Overview

overview

10

Static

static

3

GameHackBu...in.exe

windows7-x64

10

GameHackBu...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GameHackBuild1.exe.bin.exe

  • Size

    9.0MB

  • MD5

    35a0fbec2fc6d2a550a569719406d58d

  • SHA1

    bc73001a0600313803d3594dc51d3d0813dbdec1

  • SHA256

    221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d

  • SHA512

    2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f

  • SSDEEP

    196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps

Score
10/10
dcratorcusgamehackdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

C2

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\Windows\Defender\MpDefenderCoreProtion.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
          "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4312
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA86.tmp" "c:\Windows\System32\CSCD8D644E09FC241AA8996A8F16E59FB8.TMP"
              6⤵
                PID:1608
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:384
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\cmd.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:980
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4840
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\runtimesvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4152
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4052
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0tbFJWvqp.bat"
              5⤵
                PID:3452
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  6⤵
                    PID:5712
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    6⤵
                      PID:5932
                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:5432
            • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
              "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2824
              • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2168
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  4⤵
                    PID:3972
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4504
              • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
                2⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1836
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
                  3⤵
                  • Checks computer location settings
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4616
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3116
                    • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                      "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
                      5⤵
                      • Modifies WinLogon for persistence
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Suspicious use of WriteProcessMemory
                      PID:2180
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:3188
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:3600
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:896
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\cmd.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:3716
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\conhost.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:4496
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\fontdrvhost.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:748
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sppsvc.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:3540
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:2304
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1368
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:988
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:2596
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\cmd.exe'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1020
                      • C:\Recovery\WindowsRE\OfficeClickToRun.exe
                        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:4908
              • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:336
                • C:\Windows\System32\Wbem\wmic.exe
                  wmic diskdrive get model,serialnumber
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4224
                • C:\Windows\System32\Wbem\wmic.exe
                  wmic path Win32_Keyboard get Description,DeviceID
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2876
                • C:\Windows\System32\Wbem\wmic.exe
                  wmic path Win32_PointingDevice get Description,PNPDeviceID
                  3⤵
                    PID:1488
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic path Win32_PointingDevice get Description,PNPDeviceID
                    3⤵
                      PID:3100
                    • C:\Windows\System32\Wbem\wmic.exe
                      wmic path Win32_DesktopMonitor get Description,PNPDeviceID
                      3⤵
                        PID:824
                      • C:\Windows\System32\Wbem\wmic.exe
                        wmic get name
                        3⤵
                          PID:1484
                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      1⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3348
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2396
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4760
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4644
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5040
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:432
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4740
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4976
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:744
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2000
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:428
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4592
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4688
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\conhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1344
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\conhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4352
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\conhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2788
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4040
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5076
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3736
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3932
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4160
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5032
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1184
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3748
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5100
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3452
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2824
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1300
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2236
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\cmd.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3096
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4224
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:228
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1200
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:736
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1784
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1716
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2900
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1140
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MpDefenderCoreProtion" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3512
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4692
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4376
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3728
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1884
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4884
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3392
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1924
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:216
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3100
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2824
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2184
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2632
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2168
                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      1⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:520
                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                      1⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1344

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Command and Scripting Interpreter

                    1
                    T1059

                    PowerShell

                    1
                    T1059.001

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Persistence

                    Boot or Logon Autostart Execution

                    2
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Winlogon Helper DLL

                    1
                    T1547.004

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    2
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Winlogon Helper DLL

                    1
                    T1547.004

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Defense Evasion

                    Modify Registry

                    2
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    2
                    T1082

                    System Location Discovery

                    1
                    T1614

                    System Language Discovery

                    1
                    T1614.001

                    Lateral Movement

                    Collection

                    Command and Control

                    Exfiltration

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\runtimesvc.exe.log
                      Filesize

                      1KB

                      MD5

                      23e95ec462ffa2c6ca8cab1cb8724ab1

                      SHA1

                      ee3f5e815831cf925c4f00195cc8f336b6112862

                      SHA256

                      c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c

                      SHA512

                      b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log
                      Filesize

                      1KB

                      MD5

                      663b8d5469caa4489d463aa9bc18124f

                      SHA1

                      e57123a7d969115853ea631a3b33826335025d28

                      SHA256

                      7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

                      SHA512

                      45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      cadef9abd087803c630df65264a6c81c

                      SHA1

                      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                      SHA256

                      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                      SHA512

