dcrat | e955d22f7b9ab797366ccbdfb14eba049d69965446b263d31a5834157055ea70

Analysis

max time kernel
15s
max time network
25s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-11-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GameHackBuild(1).exe
Size

9.0MB
MD5

8e11d095b7c613ca3ef9c31f4221d45e
SHA1

f0a59086724a33139528f40a8fcae4cfb9e73d68
SHA256

e955d22f7b9ab797366ccbdfb14eba049d69965446b263d31a5834157055ea70
SHA512

94b6e5b0291ad727aebfc42d48b160f0ef9377259d7bb0d7e59ca092454744a035ac7d23cb84e2d6e02857e4040fbc5eed148abb81f7492990498384f7266351
SSDEEP

196608:uek5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyNjA9UCN:Rk5/EP2Gac4yHndWo+bodFgXz29OGNpU

Score

10^/10

dcrat orcus gamehack discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\Windows\Defender\MpDefenderCoreProtion.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

runtimesvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\""	runtimesvc.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	family_orcus

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3864	schtasks.exe

DCRat payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2424-56-0x000000001BB90000-0x000000001BC94000-memory.dmp	family_dcrat_v2

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	orcus
behavioral2/memory/2344-31-0x0000000000E00000-0x00000000010FE000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4644 powershell.exe
2964 powershell.exe
440 powershell.exe
2644 powershell.exe
4056 powershell.exe
2028 powershell.exe

pid	process
4644	powershell.exe
2964	powershell.exe
440	powershell.exe
2644	powershell.exe
4056	powershell.exe
2028	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MpDefenderProtector.exeWScript.exeruntimesvc.exeGameHackBuild(1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	MpDefenderProtector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	runtimesvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	GameHackBuild(1).exe

Executes dropped EXE 5 IoCs

Processes:

MpDefenderProtector.exeMpDefenderCoreProtion.exeMpDefenderCoreProtion.exeruntimesvc.exeSolara.exe

pid process

2344 MpDefenderProtector.exe
1088 MpDefenderCoreProtion.exe
1520 MpDefenderCoreProtion.exe
2424 runtimesvc.exe
2608 Solara.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

runtimesvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpDefenderCoreProtion = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\spoolsv.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpDefenderCoreProtion = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\MpDefenderCoreProtion.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\SearchApp.exe\""	runtimesvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimesvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinRuntimePerfMonitor\\runtimesvc.exe\""	runtimesvc.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC6BFF8C6988D74C1F99FF1C146273C14F.TMP	csc.exe
File created	\??\c:\Windows\System32\dnk2o1.exe	csc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MpDefenderCoreProtion.exe

description pid process target process

PID 1088 set thread context of 1348 1088 MpDefenderCoreProtion.exe msbuild.exe

description	pid	process	target process
PID 1088 set thread context of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe

Drops file in Program Files directory 6 IoCs

Processes:

runtimesvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884	runtimesvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	runtimesvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f3b6ecef712a24	runtimesvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\MpDefenderCoreProtion.exe	runtimesvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\6127aafe535d1c	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	runtimesvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msbuild.execmd.exeGameHackBuild(1).exeWScript.exeMpDefenderProtector.exeMpDefenderCoreProtion.exeMpDefenderCoreProtion.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameHackBuild(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderProtector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

5020 PING.EXE

pid	process
5020	PING.EXE

Modifies registry class 2 IoCs

Processes:

runtimesvc.exeGameHackBuild(1).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	runtimesvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	GameHackBuild(1).exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5020 PING.EXE

pid	process
5020	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1808	schtasks.exe
2652	schtasks.exe
712	schtasks.exe
1672	schtasks.exe
4524	schtasks.exe
3596	schtasks.exe
3056	schtasks.exe
2632	schtasks.exe
3588	schtasks.exe
2880	schtasks.exe
4476	schtasks.exe
5060	schtasks.exe
5028	schtasks.exe
1504	schtasks.exe
1576	schtasks.exe
3528	schtasks.exe
1940	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MpDefenderProtector.exeMpDefenderCoreProtion.exemsbuild.exeruntimesvc.exe

