dcrat | 221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
Size

9.0MB
MD5

35a0fbec2fc6d2a550a569719406d58d
SHA1

bc73001a0600313803d3594dc51d3d0813dbdec1
SHA256

221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
SHA512

2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f
SSDEEP

196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps

Score

10^/10

dcrat orcus gamehack discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\Windows\Defender\MpDefenderCoreProtion.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3904	schtasks.exe
		3828	schtasks.exe
		4248	schtasks.exe
		688	schtasks.exe
		5720	schtasks.exe
		5364	schtasks.exe
		560	schtasks.exe
		5636	schtasks.exe
		3444	schtasks.exe
		2512	schtasks.exe
		2424	schtasks.exe
		3536	schtasks.exe
		5232	schtasks.exe
		3180	schtasks.exe
		1744	schtasks.exe
		532	schtasks.exe
		4896	schtasks.exe
		5940	schtasks.exe
		1128	schtasks.exe
		1440	schtasks.exe
		2648	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\""		runtimesvc.exe
		4404	schtasks.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24		runtimesvc.exe
		1784	schtasks.exe
		4732	schtasks.exe
		4404	schtasks.exe
		1540	schtasks.exe
		1440	schtasks.exe
		2124	schtasks.exe
		5092	schtasks.exe
		3688	schtasks.exe
		5440	schtasks.exe
		4000	schtasks.exe
		2636	schtasks.exe
		5984	schtasks.exe
		3144	schtasks.exe
		3724	schtasks.exe
		3124	schtasks.exe
		1240	schtasks.exe
		2996	schtasks.exe
		2232	schtasks.exe
		5000	schtasks.exe
		1728	schtasks.exe
		3904	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\""		runtimesvc.exe
		4540	schtasks.exe
		5540	schtasks.exe
		6004	schtasks.exe
		3556	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Desktop\\cmd.exe\""		runtimesvc.exe
		4600	schtasks.exe
		800	schtasks.exe
		2084	schtasks.exe
		4380	schtasks.exe
		552	schtasks.exe
		4400	schtasks.exe
		4592	schtasks.exe
File created	C:\Program Files\dotnet\121e5b5079f7c0		runtimesvc.exe
		2428	schtasks.exe
		452	schtasks.exe
		3532	schtasks.exe
		2540	schtasks.exe
		1280	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 35 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\""	containerRuntime.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb1-15.dat	family_orcus

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3276	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3276	schtasks.exe	90

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb3-26.dat	dcrat
behavioral2/memory/2152-86-0x000000001B2F0000-0x000000001B3F4000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023cb6-135.dat	dcrat
behavioral2/memory/4948-137-0x0000000000790000-0x00000000008EA000-memory.dmp	dcrat

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb1-15.dat	orcus
behavioral2/memory/3184-29-0x0000000000E80000-0x000000000117E000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
5480	powershell.exe
1704	powershell.exe
2428	powershell.exe
2920	powershell.exe
4592	powershell.exe
3488	powershell.exe
228	powershell.exe
5616	powershell.exe
1372	powershell.exe
5824	powershell.exe
3848	powershell.exe
1140	powershell.exe
2364	powershell.exe
4868	powershell.exe
4644	powershell.exe
968	powershell.exe
4372	powershell.exe
6000	powershell.exe
5488	powershell.exe
5600	powershell.exe
1692	powershell.exe
2188	powershell.exe
3600	powershell.exe
4524	powershell.exe
1676	powershell.exe
5620	powershell.exe
1888	powershell.exe
2596	powershell.exe
5808	powershell.exe
1640	powershell.exe
2724	powershell.exe
2612	powershell.exe
2880	powershell.exe
6016	powershell.exe
5544	powershell.exe
5692	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	runtimesvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	containerRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	containerRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	GameHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MpDefenderProtector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 12 IoCs

pid	Process
3184	MpDefenderProtector.exe
3204	GameHack.exe
1872	Solara.exe
4808	MpDefenderCoreProtion.exe
2108	MpDefenderCoreProtion.exe
2152	runtimesvc.exe
4948	containerRuntime.exe
5356	cmd.exe
5852	containerRuntime.exe
5276	SearchApp.exe
6016	MpDefenderCoreProtion.exe
6080	MpDefenderCoreProtion.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Windows\\Tasks\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Desktop\\cmd.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Windows\\Tasks\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Desktop\\cmd.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\sysmon.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Recovery\\WindowsRE\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\lsass.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Recovery\\WindowsRE\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Program Files\\MSBuild\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Program Files\\MSBuild\\runtimesvc.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Windows\\Speech\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\lsass.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\""	containerRuntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 4924	4808	MpDefenderCoreProtion.exe	96

