dcrat | e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d06917a4f1ce19595f45d652cc3f5f1.exe
Size

161KB
MD5

6d06917a4f1ce19595f45d652cc3f5f1
SHA1

f12921fead53f540793ae3ceec9ddd9d2cbf576b
SHA256

e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
SHA512

ea79f414aadc75c78e0de7956909ccc5a95b350aeb72846c6df6869a0249ed763f839b56ebc86f8087b56dbe3ef5943a45e8e37e273319816f1f6ca3611fba31
SSDEEP

3072:diZUCzlE+mKEYsBqbVj0Mx96KuuW58v7gyCXLO2Vf:d6UCz3SWVP96KM5CIO2F

Score

10^/10

dcrat djvu glupteba smokeloader zgrat tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

tfd5

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		876	schtasks.exe
		3164	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		6d06917a4f1ce19595f45d652cc3f5f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5ecfdb52-4d9a-4e61-a05c-abd6deea6cf1\\B0C3.exe\" --AutoStart"		B0C3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""		5EF7.exe

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233d0-292.dat	family_zgrat_v1

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/2708-21-0x0000000003CA0000-0x0000000003DBB000-memory.dmp	family_djvu
behavioral2/memory/4800-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4576-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4576-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4576-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

resource	yara_rule
behavioral2/memory/1828-58-0x00000000043D0000-0x0000000004CBB000-memory.dmp	family_glupteba
behavioral2/memory/1828-59-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1828-107-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1828-110-0x00000000043D0000-0x0000000004CBB000-memory.dmp	family_glupteba
behavioral2/memory/1576-111-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1576-151-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1576-215-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1572-236-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1572-288-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1572-307-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba
behavioral2/memory/1572-310-0x0000000000400000-0x00000000022EA000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
408	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	B0C3.exe

Deletes itself 1 IoCs

pid	Process
3460	Process not Found

Executes dropped EXE 12 IoCs

pid	Process
2708	B0C3.exe
4800	B0C3.exe
4504	B0C3.exe
4576	B0C3.exe
1828	5EF7.exe
3844	77CF.exe
1576	5EF7.exe
1572	csrss.exe
4544	injector.exe
4696	2B70.exe
4364	windefender.exe
2324	windefender.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1212	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000233d1-300.dat	upx
behavioral2/memory/4364-305-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2324-308-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5ecfdb52-4d9a-4e61-a05c-abd6deea6cf1\\B0C3.exe\" --AutoStart"	B0C3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	5EF7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
133	api.2ip.ua
134	api.2ip.ua

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 4800	2708	B0C3.exe	107
PID 4504 set thread context of 4576	4504	B0C3.exe	111

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	5EF7.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	5EF7.exe
File created	C:\Windows\rss\csrss.exe	5EF7.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4912	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2536	4576	WerFault.exe	111
4908	4916	WerFault.exe	121
2996	1828	WerFault.exe	120

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d06917a4f1ce19595f45d652cc3f5f1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d06917a4f1ce19595f45d652cc3f5f1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d06917a4f1ce19595f45d652cc3f5f1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3164	schtasks.exe
876	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	5EF7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	5EF7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	5EF7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	5EF7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	6d06917a4f1ce19595f45d652cc3f5f1.exe
3244	6d06917a4f1ce19595f45d652cc3f5f1.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3244	6d06917a4f1ce19595f45d652cc3f5f1.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	1828	5EF7.exe
Token: SeImpersonatePrivilege	1828	5EF7.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	864	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeSystemEnvironmentPrivilege	1572	csrss.exe
Token: SeSecurityPrivilege	4912	sc.exe
Token: SeSecurityPrivilege	4912	sc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3460	Process not Found
3460	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 220	3460	Process not Found	101
PID 3460 wrote to memory of 220	3460	Process not Found	101
PID 220 wrote to memory of 4804	220	cmd.exe	103
PID 220 wrote to memory of 4804	220	cmd.exe	103
PID 3460 wrote to memory of 2708	3460	Process not Found	106
PID 3460 wrote to memory of 2708	3460	Process not Found	106
PID 3460 wrote to memory of 2708	3460	Process not Found	106
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 2708 wrote to memory of 4800	2708	B0C3.exe	107
PID 4800 wrote to memory of 1212	4800	B0C3.exe	108
PID 4800 wrote to memory of 1212	4800	B0C3.exe	108
PID 4800 wrote to memory of 1212	4800	B0C3.exe	108
PID 4800 wrote to memory of 4504	4800	B0C3.exe	109
PID 4800 wrote to memory of 4504	4800	B0C3.exe	109
PID 4800 wrote to memory of 4504	4800	B0C3.exe	109
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 4504 wrote to memory of 4576	4504	B0C3.exe	111
PID 3460 wrote to memory of 3664	3460	Process not Found	117
PID 3460 wrote to memory of 3664	3460	Process not Found	117
PID 3664 wrote to memory of 1460	3664	cmd.exe	119
PID 3664 wrote to memory of 1460	3664	cmd.exe	119
PID 3460 wrote to memory of 1828	3460	Process not Found	120
PID 3460 wrote to memory of 1828	3460	Process not Found	120
PID 3460 wrote to memory of 1828	3460	Process not Found	120
PID 1828 wrote to memory of 4916	1828	5EF7.exe	121
PID 1828 wrote to memory of 4916	1828	5EF7.exe	121
PID 1828 wrote to memory of 4916	1828	5EF7.exe	121
PID 3460 wrote to memory of 3844	3460	Process not Found	123
PID 3460 wrote to memory of 3844	3460	Process not Found	123
PID 1576 wrote to memory of 4892	1576	5EF7.exe	130
PID 1576 wrote to memory of 4892	1576	5EF7.exe	130
PID 1576 wrote to memory of 4892	1576	5EF7.exe	130
PID 1576 wrote to memory of 3648	1576	5EF7.exe	133
PID 1576 wrote to memory of 3648	1576	5EF7.exe	133
PID 3648 wrote to memory of 408	3648	cmd.exe	135
PID 3648 wrote to memory of 408	3648	cmd.exe	135
PID 1576 wrote to memory of 1892	1576	5EF7.exe	136
PID 1576 wrote to memory of 1892	1576	5EF7.exe	136
PID 1576 wrote to memory of 1892	1576	5EF7.exe	136
PID 1576 wrote to memory of 4284	1576	5EF7.exe	139
PID 1576 wrote to memory of 4284	1576	5EF7.exe	139
PID 1576 wrote to memory of 4284	1576	5EF7.exe	139
PID 1576 wrote to memory of 1572	1576	5EF7.exe	141
PID 1576 wrote to memory of 1572	1576	5EF7.exe	141
PID 1576 wrote to memory of 1572	1576	5EF7.exe	141
PID 1572 wrote to memory of 4824	1572	csrss.exe	142
PID 1572 wrote to memory of 4824	1572	csrss.exe	142
PID 1572 wrote to memory of 4824	1572	csrss.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6d06917a4f1ce19595f45d652cc3f5f1.exe
"C:\Users\Admin\AppData\Local\Temp\6d06917a4f1ce19595f45d652cc3f5f1.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9654.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:4804