                      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      77d622bb1a5b250869a3238b9bc1402b

                      SHA1

                      d47f4003c2554b9dfc4c16f22460b331886b191b

                      SHA256

                      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                      SHA512

                      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      6d42b6da621e8df5674e26b799c8e2aa

                      SHA1

                      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                      SHA256

                      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                      SHA512

                      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      2979eabc783eaca50de7be23dd4eafcf

                      SHA1

                      d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                      SHA256

                      006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                      SHA512

                      92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      232B

                      MD5

                      27f4165033acb4d91c709ff2f52c8564

                      SHA1

                      0aaad2ad23295b51b306b5bd7533355f278d0850

                      SHA256

                      3ad4137f5d9fa2369347f14acd4ba3736089440683edb0e72b7e5b1488f9ccee

                      SHA512

                      40324c119124f637d99cf9f4f0331c0e4c98597fefd1b0dd9db5416b177c72a7ab77a7d6655e5cca63151ac25b2f950a6cebf5e21736800c9726d672da0c7853

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\RESBA86.tmp
                      Filesize

                      1KB

                      MD5

                      0748262b111d6be414544e5921787b88

                      SHA1

                      0375a8dc4a74f253ce1d33848e9fbccd82bf5cd7

                      SHA256

                      2425b92cd8c236a407010ace4b8fe70385722bef76e2b52e3c378ea063dd7eab

                      SHA512

                      353795e45f1fad6df297a1f60540eccef1aa5bcbef8051a3da82834d4bb6d2664c567eff3cd8c026671f901521459dd8be7cc22366a67117f2479617e6421098

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtwzinkm.ywp.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\k0tbFJWvqp.bat
                      Filesize

                      243B

                      MD5

                      872623011b29ff61b30e5774abfa7c3f

                      SHA1

                      df0177c676805c85604948980043a312ad56c9d9

                      SHA256

                      5b822cf6541581900e49449634e8b6dd615bbdd3603a111a97eb93638b3928a0

                      SHA512

                      b290a30926c2619fead5cb0b27c5141625da2482823e7a5a09d77704766e88285e0935a977a3b9acd21b388acccf34ce3695924af30ad1cd34138d8e530d9e13

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
                      Filesize

                      104B

                      MD5

                      fbef3b76368e503dca520965bb79565f

                      SHA1

                      9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

                      SHA256

                      bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

                      SHA512

                      2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                      Filesize

                      1.6MB

                      MD5

                      bc7804fca6dd09b4f16e86d80b8d28fa

                      SHA1

                      a04800b90db1f435dd1ac723c054b14d6dd16c8a

                      SHA256

                      1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce

                      SHA512

                      7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                      Filesize

                      3.0MB

                      MD5

                      10e817a4d5e216279a8de8ed71c91044

                      SHA1

                      97c6fb42791be24d12bd74819ef67fa8f3d21724

                      SHA256

                      c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

                      SHA512

                      34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                      Filesize

                      4.6MB

                      MD5

                      e8c32cc88db9fef57fd9e2bb6d20f70b

                      SHA1

                      e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

                      SHA256

                      f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

                      SHA512

                      077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
                      Filesize

                      263B

                      MD5

                      a05e26d89c5be7e2c6408b09cd05cf74

                      SHA1

                      c24231c6301f499b35441615b63db6969a1762fd

                      SHA256

                      05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

                      SHA512

                      8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                      Filesize

                      556KB

                      MD5

                      00c4245522082b7f87721f9a26e96ba4

                      SHA1

                      993a8aa88436b6c62b74bb399c09b8d45d9fb85b

                      SHA256

                      a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

                      SHA512

                      fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
                      Filesize

                      357B

                      MD5

                      a2b76cea3a59fa9af5ea21ff68139c98

                      SHA1

                      35d76475e6a54c168f536e30206578babff58274

                      SHA256

                      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

                      SHA512

                      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
                      Filesize

                      48B

                      MD5

                      2fa8decc3dafe6f196f6c28769192e7c

                      SHA1

                      69f4e0cf41b927634a38b77a8816ca58c0bfb2de

                      SHA256

                      7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30

                      SHA512

                      c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                      Filesize

                      1.3MB

                      MD5

                      52c95032ff8b8c3d4dfd98e51d8f6f58

                      SHA1

                      e841a32cb07adaad4db35b1f87b5df6e019eb9af

                      SHA256

                      39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4

                      SHA512

                      a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
                      Filesize