pid	process
2344	MpDefenderProtector.exe
1088	MpDefenderCoreProtion.exe
1088	MpDefenderCoreProtion.exe
1088	MpDefenderCoreProtion.exe
1088	MpDefenderCoreProtion.exe
1348	msbuild.exe
1348	msbuild.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe
2424	runtimesvc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MpDefenderProtector.exeMpDefenderCoreProtion.exemsbuild.exeruntimesvc.exeSolara.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2344	MpDefenderProtector.exe
Token: SeDebugPrivilege	1088	MpDefenderCoreProtion.exe
Token: SeDebugPrivilege	1348	msbuild.exe
Token: SeDebugPrivilege	2424	runtimesvc.exe
Token: SeDebugPrivilege	2608	Solara.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

GameHackBuild(1).exeMpDefenderProtector.exeMpDefenderCoreProtion.exeWScript.execmd.exeruntimesvc.execsc.execmd.exe

description	pid	process	target process
PID 2480 wrote to memory of 1684	2480	GameHackBuild(1).exe	WScript.exe
PID 2480 wrote to memory of 1684	2480	GameHackBuild(1).exe	WScript.exe
PID 2480 wrote to memory of 1684	2480	GameHackBuild(1).exe	WScript.exe
PID 2480 wrote to memory of 2344	2480	GameHackBuild(1).exe	MpDefenderProtector.exe
PID 2480 wrote to memory of 2344	2480	GameHackBuild(1).exe	MpDefenderProtector.exe
PID 2480 wrote to memory of 2344	2480	GameHackBuild(1).exe	MpDefenderProtector.exe
PID 2344 wrote to memory of 1088	2344	MpDefenderProtector.exe	MpDefenderCoreProtion.exe
PID 2344 wrote to memory of 1088	2344	MpDefenderProtector.exe	MpDefenderCoreProtion.exe
PID 2344 wrote to memory of 1088	2344	MpDefenderProtector.exe	MpDefenderCoreProtion.exe
PID 1088 wrote to memory of 2964	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 2964	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 2964	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1088 wrote to memory of 1348	1088	MpDefenderCoreProtion.exe	msbuild.exe
PID 1684 wrote to memory of 1256	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 1256	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 1256	1684	WScript.exe	cmd.exe
PID 1256 wrote to memory of 2424	1256	cmd.exe	runtimesvc.exe
PID 1256 wrote to memory of 2424	1256	cmd.exe	runtimesvc.exe
PID 2480 wrote to memory of 2608	2480	GameHackBuild(1).exe	Solara.exe
PID 2480 wrote to memory of 2608	2480	GameHackBuild(1).exe	Solara.exe
PID 2424 wrote to memory of 4772	2424	runtimesvc.exe	csc.exe
PID 2424 wrote to memory of 4772	2424	runtimesvc.exe	csc.exe
PID 4772 wrote to memory of 560	4772	csc.exe	cvtres.exe
PID 4772 wrote to memory of 560	4772	csc.exe	cvtres.exe
PID 2424 wrote to memory of 2964	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 2964	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 4644	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 4644	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 2028	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 2028	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 4056	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 4056	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 2644	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 2644	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 440	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 440	2424	runtimesvc.exe	powershell.exe
PID 2424 wrote to memory of 928	2424	runtimesvc.exe	cmd.exe
PID 2424 wrote to memory of 928	2424	runtimesvc.exe	cmd.exe
PID 928 wrote to memory of 1932	928	cmd.exe	chcp.com
PID 928 wrote to memory of 1932	928	cmd.exe	chcp.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe
"C:\Users\Admin\AppData\Local\Temp\GameHackBuild(1).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptfvecle\ptfvecle.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65AD.tmp" "c:\Windows\System32\CSC6BFF8C6988D74C1F99FF1C146273C14F.TMP"
        6⤵
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\MpDefenderCoreProtion.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XrgU68PImm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1932
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5020
- C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
    "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
  "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- - C:\Windows\System32\Wbem\wmic.exe
    wmic diskdrive get model,serialnumber
    3⤵
    PID:1100
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_Keyboard get Description,DeviceID
    3⤵
    PID:1064
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_PointingDevice get Description,PNPDeviceID
    3⤵
    PID:3456
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_PointingDevice get Description,PNPDeviceID
    3⤵
    PID:4524
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path Win32_DesktopMonitor get Description,PNPDeviceID
    3⤵
    PID:3056
- - C:\Windows\System32\Wbem\wmic.exe
    wmic get name
    3⤵
    PID:2912