C:\Users\Admin\AppData\Local\Temp\B0C3.exe
C:\Users\Admin\AppData\Local\Temp\B0C3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\B0C3.exe
  C:\Users\Admin\AppData\Local\Temp\B0C3.exe
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\5ecfdb52-4d9a-4e61-a05c-abd6deea6cf1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\B0C3.exe
    "C:\Users\Admin\AppData\Local\Temp\B0C3.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\B0C3.exe
      "C:\Users\Admin\AppData\Local\Temp\B0C3.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:4576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 568
        5⤵
        Program crash
        
        PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4576 -ip 4576
1⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\469B.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1460

C:\Users\Admin\AppData\Local\Temp\5EF7.exe
C:\Users\Admin\AppData\Local\Temp\5EF7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 2512
    3⤵
    - Program crash
    PID:4908
- C:\Users\Admin\AppData\Local\Temp\5EF7.exe
  "C:\Users\Admin\AppData\Local\Temp\5EF7.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      PID:4824
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:876
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      PID:4544
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3164
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      PID:4364
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 804
  2⤵
  - Program crash
  PID:2996

C:\Users\Admin\AppData\Local\Temp\77CF.exe
C:\Users\Admin\AppData\Local\Temp\77CF.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4916 -ip 4916
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1828 -ip 1828
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\2B70.exe
C:\Users\Admin\AppData\Local\Temp\2B70.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B70.exe

Filesize
7.4MB

MD5
c96c8f6bb68d339098dbc8885d27007a

SHA1
880ab4e7a89e9a58056a6a6650fc3bca6beb8b77

SHA256
e132abb3e01c827c071cdcc5493929c49afa801198697e7539e42e8d05f06aa5

SHA512
c99de85da1ae9d460d0630f789325e40d49a9cd78fa150a61e72bd4185ec979b4a969332a46c2d994bbf1b0361f7cbc5bb0071a6a58ea3bd09f18b5ed5619758

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EF7.exe

Filesize
4.1MB

MD5
78a0319eb132805c6655ac5a6e40b324

SHA1
a9f9849294c770da0e18dd9d4f1a0b94ea2c3712

SHA256
5477d23273fe750e15448485b9ab55d76706faceddd798ca05c0294e5a7a0974

SHA512
b7cb4168980f3aa60acea871f4c63b1b821be5e9e0aced720dc16af05eef079b7f7e2bb7680e66b381e4a8fa4a2a9bd1ce1b0f372369839d40f2c79beea65244

Download Submit
C:\Users\Admin\AppData\Local\Temp\77CF.exe

Filesize
11.8MB

MD5
450039a02217c53bd983eaf1fd34505a

SHA1
930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda

SHA256
d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0

SHA512
cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

Download Submit
C:\Users\Admin\AppData\Local\Temp\9654.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0C3.exe

Filesize
690KB

MD5
7cf84d06a29104c6f89d44273274f50d

SHA1
d34b7c3d8d41ba180d6101a328bd2692c7bb8748

SHA256
f06023caca13c3a5515a9a1e1e7f525361bf2336c8b127e479a1b90206d8c6da

SHA512
f4b701a738cc694192870eeebc102be13ae3b081ba5a6d00d8e6f70a56dfc122feff8f4a4602f44948cd6e925291160cb884e82e9ebf45fd2151ba3bfec67853

