.dmp

                                    Filesize

                                    10.0MB

                                    Download

                                  • memory/2096-56-0x0000000000400000-0x0000000000DF4000-memory.dmp

                                    Filesize

                                    10.0MB

                                    Download

                                  • memory/3136-132-0x00000000016E0000-0x00000000016F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/3136-133-0x0000000001700000-0x000000000170E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/3136-134-0x000000001C010000-0x000000001C01C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3136-130-0x000000001BFD0000-0x000000001BFEC000-memory.dmp

                                    Filesize

                                    112KB

                                    Download

                                  • memory/3136-131-0x000000001BFF0000-0x000000001C006000-memory.dmp

                                    Filesize

                                    88KB

                                    Download

                                  • memory/3136-120-0x0000000000D50000-0x0000000000EAA000-memory.dmp

                                    Filesize

                                    1.4MB

                                    Download

                                  • memory/3136-189-0x000000001C1A0000-0x000000001C289000-memory.dmp

                                    Filesize

                                    932KB

                                    Download

                                  • memory/4468-400-0x000000001B100000-0x000000001B1E9000-memory.dmp

                                    Filesize

                                    932KB

                                    Download

                                  • memory/4472-576-0x000000001BB50000-0x000000001BC39000-memory.dmp

                                    Filesize

                                    932KB

                                    Download

                                  • memory/4624-55-0x0000000000310000-0x000000000060E000-memory.dmp

                                    Filesize

                                    3.0MB

                                    Download

                                  • memory/4624-57-0x00000000729AE000-0x00000000729AF000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4624-62-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/4624-65-0x0000000005100000-0x000000000515C000-memory.dmp

                                    Filesize

                                    368KB

                                    Download

                                  • memory/4624-66-0x0000000005A00000-0x0000000005FA6000-memory.dmp

                                    Filesize

                                    5.6MB

                                    Download

                                  • memory/4624-67-0x0000000005450000-0x00000000054E2000-memory.dmp

                                    Filesize

                                    584KB

                                    Download

                                  • memory/4624-68-0x0000000005930000-0x0000000005942000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4688-74-0x0000000006610000-0x00000000066AC000-memory.dmp

                                    Filesize

                                    624KB

                                    Download

                                  • memory/4688-73-0x0000000005CB0000-0x0000000005CFE000-memory.dmp

                                    Filesize

                                    312KB

                                    Download

                                  • memory/4820-587-0x000000001EE80000-0x000000001F027000-memory.dmp

                                    Filesize

                                    1.7MB

                                    Download

                                  • memory/4820-547-0x000000001E200000-0x000000001E2A9000-memory.dmp

                                    Filesize

                                    676KB

                                    Download

                                  • memory/4820-548-0x000000001EE80000-0x000000001F027000-memory.dmp

                                    Filesize

                                    1.7MB

                                    Download

                                  • memory/5012-110-0x000000001C990000-0x000000001C99E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/5012-97-0x000000001BC20000-0x000000001BC38000-memory.dmp

                                    Filesize

                                    96KB

                                    Download

                                  • memory/5012-90-0x000000001BA00000-0x000000001BB04000-memory.dmp

                                    Filesize

                                    1.0MB

                                    Download

                                  • memory/5012-112-0x000000001C9A0000-0x000000001C9AC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/5012-92-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/5012-94-0x000000001BC00000-0x000000001BC1C000-memory.dmp

                                    Filesize

                                    112KB

                                    Download

                                  • memory/5012-95-0x000000001C930000-0x000000001C980000-memory.dmp

                                    Filesize

                                    320KB

                                    Download

                                  • memory/5012-89-0x0000000000D70000-0x0000000000D78000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/5012-281-0x000000001E0B0000-0x000000001E159000-memory.dmp

                                    Filesize

                                    676KB

                                    Download

                                  • memory/5012-99-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/5012-101-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/5012-104-0x000000001BC40000-0x000000001BC4E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/5012-108-0x000000001C980000-0x000000001C98C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/5012-106-0x000000001C920000-0x000000001C92C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/5648-369-0x0000000000D30000-0x0000000000D38000-memory.dmp

                                    Filesize

                                    32KB

                                    Download