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\38384e6a620884	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	runtimesvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe	containerRuntime.exe
File created	C:\Program Files\Windows Defender\en-US\9e8d7a4ca61bd9	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685	containerRuntime.exe
File created	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Mail\conhost.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Mail\088424020bedd6	containerRuntime.exe
File created	C:\Program Files\MSBuild\97e9b57c6296f0	containerRuntime.exe
File created	C:\Program Files (x86)\Microsoft.NET\ee2ad38f3d4382	containerRuntime.exe
File created	C:\Program Files (x86)\Adobe\SppExtComObj.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\0a1fd5f707cd16	containerRuntime.exe
File created	C:\Program Files (x86)\Adobe\e1ef82546f0b02	containerRuntime.exe
File created	C:\Program Files\WindowsApps\fontdrvhost.exe	containerRuntime.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	containerRuntime.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\c82b8037eab33d	containerRuntime.exe
File created	C:\Program Files\Windows Defender\dllhost.exe	containerRuntime.exe
File created	C:\Program Files\dotnet\121e5b5079f7c0	runtimesvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe	containerRuntime.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RuntimeBroker.exe	containerRuntime.exe
File created	C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9	containerRuntime.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	containerRuntime.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe	containerRuntime.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe	containerRuntime.exe
File created	C:\Program Files\Windows Defender\5940a34987c991	containerRuntime.exe
File created	C:\Program Files\dotnet\sysmon.exe	runtimesvc.exe
File created	C:\Program Files\MSBuild\runtimesvc.exe	containerRuntime.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\ee2ad38f3d4382	containerRuntime.exe
File created	C:\Program Files (x86)\Microsoft.NET\Registry.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	containerRuntime.exe
File created	C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe	containerRuntime.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\22eafd247d37c3	containerRuntime.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\12549c30660286	containerRuntime.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\security\ApplicationId\PolicyManagement\0a1fd5f707cd16	containerRuntime.exe
File created	C:\Windows\Migration\WTR\winlogon.exe	containerRuntime.exe
File created	C:\Windows\Migration\WTR\cc11b995f2a76d	containerRuntime.exe
File created	C:\Windows\Speech\containerRuntime.exe	containerRuntime.exe
File created	C:\Windows\Speech\12549c30660286	containerRuntime.exe
File created	C:\Windows\Tasks\runtimesvc.exe	containerRuntime.exe
File created	C:\Windows\Tasks\97e9b57c6296f0	containerRuntime.exe
File created	C:\Windows\Migration\lsass.exe	containerRuntime.exe
File created	C:\Windows\Migration\6203df4a6bafc7	containerRuntime.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe	containerRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderProtector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	runtimesvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	containerRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	GameHack.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe
2124	schtasks.exe
2540	schtasks.exe
1108	schtasks.exe
5532	schtasks.exe
3176	schtasks.exe
4380	schtasks.exe
2228	schtasks.exe
3048	schtasks.exe
5092	schtasks.exe
5336	schtasks.exe
2040	schtasks.exe
1128	schtasks.exe
968	schtasks.exe
1664	schtasks.exe
2364	schtasks.exe
4400	schtasks.exe
