Analysis Overview
SHA256: 221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
Threat Level: Known bad
The file 221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
Process spawned unexpected child process
Orcus family
Orcus
Orcus main payload
Modifies WinLogon for persistence
Orcurs Rat Executable
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-14 02:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-01-14 02:13
Reported: 2025-01-14 02:16
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 150s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\System.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Common Files\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\", \"C:\\Users\\Default\\Cookies\\lsass.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| N/A | N/A | C:\Users\Default\Cookies\lsass.exe | N/A |
| N/A | N/A | C:\Users\Default User\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Cookies\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Cookies\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Common Files\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Common Files\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\System.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\Windows\System32\CSC842B41524054433789E9C773241214.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\3kmwe8.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2996 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\audiodg.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Common Files\42af1c969fbb7b | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
"C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {A9CEB069-CE3B-4756-A35E-CC9C890DB11B} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qve4w4xb\qve4w4xb.cmdline"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\runtimesvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\lsass.exe'
C:\Users\Default\Cookies\lsass.exe
"C:\Users\Default\Cookies\lsass.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC311.tmp" "c:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\CSC682ACEE1636E45D1B935829061461FE.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cibxvhjt\cibxvhjt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC477.tmp" "c:\Windows\System32\CSC842B41524054433789E9C773241214.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qowOLEDHcw.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Default User\WmiPrvSE.exe
"C:\Users\Default User\WmiPrvSE.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25350.client.sudorat.top | udp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| N/A | 127.0.0.1:1111 | | tcp |
| US | 8.8.8.8:53 | 25350.client.sudorat.ru | udp |
| US | 8.8.8.8:53 | 729231cm.n9shteam1.top | udp |
| FR | 37.44.238.250:80 | 729231cm.n9shteam1.top | tcp |
| US | 8.8.8.8:53 | 117813cm.n9shteam.in | udp |
| FR | 37.44.238.250:80 | 117813cm.n9shteam.in | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
| RU | 31.44.184.52:25350 | | tcp |
| RU | 185.37.62.158:25350 | 25350.client.sudorat.top | tcp |
Files
\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
| MD5 | 10e817a4d5e216279a8de8ed71c91044 |
| SHA1 | 97c6fb42791be24d12bd74819ef67fa8f3d21724 |
| SHA256 | c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2 |
| SHA512 | 34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
| MD5 | a05e26d89c5be7e2c6408b09cd05cf74 |
| SHA1 | c24231c6301f499b35441615b63db6969a1762fd |
| SHA256 | 05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e |
| SHA512 | 8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d |
\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
| MD5 | bc7804fca6dd09b4f16e86d80b8d28fa |
| SHA1 | a04800b90db1f435dd1ac723c054b14d6dd16c8a |
| SHA256 | 1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce |
| SHA512 | 7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c |
\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
| MD5 | e8c32cc88db9fef57fd9e2bb6d20f70b |
| SHA1 | e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45 |
| SHA256 | f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4 |
| SHA512 | 077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a |
memory/2496-47-0x0000000004790000-0x0000000005184000-memory.dmp
memory/2908-48-0x0000000000400000-0x0000000000DF4000-memory.dmp