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\MpDefenderCoreProtion.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtion" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MpDefenderCoreProtionM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\MpDefenderCoreProtion.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log

Filesize
1KB

MD5
c68a2e976c1f2f378d322b9a73864ae9

SHA1
c5fcbe5512f04aef44e3003965525b11b19d090b

SHA256
7d1eb548705640194f5dd9935645dedfdf928a365d6131273ca1f0e85fb860e5

SHA512
e978e1281c015597d9b6616a3216ff3597219915e990b0d080a41f6218d7f2fb470d016591fd7a9d4833e3ac31a2855320899af3b4204d175d5a3be012808f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65AD.tmp

Filesize
1KB

MD5
c2cb53e265ae22398d7f0aea658b8dc0

SHA1
becf15b0940a86088b5206fbc33c9e9dbfc1f235

SHA256
8fa67805b274842c1f92e102e87561bfbdf6fef4810c49761656a9bb8b9fabfa

SHA512
d8599f25ec39ebb9fd896ef0fdbb082d517f52d34f3c65e3d3a0b6cf8cc9e686c31bb4964638b9aed09f0cc2451b31b469273a92a7fc1ad98ede694122c7bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrgU68PImm.bat

Filesize
159B

MD5
c5097460862a9555c15595a3456de9b9

SHA1
c0772408ad9bb9286b52aed5f3e56952f806d1ff

SHA256
ba7289ea63a9f2f374d7432f832e9ebe8c1da14215db7629e1e24bb4829e9024

SHA512
7a021925c5e037c6b5c1480aa00380f84682dd735c64ee168de86b54ef6d098207a3165d3394be8cc534c581f1619908231a7894c5fb0cb353e7aa3254cc83b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixj5jzzy.mea.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat

Filesize
104B

MD5
fbef3b76368e503dca520965bb79565f

SHA1
9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

SHA256
bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

SHA512
2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe

Filesize
3.0MB

MD5
10e817a4d5e216279a8de8ed71c91044

SHA1
97c6fb42791be24d12bd74819ef67fa8f3d21724

SHA256
c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

SHA512
34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe

Filesize
4.6MB

MD5
e8c32cc88db9fef57fd9e2bb6d20f70b

SHA1
e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

SHA256
f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

SHA512
077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe

Filesize
263B

MD5
a05e26d89c5be7e2c6408b09cd05cf74

SHA1
c24231c6301f499b35441615b63db6969a1762fd

SHA256
05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

SHA512
8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe

Filesize
556KB

MD5
00c4245522082b7f87721f9a26e96ba4

SHA1
993a8aa88436b6c62b74bb399c09b8d45d9fb85b

SHA256
a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

SHA512
fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptfvecle\ptfvecle.0.cs

Filesize
363B

MD5
b99166b400ee8022c3cd3f6814af9066

SHA1
a5b501ccfcc7b18e74ea1cd5b748653c0ed9a34c

SHA256
c58f20514353558217db487f859c22f8fa1ddb7427e6fb03dc1685e49fe85ded

SHA512
33ca1c2400509b29b9dde2d3bdf87df80196cce8d7ad68201ec374412e85b52fcd459c48c8af42ec59ee2771e74361b08849cab7bb83178980e8588054df7504

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptfvecle\ptfvecle.cmdline

Filesize
235B

MD5
90af80860a614c28a50e324864f15e7a

SHA1
6a790f0a63a22e960f0b30fedbe0918116770e1e

SHA256
50c76a94eaee2b8b9ef3de76c5588430e93497b7d585ca1493c08a970f5e13c6

SHA512
2b3c914edd62ff0fedda919af4918dd2d8a58cd5e223ac04535340d341b465894f6a87d6a254686315595610b226b97ef419f023599c4d281bb540620712fda7