4536	schtasks.exe
4540	schtasks.exe
3464	schtasks.exe
800	schtasks.exe
3144	schtasks.exe
1924	schtasks.exe
1240	schtasks.exe
1428	schtasks.exe
3536	schtasks.exe
2396	schtasks.exe
5208	schtasks.exe
5540	schtasks.exe
4268	schtasks.exe
4440	schtasks.exe
2084	schtasks.exe
3972	schtasks.exe
4404	schtasks.exe
4000	schtasks.exe
3688	schtasks.exe
2636	schtasks.exe
3824	schtasks.exe
4744	schtasks.exe
4732	schtasks.exe
5728	schtasks.exe
1744	schtasks.exe
4592	schtasks.exe
1728	schtasks.exe
3532	schtasks.exe
5756	schtasks.exe
5000	schtasks.exe
5232	schtasks.exe
560	schtasks.exe
5720	schtasks.exe
2232	schtasks.exe
3904	schtasks.exe
5064	schtasks.exe
5984	schtasks.exe
688	schtasks.exe
5176	schtasks.exe
1432	schtasks.exe
1440	schtasks.exe
2120	schtasks.exe
3904	schtasks.exe
2204	schtasks.exe
2780	schtasks.exe
5440	schtasks.exe
5744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	MpDefenderProtector.exe
4808	MpDefenderCoreProtion.exe
4808	MpDefenderCoreProtion.exe
4808	MpDefenderCoreProtion.exe
4808	MpDefenderCoreProtion.exe
4808	MpDefenderCoreProtion.exe
4808	MpDefenderCoreProtion.exe
4924	caspol.exe
4924	caspol.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe
2152	runtimesvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	MpDefenderProtector.exe
Token: SeDebugPrivilege	1872	Solara.exe
Token: SeDebugPrivilege	4808	MpDefenderCoreProtion.exe
Token: SeIncreaseQuotaPrivilege	1540	wmic.exe
Token: SeSecurityPrivilege	1540	wmic.exe
Token: SeTakeOwnershipPrivilege	1540	wmic.exe
Token: SeLoadDriverPrivilege	1540	wmic.exe
Token: SeSystemProfilePrivilege	1540	wmic.exe
Token: SeSystemtimePrivilege	1540	wmic.exe
Token: SeProfSingleProcessPrivilege	1540	wmic.exe
Token: SeIncBasePriorityPrivilege	1540	wmic.exe
Token: SeCreatePagefilePrivilege	1540	wmic.exe
Token: SeBackupPrivilege	1540	wmic.exe
Token: SeRestorePrivilege	1540	wmic.exe
Token: SeShutdownPrivilege	1540	wmic.exe
Token: SeDebugPrivilege	1540	wmic.exe
Token: SeSystemEnvironmentPrivilege	1540	wmic.exe
Token: SeRemoteShutdownPrivilege	1540	wmic.exe
Token: SeUndockPrivilege	1540	wmic.exe
Token: SeManageVolumePrivilege	1540	wmic.exe
Token: 33	1540	wmic.exe
Token: 34	1540	wmic.exe
Token: 35	1540	wmic.exe
Token: 36	1540	wmic.exe
Token: SeIncreaseQuotaPrivilege	1540	wmic.exe
Token: SeSecurityPrivilege	1540	wmic.exe
Token: SeTakeOwnershipPrivilege	1540	wmic.exe
Token: SeLoadDriverPrivilege	1540	wmic.exe
Token: SeSystemProfilePrivilege	1540	wmic.exe
Token: SeSystemtimePrivilege	1540	wmic.exe
Token: SeProfSingleProcessPrivilege	1540	wmic.exe
Token: SeIncBasePriorityPrivilege	1540	wmic.exe
Token: SeCreatePagefilePrivilege	1540	wmic.exe
Token: SeBackupPrivilege	1540	wmic.exe
Token: SeRestorePrivilege	1540	wmic.exe
Token: SeShutdownPrivilege	1540	wmic.exe
Token: SeDebugPrivilege	1540	wmic.exe
Token: SeSystemEnvironmentPrivilege	1540	wmic.exe
Token: SeRemoteShutdownPrivilege	1540	wmic.exe
Token: SeUndockPrivilege	1540	wmic.exe
Token: SeManageVolumePrivilege	1540	wmic.exe
Token: 33	1540	wmic.exe
Token: 34	1540	wmic.exe
Token: 35	1540	wmic.exe
Token: 36	1540	wmic.exe
Token: SeDebugPrivilege	4924	caspol.exe
Token: SeIncreaseQuotaPrivilege	3688	wmic.exe
Token: SeSecurityPrivilege	3688	wmic.exe
Token: SeTakeOwnershipPrivilege	3688	wmic.exe
Token: SeLoadDriverPrivilege	3688	wmic.exe
Token: SeSystemProfilePrivilege	3688	wmic.exe
Token: SeSystemtimePrivilege	3688	wmic.exe
Token: SeProfSingleProcessPrivilege	3688	wmic.exe
Token: SeIncBasePriorityPrivilege	3688	wmic.exe
Token: SeCreatePagefilePrivilege	3688	wmic.exe
Token: SeBackupPrivilege	3688	wmic.exe
Token: SeRestorePrivilege	3688	wmic.exe
Token: SeShutdownPrivilege	3688	wmic.exe
Token: SeDebugPrivilege	3688	wmic.exe
Token: SeSystemEnvironmentPrivilege	3688	wmic.exe
Token: SeRemoteShutdownPrivilege	3688	wmic.exe
Token: SeUndockPrivilege	3688	wmic.exe