memory/2480-57-0x0000000000900000-0x0000000000BFE000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
| MD5 | d47062c8738a534fc931c0f341a61773 |
| SHA1 | c1175037a0e96363da56bc9d8abdb726cddc74fc |
| SHA256 | 484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a |
| SHA512 | 9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39 |
memory/2480-60-0x0000000000270000-0x000000000027E000-memory.dmp
memory/2480-61-0x0000000000880000-0x00000000008DC000-memory.dmp
memory/2908-62-0x0000000000400000-0x0000000000DF4000-memory.dmp
memory/2480-63-0x00000000005B0000-0x00000000005C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2996-74-0x00000000013B0000-0x00000000016AE000-memory.dmp
memory/2996-75-0x00000000006F0000-0x0000000000702000-memory.dmp
memory/2996-76-0x0000000000CC0000-0x0000000000D0E000-memory.dmp
memory/1900-77-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-83-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-81-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1900-88-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-87-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-86-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-80-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1900-90-0x00000000007A0000-0x00000000007B8000-memory.dmp
memory/1900-91-0x0000000000900000-0x0000000000910000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
| MD5 | fbef3b76368e503dca520965bb79565f |
| SHA1 | 9a1a27526b8b9bdaae81c5301cd23eb613ea62ba |
| SHA256 | bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3 |
| SHA512 | 2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5 |
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
| MD5 | 00c4245522082b7f87721f9a26e96ba4 |
| SHA1 | 993a8aa88436b6c62b74bb399c09b8d45d9fb85b |
| SHA256 | a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf |
| SHA512 | fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f |
memory/1644-97-0x00000000012B0000-0x00000000012B8000-memory.dmp
memory/1644-98-0x000000001AEA0000-0x000000001AFA4000-memory.dmp
memory/1644-100-0x0000000000340000-0x000000000034E000-memory.dmp
memory/1644-102-0x0000000000420000-0x000000000043C000-memory.dmp
memory/1644-104-0x0000000000440000-0x0000000000458000-memory.dmp
memory/1644-106-0x0000000000370000-0x000000000037E000-memory.dmp
memory/1644-108-0x0000000000410000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
| MD5 | 2fa8decc3dafe6f196f6c28769192e7c |
| SHA1 | 69f4e0cf41b927634a38b77a8816ca58c0bfb2de |
| SHA256 | 7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30 |
| SHA512 | c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1 |
memory/1644-111-0x0000000000460000-0x000000000046E000-memory.dmp
memory/1644-115-0x0000000000480000-0x000000000048C000-memory.dmp
memory/1644-113-0x0000000000470000-0x000000000047C000-memory.dmp
memory/1644-117-0x0000000000490000-0x000000000049E000-memory.dmp
memory/1644-119-0x00000000004A0000-0x00000000004AC000-memory.dmp
\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
| MD5 | 52c95032ff8b8c3d4dfd98e51d8f6f58 |
| SHA1 | e841a32cb07adaad4db35b1f87b5df6e019eb9af |
| SHA256 | 39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4 |
| SHA512 | a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00 |
memory/1208-124-0x0000000000290000-0x00000000003EA000-memory.dmp
memory/1208-138-0x0000000000280000-0x0000000000290000-memory.dmp
memory/1208-137-0x0000000000260000-0x0000000000276000-memory.dmp
memory/1208-136-0x0000000000240000-0x000000000025C000-memory.dmp
memory/1208-140-0x0000000000610000-0x000000000061C000-memory.dmp
memory/1208-139-0x0000000000600000-0x000000000060E000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qve4w4xb\qve4w4xb.cmdline
| MD5 | 47af0ffc52a6e7b8c13167ff8e451d10 |
| SHA1 | dbea4aa6846797d0a37414255581e2869b8c60ae |
| SHA256 | b2797bada38f8f24720e7dcca4a413a9f2e31c2d3aed89e0c9c79304f8a90eaf |
| SHA512 | b4593248d6b91477765d2ebd6f2caa3ff2bed7c20a8f83caf741d103df1c08a1b9a3217432fe4c63e2687774ab6b139333a3f03617397c7f6f208fd5bae2f49c |
\??\c:\Users\Admin\AppData\Local\Temp\qve4w4xb\qve4w4xb.0.cs
| MD5 | 4e822b550486d4d709d1df2796309950 |
| SHA1 | 76a5b84e932c38389389c5105b57fee148240073 |
| SHA256 | e8c90fddfdba981a92b5b8c28d70fda356a8f28f83c224e3b37492aeff3bbf61 |
| SHA512 | 5c8407ac540582aa7d1b98262860d5de85da60d4bf2402e0a9b01e214ef027bf637cd53a83910bf2a660d38c3e998791f3954ec6071781600ec18a2fdd67a305 |