Download Submit
\??\c:\Windows\System32\CSC6BFF8C6988D74C1F99FF1C146273C14F.TMP

Filesize
1KB

MD5
775561cb0fd5f100b42ac5758ae200bb

SHA1
05987ff3a389d36f7cc66f0906afd470803520e2

SHA256
821d62917f13490566a3cff08a261328a0954dbb3d96cec18025763de74cb2d5

SHA512
6fc136ba28b0c822a00989a1df46c7629c7d1b820fee96fc2d24efe6d0ef2ee521f446637830978d9369d6d92ce11848170ac24a9e618aa5a78518cb011b27b9

Download Submit
memory/1088-43-0x0000000005690000-0x00000000056DE000-memory.dmp

Filesize
312KB

Download
memory/1088-45-0x0000000005FF0000-0x000000000608C000-memory.dmp

Filesize
624KB

Download
memory/1348-48-0x0000000005CC0000-0x0000000005CD8000-memory.dmp

Filesize
96KB

Download
memory/1348-49-0x0000000005D90000-0x0000000005DA0000-memory.dmp

Filesize
64KB

Download
memory/1348-193-0x00000000072A0000-0x00000000072EC000-memory.dmp

Filesize
304KB

Download
memory/1348-192-0x0000000007260000-0x000000000729C000-memory.dmp

Filesize
240KB

Download
memory/1348-191-0x0000000007200000-0x0000000007212000-memory.dmp

Filesize
72KB

Download
memory/1348-50-0x0000000006980000-0x000000000698A000-memory.dmp

Filesize
40KB

Download
memory/1348-190-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/1348-195-0x0000000007E20000-0x0000000007FE2000-memory.dmp

Filesize
1.8MB

Download
memory/1348-196-0x0000000006A00000-0x0000000006A0E000-memory.dmp

Filesize
56KB

Download
memory/1348-194-0x0000000007420000-0x000000000752A000-memory.dmp

Filesize
1.0MB

Download
memory/1348-174-0x0000000006E90000-0x0000000006EF6000-memory.dmp

Filesize
408KB

Download
memory/1348-197-0x00000000080F0000-0x0000000008140000-memory.dmp

Filesize
320KB

Download
memory/2344-32-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/2344-33-0x0000000072340000-0x0000000072AF1000-memory.dmp

Filesize
7.7MB

Download
memory/2344-30-0x000000007234E000-0x000000007234F000-memory.dmp

Filesize
4KB

Download
memory/2344-31-0x0000000000E00000-0x00000000010FE000-memory.dmp

Filesize
3.0MB

Download
memory/2344-34-0x0000000005E20000-0x0000000005E7C000-memory.dmp

Filesize
368KB

Download
memory/2344-42-0x0000000072340000-0x0000000072AF1000-memory.dmp

Filesize
7.7MB

Download
memory/2344-37-0x0000000005E00000-0x0000000005E12000-memory.dmp

Filesize
72KB

Download
memory/2344-36-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/2344-35-0x0000000006510000-0x0000000006AB6000-memory.dmp

Filesize
5.6MB

Download
memory/2424-76-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

Filesize
48KB

Download
memory/2424-85-0x000000001CB70000-0x000000001CB7E000-memory.dmp

Filesize
56KB

Download
memory/2424-81-0x00000000030A0000-0x00000000030AC000-memory.dmp

Filesize
48KB

Download
memory/2424-55-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/2424-79-0x0000000002FF0000-0x0000000002FFE000-memory.dmp

Filesize
56KB

Download
memory/2424-87-0x000000001CB80000-0x000000001CB8C000-memory.dmp

Filesize
48KB

Download
memory/2424-83-0x000000001CB60000-0x000000001CB6C000-memory.dmp

Filesize
48KB

Download
memory/2424-74-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/2424-72-0x0000000003030000-0x0000000003048000-memory.dmp

Filesize
96KB

Download
memory/2424-68-0x000000001CB10000-0x000000001CB60000-memory.dmp

Filesize
320KB

Download
memory/2424-64-0x0000000003010000-0x000000000302C000-memory.dmp

Filesize
112KB

Download
memory/2424-58-0x0000000001710000-0x000000000171E000-memory.dmp

Filesize
56KB

Download
memory/2424-56-0x000000001BB90000-0x000000001BC94000-memory.dmp

Filesize
1.0MB

Download
memory/2608-77-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2608-189-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2608-188-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2608-199-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/4056-118-0x0000017630180000-0x00000176301A2000-memory.dmp

Filesize
136KB

Download