Token: SeManageVolumePrivilege	3688	wmic.exe
Token: 33	3688	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3204	GameHack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1428	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	83
PID 536 wrote to memory of 1428	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	83
PID 536 wrote to memory of 1428	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	83
PID 536 wrote to memory of 3184	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	84
PID 536 wrote to memory of 3184	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	84
PID 536 wrote to memory of 3184	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	84
PID 536 wrote to memory of 3204	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	86
PID 536 wrote to memory of 3204	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	86
PID 536 wrote to memory of 3204	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	86
PID 536 wrote to memory of 1872	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	87
PID 536 wrote to memory of 1872	536	221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe	87
PID 3204 wrote to memory of 4200	3204	GameHack.exe	89
PID 3204 wrote to memory of 4200	3204	GameHack.exe	89
PID 3204 wrote to memory of 4200	3204	GameHack.exe	89
PID 3184 wrote to memory of 4808	3184	MpDefenderProtector.exe	91
PID 3184 wrote to memory of 4808	3184	MpDefenderProtector.exe	91
PID 3184 wrote to memory of 4808	3184	MpDefenderProtector.exe	91
PID 1872 wrote to memory of 1540	1872	Solara.exe	92
PID 1872 wrote to memory of 1540	1872	Solara.exe	92
PID 4808 wrote to memory of 3864	4808	MpDefenderCoreProtion.exe	94
PID 4808 wrote to memory of 3864	4808	MpDefenderCoreProtion.exe	94
PID 4808 wrote to memory of 3864	4808	MpDefenderCoreProtion.exe	94
PID 4808 wrote to memory of 2976	4808	MpDefenderCoreProtion.exe	95
PID 4808 wrote to memory of 2976	4808	MpDefenderCoreProtion.exe	95
PID 4808 wrote to memory of 2976	4808	MpDefenderCoreProtion.exe	95
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 4808 wrote to memory of 4924	4808	MpDefenderCoreProtion.exe	96
PID 1872 wrote to memory of 3688	1872	Solara.exe	133
PID 1872 wrote to memory of 3688	1872	Solara.exe	133
PID 1872 wrote to memory of 3988	1872	Solara.exe	98
PID 1872 wrote to memory of 3988	1872	Solara.exe	98
PID 1872 wrote to memory of 3752	1872	Solara.exe	99
PID 1872 wrote to memory of 3752	1872	Solara.exe	99
PID 1872 wrote to memory of 3756	1872	Solara.exe	100
PID 1872 wrote to memory of 3756	1872	Solara.exe	100
PID 1872 wrote to memory of 2680	1872	Solara.exe	101
PID 1872 wrote to memory of 2680	1872	Solara.exe	101
PID 1428 wrote to memory of 3664	1428	WScript.exe	102
PID 1428 wrote to memory of 3664	1428	WScript.exe	102
PID 1428 wrote to memory of 3664	1428	WScript.exe	102
PID 3664 wrote to memory of 2152	3664	cmd.exe	104
PID 3664 wrote to memory of 2152	3664	cmd.exe	104
PID 2152 wrote to memory of 1676	2152	runtimesvc.exe	197
PID 2152 wrote to memory of 1676	2152	runtimesvc.exe	197
PID 4200 wrote to memory of 2328	4200	WScript.exe	111
PID 4200 wrote to memory of 2328	4200	WScript.exe	111
PID 4200 wrote to memory of 2328	4200	WScript.exe	111
PID 1676 wrote to memory of 2116	1676	csc.exe	113
PID 1676 wrote to memory of 2116	1676	csc.exe	113
PID 2328 wrote to memory of 4948	2328	cmd.exe	117
PID 2328 wrote to memory of 4948	2328	cmd.exe	117
PID 2152 wrote to memory of 3600	2152	runtimesvc.exe	227
PID 2152 wrote to memory of 3600	2152	runtimesvc.exe	227
PID 2152 wrote to memory of 2188	2152	runtimesvc.exe	148
PID 2152 wrote to memory of 2188	2152	runtimesvc.exe	148
PID 2152 wrote to memory of 1888	2152	runtimesvc.exe	149
PID 2152 wrote to memory of 1888	2152	runtimesvc.exe	149
PID 2152 wrote to memory of 2428	2152	runtimesvc.exe	229