C:\Users\Admin\AppData\Local\Temp\RESC311.tmp
| MD5 | 837aa56e06bd0a85791dddb333ea77b5 |
| SHA1 | dd950a9f0c3aff977720d9e1770a2b4f2c84c5e9 |
| SHA256 | 4a6d5b0745a5faaa20edf412ddeee035979f3a357b7dc2c52d2d80610029b927 |
| SHA512 | c27d9de8e13c0a52ca50d48ee1e7ecea4ea3131be200d02da4b03f089a9a9236ff817df775835f3e8d7e1f96e0d7f53beb5f2c3883ac41e066218f09655e37c6 |
\??\c:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\CSC682ACEE1636E45D1B935829061461FE.TMP
| MD5 | 70ebd87a449c83d0645ba22e10ab83e5 |
| SHA1 | 5980251d5a46d81e6f48fe53ee04e87a28219015 |
| SHA256 | b4713f585dbd4185833afeb466a2fbaa5c9d17071f9de2a1f0dfeec01b346c01 |
| SHA512 | b44a0154a6c4b1f2af61046a0357b8018a5095262f0ec54e701f4bd46adcaad3e88bafe23567e49b845bd83578d0291bcff6a43351d6027ea02c9e1ead96ca66 |
memory/2412-171-0x0000000000BC0000-0x0000000000D1A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0RODQNOH5AO4BDMKK9D8.temp
| MD5 | eb6019cb60f3b62525f81b8fcfbeeb77 |
| SHA1 | c5062bed5f7d1534696d3784629b7d1043768ea1 |
| SHA256 | 2995cf7aeb9cfaa7c9f94fca5d11cb64a943cda9bdf4e894b2affedbb0faf66a |
| SHA512 | dcbb2553170d4899f621c2cc33389fafe4a375f2bc328e8fbdfa32c9e107302cbe6e6dd6afe407e52082e6dd5be2c962d586bdd9c9e3add6726879f69def4782 |
memory/2196-182-0x000000001B840000-0x000000001BB22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESC477.tmp
| MD5 | 388cdc9e362ec83d1e31af87147f6175 |
| SHA1 | aeca3be28f64a148e5df4e3e5b45b74e0214a04a |
| SHA256 | ab2d35fe2839482d16c03106df7439d1b1141cc3ef79548e25393b0607e3c434 |
| SHA512 | 4e1b4147f1941dd921e972860422e820eb2a797183d91d7ae74941a89d48b8736c8a10153d06577cc5439666e205c1f013f2567a0fb2a1da487a6b05a6326212 |
\??\c:\Windows\System32\CSC842B41524054433789E9C773241214.TMP
| MD5 | 8c85ef91c6071d33745325a8fa351c3e |
| SHA1 | e3311ceef28823eec99699cc35be27c94eca52d2 |
| SHA256 | 8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41 |
| SHA512 | 2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d |
\??\c:\Users\Admin\AppData\Local\Temp\cibxvhjt\cibxvhjt.cmdline
| MD5 | 41ed59b666be285ae98cfe4e515e09cf |
| SHA1 | 1ed94e467e9c1aacb167a4b657f34f8a5c360111 |
| SHA256 | ad2280a8e955377aca47671b135a6fed67309efa20cb5988466c28c1f7f05d49 |
| SHA512 | 8eb395dacbda69ae3d672264950ff04486fdbbdea8448b498acd843e472f1fcbda353ae2da689713b2c4baf79b5acfa44c83bd037f586b03537c59d90fb8747e |
\??\c:\Users\Admin\AppData\Local\Temp\cibxvhjt\cibxvhjt.0.cs
| MD5 | 3893688590f0dd7daeda3267c927911e |
| SHA1 | bb26a9b11885f6aa3cf3d047cd5da7b7a8e812d6 |
| SHA256 | 4774d765e6d810568b2370efb980a1fe4d4907373e8eb7bf89d3ed07604fd97c |
| SHA512 | 59e20a44522754052b456f75ecaa74a83110a402c10b4953751909a653f6f4be577612f0624ea13bcf94f18b7f1bab0be1f99dd13b984cabf5f7e001be53414e |
memory/2196-192-0x0000000001D00000-0x0000000001D08000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2856-223-0x000000001B570000-0x000000001B852000-memory.dmp
memory/1904-234-0x0000000002230000-0x0000000002238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qowOLEDHcw.bat
| MD5 | 9426f0c15f72620a0e79092a4cc73ecc |
| SHA1 | e534eda25af53544f4766d3daa7ac38f30c861e0 |
| SHA256 | 961dc8f909403843f605829b1c1e4b22f6f66f58a003863e9e533386a20f67de |
| SHA512 | 114195c8ac941a8d2329b9793bca41acbe5b9737a4d8e0a8cca55461ca6eb2edd758e9882c5841ec07ff8edb9defcd2fb772ea42b17b987277cde86e2d997d83 |
memory/2668-247-0x0000000000AB0000-0x0000000000AB8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-14 02:13
Reported
2025-01-14 02:16
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\", \"C:\\Windows\\Migration\\WTR\\winlogon.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\", \"C:\\Program Files\\Windows Defender\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\", \"C:\\Windows\\Speech\\containerRuntime.exe\", \"C:\\Windows\\Tasks\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\Migration\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Users\\All Users\\Desktop\\cmd.exe\", \"C:\\Users\\Public\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\MSBuild\\runtimesvc.exe\", \"C:\\Recovery\\WindowsRE\\containerRuntime.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Windows\\Tasks\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Desktop\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Windows\\Tasks\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Desktop\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\sysmon.