                      227B

                      MD5

                      d47062c8738a534fc931c0f341a61773

                      SHA1

                      c1175037a0e96363da56bc9d8abdb726cddc74fc

                      SHA256

                      484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a

                      SHA512

                      9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.0.cs
                      Filesize

                      367B

                      MD5

                      42da9bd77f4212d41a0c0829aa24dbef

                      SHA1

                      2243674d35b802737c52ce7763fc0c3a993d08b1

                      SHA256

                      6f59a64a07b34e6e41fb96093d59a2cb5fe768f292ae184fad01ee6b3f4535b1

                      SHA512

                      234ef962a3a1f6c722631ac26119f890457cb809109ae8349217075eb23d3dcb71dd5670dae6fcdde5230a6343a30cdbbd811ad9ecf7747abf844d94040d5a72

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.cmdline
                      Filesize

                      235B

                      MD5

                      1a2ee3a3487267d6810a536332371ddc

                      SHA1

                      0d07c211fa946644073202e25edf27cfe6607258

                      SHA256

                      08798cfa1b05f38668bf19f39678f281c432590b1c5a614919905324899a2010

                      SHA512

                      8d117a5936a3c9fcc128e94de0c4a1e5483f5a9b6436f818ff51c38f96db3e1f27a905322a0402087823413377561f7cbf25205c169699e303358bedffbd6036

                      Download Submit

                    • \??\c:\Windows\System32\CSCD8D644E09FC241AA8996A8F16E59FB8.TMP
                      Filesize

                      1KB

                      MD5

                      d544bac668d308d2aba58ded2c13d82d

                      SHA1

                      e5dd50ef24d5c16629092f9290661a92387773b3

                      SHA256

                      84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

                      SHA512

                      0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

                      Download Submit

                    • memory/336-46-0x0000000000400000-0x0000000000DF4000-memory.dmp

                      Filesize

                      10.0MB

                      Download

                    • memory/336-135-0x0000000000400000-0x0000000000DF4000-memory.dmp

                      Filesize

                      10.0MB

                      Download

                    • memory/988-183-0x000002E477BF0000-0x000002E477C12000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2168-71-0x00000000061F0000-0x000000000628C000-memory.dmp

                      Filesize

                      624KB

                      Download

                    • memory/2168-70-0x0000000005890000-0x00000000058DE000-memory.dmp

                      Filesize

                      312KB

                      Download

                    • memory/2168-69-0x00000000053D0000-0x00000000053E2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2180-126-0x0000000002680000-0x000000000268C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2180-121-0x00000000003C0000-0x000000000051A000-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/2180-125-0x0000000002670000-0x000000000267E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2180-124-0x0000000002660000-0x0000000002670000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-123-0x0000000002640000-0x0000000002656000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2180-122-0x0000000002620000-0x000000000263C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2824-53-0x0000000005F90000-0x0000000005FA2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2824-51-0x0000000005AA0000-0x0000000005B32000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/2824-28-0x00000000728FE000-0x00000000728FF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2824-36-0x0000000000AA0000-0x0000000000D9E000-memory.dmp

                      Filesize

                      3.0MB

                      Download

                    • memory/2824-45-0x00000000056B0000-0x00000000056BE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2824-48-0x0000000005960000-0x00000000059BC000-memory.dmp

                      Filesize

                      368KB

                      Download

                    • memory/2824-50-0x0000000006050000-0x00000000065F4000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/4312-84-0x000000001B850000-0x000000001B954000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/4312-99-0x0000000002DA0000-0x0000000002DAC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4312-88-0x0000000002D60000-0x0000000002D7C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/4312-86-0x0000000002D10000-0x0000000002D1E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/4312-93-0x0000000002D20000-0x0000000002D2E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/4312-83-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4312-95-0x0000000002D30000-0x0000000002D3C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4312-105-0x000000001BA50000-0x000000001BA5C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4312-103-0x000000001B830000-0x000000001B83E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/4312-97-0x0000000002D40000-0x0000000002D4E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/4312-89-0x000000001B7E0000-0x000000001B830000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/4312-91-0x0000000002D80000-0x0000000002D98000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/4312-101-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4504-76-0x00000000058D0000-0x00000000058E8000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/4504-77-0x0000000005960000-0x0000000005970000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4504-78-0x0000000006590000-0x000000000659A000-memory.dmp

                      Filesize

                      40KB

                      Download