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
"C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
      4⤵
      DcRat
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD561.tmp" "c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP"
        6⤵
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o6GueKAs7f.bat"
        5⤵
        
        PID:3040
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:640
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1416
      - C:\Users\All Users\Desktop\cmd.exe
        
        "C:\Users\All Users\Desktop\cmd.exe"
        6⤵
        Executes dropped EXE
        
        PID:5356
- C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
    "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:3864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:2976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:4948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\runtimesvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\containerRuntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Registry.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\containerRuntime.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\runtimesvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hx5oYWlBQw.bat"
        6⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:5852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\winlogon.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\dllhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6000
        
        C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe"
        8⤵
        Executes dropped EXE
        
        PID:5276
- C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\Wbem\wmic.exe
    wmic diskdrive get model,serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_Keyboard get Description,DeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_PointingDevice get Description,PNPDeviceID
    3⤵
    PID:3988
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_PointingDevice get Description,PNPDeviceID
    3⤵
    PID:3752
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_DesktopMonitor get Description,PNPDeviceID
    3⤵
    PID:3756
- - C:\Windows\System32\Wbem\wmic.exe
    wmic get name
    3⤵
    PID:2680

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\containerRuntime.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Windows\Speech\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\runtimesvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Windows\Tasks\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /f
1⤵
- DcRat
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /rl HIGHEST /f
1⤵
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
1⤵
- DcRat
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /f
1⤵
- DcRat
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /rl HIGHEST /f
1⤵
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /f
1⤵
- DcRat
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /f
1⤵
- DcRat
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5976

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6016

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerRuntime.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log

Filesize
1KB

MD5
663b8d5469caa4489d463aa9bc18124f

SHA1
e57123a7d969115853ea631a3b33826335025d28

SHA256
7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

SHA512
45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e094d3dd06d66000f1ef728ee6d8e60e

SHA1
4aa04aa09fc2aee0a44317f7f2a9fdc9325dec63

SHA256
afa28f5bd38e21db0f71e21be34a6f7932e70ad80e2d3edc26fe1ffab231ce91

SHA512
9c7d86abb71d17b992ca5aa474e492e18172068462512c7f4fe542b5e3674577fb48069f217a7f4ec1f2fa6edad64350ec8ddaccfa8200651b4d909c377ef3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ca096cffc72897eef3fabe2d41e832f4

SHA1
7845e32bee77b6a04d46d094da98d67751cff3f9

SHA256
aa0f909402a6b01ac8ad21464f3a28a2afc0f36ba2fd256e5a2e77b81f3c4355

SHA512
d385bba22c839754f3165e05d0d94b118cacc72a125a424051c9a0c8008b2eaabbd0c361e7d5e2d0d48cbff32beef0dbcf51d77f01bd959d6e6ea6c444ac92c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hx5oYWlBQw.bat