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Mail\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Recovery\\WindowsRE\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Recovery\\WindowsRE\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Program Files\\MSBuild\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\WaaSMedicAgent.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Program Files\\MSBuild\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Microsoft.NET\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Windows\\Speech\\containerRuntime.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Migration\\WTR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\"" | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\kpkopw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4808 set thread context of 4924 | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\de-DE\38384e6a620884 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Defender\en-US\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\conhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\088424020bedd6 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\MSBuild\97e9b57c6296f0 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\ee2ad38f3d4382 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\SppExtComObj.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\0a1fd5f707cd16 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\e1ef82546f0b02 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\WindowsApps\fontdrvhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Uninstall Information\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\c82b8037eab33d | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Defender\dllhost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\dotnet\121e5b5079f7c0 | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Uninstall Information\cmd.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Defender\5940a34987c991 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\dotnet\sysmon.exe | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| File created | C:\Program Files\MSBuild\runtimesvc.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\ee2ad38f3d4382 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Registry.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\22eafd247d37c3 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\12549c30660286 | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe
"C:\Users\Admin\AppData\Local\Temp\221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic diskdrive get model,serialnumber
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_Keyboard get Description,DeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_PointingDevice get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_PointingDevice get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic path Win32_DesktopMonitor get Description,PNPDeviceID
C:\Windows\System32\Wbem\wmic.exe
wmic get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
"C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.cmdline"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD561.tmp" "c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\cmd.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Registry.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o6GueKAs7f.bat"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\containerRuntime.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Windows\Speech\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\runtimesvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Windows\Tasks\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\runtimesvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\runtimesvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\runtimesvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hx5oYWlBQw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Desktop\cmd.exe
"C:\Users\All Users\Desktop\cmd.exe"
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\containerRuntime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\SearchApp.exe"
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
Network
Files
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