Filesize
232B

MD5
7b26bbf03c63f067d47eba4f16071425

SHA1
fb98e4ec76494d44854b85aa4ff023d4ecba56be

SHA256
1bb7c9c9685e7d534bbc79693fa4af6a7d0d2b4119cab868b5a066def49d060c

SHA512
de7aa77c5355dc4d38c09f5df153a906cc7fcb8abb306bb6cdb2f584117eccce4b9664f50953c8f01cce8debd97a4efec77b6da7a47fbd002523214a76fbf43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD561.tmp

Filesize
1KB

MD5
66a7d8d8ea0f369b5985958262f31834

SHA1
61a6055e8d4fdb5eb66f54d268df096644c5564d

SHA256
19be7f97c68a69936a88e46ff104411936cb818aa096c22428641bebc7c97893

SHA512
286a8d753fa88b464bf4298169c0e70a1d382a283355483a7c594686c09621ec0e010b2a8db6d04546c7bcb09cc14c6dbd851cb0f46b8fe37b776c39fb661f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_445lgbnh.ukz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6GueKAs7f.bat

Filesize
210B

MD5
79ba77cbede825569662909d218c626b

SHA1
0478a7a2ef46aa2fb6ba316cf9db512e1edb0560

SHA256
e4cfc40f6bd61d158f4d53eb098791534a2168e14c88d963ddde31030a4a08cf

SHA512
f6d797ade836fc1f6f1a11fdf46c7a096ed9a338c2aa2db4877f834ed8404ddb821588ad2d566bc626259ad7909919c1ee323c1078ca2d86cce43a25c6072082

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat

Filesize
104B

MD5
fbef3b76368e503dca520965bb79565f

SHA1
9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

SHA256
bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

SHA512
2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe

Filesize
1.6MB

MD5
bc7804fca6dd09b4f16e86d80b8d28fa

SHA1
a04800b90db1f435dd1ac723c054b14d6dd16c8a

SHA256
1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce

SHA512
7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe

Filesize
3.0MB

MD5
10e817a4d5e216279a8de8ed71c91044

SHA1
97c6fb42791be24d12bd74819ef67fa8f3d21724

SHA256
c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

SHA512
34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe

Filesize
4.6MB

MD5
e8c32cc88db9fef57fd9e2bb6d20f70b

SHA1
e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

SHA256
f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

SHA512
077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe

Filesize
263B

MD5
a05e26d89c5be7e2c6408b09cd05cf74

SHA1
c24231c6301f499b35441615b63db6969a1762fd

SHA256
05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

SHA512
8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe

Filesize
556KB

MD5
00c4245522082b7f87721f9a26e96ba4

SHA1
993a8aa88436b6c62b74bb399c09b8d45d9fb85b

SHA256
a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

SHA512
fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat

Filesize
48B

MD5
2fa8decc3dafe6f196f6c28769192e7c

SHA1
69f4e0cf41b927634a38b77a8816ca58c0bfb2de

SHA256
7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30

SHA512
c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe

Filesize
1.3MB

MD5
52c95032ff8b8c3d4dfd98e51d8f6f58

SHA1
e841a32cb07adaad4db35b1f87b5df6e019eb9af

SHA256
39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4

SHA512
a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe

Filesize
227B

MD5
d47062c8738a534fc931c0f341a61773

SHA1
c1175037a0e96363da56bc9d8abdb726cddc74fc

SHA256
484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a

SHA512
9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.0.cs

Filesize
366B

MD5
a0251e479d557bba18a71d9e4e30bf65

SHA1
d3b177d8f8bcec460a50728dc0122264f54dd25c

SHA256
f5d0da5147f50c8b65509a7b86e2106fbfb4776803a3910096343b2869d3c6e9

SHA512
be1e3695f060dc1d4e8f7246b82b60b2b49c1ab1410b4875b0f0825fe0ce8b67e332182881b066896ea9cb188f5ef516cd8ee8882a45b5d34cb0a694ca247b87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.cmdline

Filesize
235B

MD5
80cff285d8b4b4ba15ccbd1d5232cc8a

SHA1
8286313407d45d2fcb94462495cd4eec79c69b42

SHA256
004f196aafee1e90d7ab3db3182d14a96bd2ad5962bf1d44b0a4bb22b235f025

SHA512
d93754b6cc85eab5c0c1df99fa027d3360e8be60b3e857c276a0cc006a7df63af013c17a76ee8980c86f1be06abac61f611573367fd11c8887481f6fdf3f866a

Download Submit
\??\c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP

Filesize
1KB

MD5
7bbfaf1199741b237d2493615c95c6d7

SHA1
86d466217c4dc1e0808f83ceda8f4b4df948b5dc

SHA256
e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

SHA512
2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

Download Submit
memory/1872-39-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1872-123-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2152-93-0x00000000029C0000-0x00000000029D8000-memory.dmp

Filesize
96KB

Download
memory/2152-103-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/2152-105-0x000000001B500000-0x000000001B50E000-memory.dmp

Filesize
56KB

Download
memory/2152-107-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/2152-101-0x00000000029F0000-0x00000000029FC000-memory.dmp

Filesize
48KB

Download
memory/2152-99-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/2152-97-0x0000000002990000-0x000000000299C000-memory.dmp

Filesize
48KB

Download
memory/2152-95-0x0000000002980000-0x000000000298E000-memory.dmp

Filesize
56KB

Download
memory/2152-91-0x000000001B8B0000-0x000000001B900000-memory.dmp

Filesize
320KB

Download
memory/2152-90-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/2152-88-0x0000000002970000-0x000000000297E000-memory.dmp

Filesize
56KB

Download
memory/2152-86-0x000000001B2F0000-0x000000001B3F4000-memory.dmp

Filesize
1.0MB

Download
memory/2152-85-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2188-167-0x00000241709F0000-0x0000024170A12000-memory.dmp

Filesize
136KB

Download
memory/3184-70-0x00000000725D0000-0x0000000072D80000-memory.dmp

Filesize
7.7MB

Download
memory/3184-28-0x00000000725DE000-0x00000000725DF000-memory.dmp

Filesize
4KB

Download
memory/3184-29-0x0000000000E80000-0x000000000117E000-memory.dmp

Filesize
3.0MB

Download
memory/3184-40-0x0000000005A20000-0x0000000005A2E000-memory.dmp

Filesize
56KB

Download
memory/3184-48-0x0000000005CE0000-0x0000000005D3C000-memory.dmp

Filesize
368KB

Download
memory/3184-47-0x00000000725D0000-0x0000000072D80000-memory.dmp

Filesize
7.7MB

Download
memory/3184-51-0x00000000063E0000-0x0000000006984000-memory.dmp

Filesize
5.6MB

Download
memory/3184-52-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/3184-54-0x0000000005CC0000-0x0000000005CD2000-memory.dmp

Filesize
72KB

Download
memory/4808-72-0x0000000005980000-0x00000000059CE000-memory.dmp

Filesize
312KB

Download
memory/4808-71-0x00000000053A0000-0x00000000053B2000-memory.dmp

Filesize
72KB

Download
memory/4808-73-0x00000000062E0000-0x000000000637C000-memory.dmp

Filesize
624KB

Download
memory/4924-78-0x0000000005D20000-0x0000000005D38000-memory.dmp

Filesize
96KB

Download
memory/4924-79-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4924-80-0x0000000005DF0000-0x0000000005DFA000-memory.dmp

Filesize
40KB

Download
memory/4948-140-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/4948-137-0x0000000000790000-0x00000000008EA000-memory.dmp

Filesize
1.4MB

Download
memory/4948-138-0x00000000010E0000-0x00000000010FC000-memory.dmp

Filesize
112KB

Download
memory/4948-139-0x000000001BA30000-0x000000001BA46000-memory.dmp

Filesize
88KB

Download
memory/4948-141-0x000000001BA50000-0x000000001BA5E000-memory.dmp

Filesize
56KB

Download
memory/4948-142-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download