\??\c:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\wbdhqn2r\wbdhqn2r.0.cs
| MD5 | a0251e479d557bba18a71d9e4e30bf65 |
| SHA1 | d3b177d8f8bcec460a50728dc0122264f54dd25c |
| SHA256 | f5d0da5147f50c8b65509a7b86e2106fbfb4776803a3910096343b2869d3c6e9 |
| SHA512 | be1e3695f060dc1d4e8f7246b82b60b2b49c1ab1410b4875b0f0825fe0ce8b67e332182881b066896ea9cb188f5ef516cd8ee8882a45b5d34cb0a694ca247b87 |
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat
| MD5 | 2fa8decc3dafe6f196f6c28769192e7c |
| SHA1 | 69f4e0cf41b927634a38b77a8816ca58c0bfb2de |
| SHA256 | 7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30 |
| SHA512 | c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1 |
\??\c:\Windows\System32\CSC572C02F5E5594BD5BDBF6DA8838BDB8.TMP
| MD5 | 7bbfaf1199741b237d2493615c95c6d7 |
| SHA1 | 86d466217c4dc1e0808f83ceda8f4b4df948b5dc |
| SHA256 | e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476 |
| SHA512 | 2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c |
C:\Users\Admin\AppData\Local\Temp\RESD561.tmp
| MD5 | 66a7d8d8ea0f369b5985958262f31834 |
| SHA1 | 61a6055e8d4fdb5eb66f54d268df096644c5564d |
| SHA256 | 19be7f97c68a69936a88e46ff104411936cb818aa096c22428641bebc7c97893 |
| SHA512 | 286a8d753fa88b464bf4298169c0e70a1d382a283355483a7c594686c09621ec0e010b2a8db6d04546c7bcb09cc14c6dbd851cb0f46b8fe37b776c39fb661f3c |
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
| MD5 | 52c95032ff8b8c3d4dfd98e51d8f6f58 |
| SHA1 | e841a32cb07adaad4db35b1f87b5df6e019eb9af |
| SHA256 | 39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4 |
| SHA512 | a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_445lgbnh.ukz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\o6GueKAs7f.bat
| MD5 | 79ba77cbede825569662909d218c626b |
| SHA1 | 0478a7a2ef46aa2fb6ba316cf9db512e1edb0560 |
| SHA256 | e4cfc40f6bd61d158f4d53eb098791534a2168e14c88d963ddde31030a4a08cf |
| SHA512 | f6d797ade836fc1f6f1a11fdf46c7a096ed9a338c2aa2db4877f834ed8404ddb821588ad2d566bc626259ad7909919c1ee323c1078ca2d86cce43a25c6072082 |
C:\Users\Admin\AppData\Local\Temp\Hx5oYWlBQw.bat
| MD5 | 7b26bbf03c63f067d47eba4f16071425 |
| SHA1 | fb98e4ec76494d44854b85aa4ff023d4ecba56be |
| SHA256 | 1bb7c9c9685e7d534bbc79693fa4af6a7d0d2b4119cab868b5a066def49d060c |
| SHA512 | de7aa77c5355dc4d38c09f5df153a906cc7fcb8abb306bb6cdb2f584117eccce4b9664f50953c8f01cce8debd97a4efec77b6da7a47fbd002523214a76fbf43f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e094d3dd06d66000f1ef728ee6d8e60e |
| SHA1 | 4aa04aa09fc2aee0a44317f7f2a9fdc9325dec63 |
| SHA256 | afa28f5bd38e21db0f71e21be34a6f7932e70ad80e2d3edc26fe1ffab231ce91 |
| SHA512 | 9c7d86abb71d17b992ca5aa474e492e18172068462512c7f4fe542b5e3674577fb48069f217a7f4ec1f2fa6edad64350ec8ddaccfa8200651b4d909c377ef3bb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerRuntime.exe.log
| MD5 | 7800fca2323a4130444c572374a030f4 |
| SHA1 | 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa |
| SHA256 | 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e |
| SHA512 | c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ca096cffc72897eef3fabe2d41e832f4 |
| SHA1 | 7845e32bee77b6a04d46d094da98d67751cff3f9 |
| SHA256 | aa0f909402a6b01ac8ad21464f3a28a2afc0f36ba2fd256e5a2e77b81f3c4355 |
| SHA512 | d385bba22c839754f3165e05d0d94b118cacc72a125a424051c9a0c8008b2eaabbd0c361e7d5e2d0d48cbff32beef0dbcf51d77f01bd959d6e6ea6c444ac92c2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 08526e4d8fed0a382c243c9aa8b1fe45 |
| SHA1 | f3da4b97529aaa38230db8bfa34a345bbc211622 |
| SHA256 | b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f |
| SHA512 | cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 057e7742b25e65a341d1341da25b54a8 |
| SHA1 | 65c874ac4f429a4172bdf89a73922e39873ecab6 |
| SHA256 | f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468 |
| SHA512 | 94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b22bcc023ccf6782c755f5b743aa3a52 |
| SHA1 | 141150057021a07fa6aa03f46c9f2fd5719b3eeb |
| SHA256 | a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4 |
| SHA512 | 05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cfecb4e0f846589c2742fd84d6bbd1db |
| SHA1 | 730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec |
| SHA256 | 12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa |
| SHA512 | 669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475 |