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rk0jqmcp.lob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8968d793836d3811767b0b9c4ab5da20

SHA1
094e590415563783061257f61219cbeadbfd3656

SHA256
7c4692617ba304e0051afc462a798c179c598dc4bd979ce3014f3b00e0278595

SHA512
ea91825576ebd2359adb2ae7234de4a677d8c4a11d3329662f4deebe1ed0997d1a478ce04bc1875be45db44210ce0e663a8ccf3ec99b4bb5644e2acfe05cc182

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3ae9a307aae6b9f0ec2e461780079709

SHA1
73a3c7fb2e63c7a44ad1925954a18d77ab6650c1

SHA256
d2df3ba537239cf4a4467b3bcda6a980cff1a3331e6693052ec072dac766d0be

SHA512
d60ff9f8ce9bcac038e0671e8179a02e97d600c4c009d8842ee96d1db43cd773f75e0d4726d8f990b243ed077c5fa8bee4e5a7ab8d5588508bc977d15db54b8c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1d0e34d38ca1a6da2322e06adec40cce

SHA1
914b081c0b41c1a68bca12bfffb377f5befbd00d

SHA256
3b166ded158d89287a8d86c3c70ad5fe696ef6815233e02fb570cdefb9a915a1

SHA512
a42d5e53c0311656ec2db3dd57703000dbbdd97f330907d22ef8720529fa74e0279016f34a54fd35b7099c28768a54dde89045a305310b79e3174e66cd55043b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b78e0b508997ac7d504778a1b599cd9d

SHA1
6744165b8616c83b0a16501a91e93b9955b16da3

SHA256
172f78b8cdb657d98929311de0314564eef2feae41c1e22f99d53ed4c0be4c41

SHA512
a4b72457e616ff74b5317dcd98cad58f1b53e64f114608a9073e6ae475cda4633a4a259ff24849ac2635b5df431dde80f71a3902067791d71deb39ffc1e56512

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1572-307-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1572-288-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1572-236-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1572-310-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1576-151-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1576-111-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1576-109-0x0000000004090000-0x0000000004493000-memory.dmp

Filesize
4.0MB

Download
memory/1576-215-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1828-57-0x0000000003FC0000-0x00000000043C2000-memory.dmp

Filesize
4.0MB

Download
memory/1828-58-0x00000000043D0000-0x0000000004CBB000-memory.dmp

Filesize
8.9MB

Download
memory/1828-59-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1828-110-0x00000000043D0000-0x0000000004CBB000-memory.dmp

Filesize
8.9MB

Download
memory/1828-107-0x0000000000400000-0x00000000022EA000-memory.dmp

Filesize
30.9MB

Download
memory/1892-155-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/1892-154-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/1892-152-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1892-153-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/1892-166-0x000000007F540000-0x000000007F550000-memory.dmp

Filesize
64KB

Download
memory/1892-167-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/1892-168-0x0000000070C10000-0x0000000070F64000-memory.dmp

Filesize
3.3MB

Download
memory/1892-178-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/1892-180-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2324-308-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2708-21-0x0000000003CA0000-0x0000000003DBB000-memory.dmp

Filesize
1.1MB

Download
memory/2708-20-0x0000000003BD0000-0x0000000003C70000-memory.dmp

Filesize
640KB

Download
memory/3244-5-0x0000000000400000-0x0000000001F00000-memory.dmp

Filesize
27.0MB

Download
memory/3244-3-0x0000000000400000-0x0000000001F00000-memory.dmp

Filesize
27.0MB

Download
memory/3244-2-0x0000000001F80000-0x0000000001F8B000-memory.dmp

Filesize
44KB

Download
memory/3244-1-0x0000000002100000-0x0000000002200000-memory.dmp

Filesize
1024KB

Download
memory/3460-4-0x0000000001520000-0x0000000001536000-memory.dmp

Filesize
88KB

Download
memory/3844-126-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/3844-194-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/3844-286-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/3844-220-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/3844-306-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/3844-309-0x00007FF628D10000-0x00007FF629972000-memory.dmp

Filesize
12.4MB

Download
memory/4284-181-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4284-182-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/4364-305-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4504-40-0x0000000003C40000-0x0000000003CDE000-memory.dmp

Filesize
632KB

Download
memory/4576-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4892-142-0x0000000007650000-0x0000000007661000-memory.dmp

Filesize
68KB

Download
memory/4892-113-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/4892-141-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/4892-143-0x0000000007690000-0x000000000769E000-memory.dmp

Filesize
56KB

Download
memory/4892-144-0x00000000076A0000-0x00000000076B4000-memory.dmp

Filesize
80KB

Download
memory/4892-145-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/4892-146-0x00000000076D0000-0x00000000076D8000-memory.dmp

Filesize
32KB

Download
memory/4892-149-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4892-140-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/4892-139-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/4892-138-0x000000007F820000-0x000000007F830000-memory.dmp

Filesize
64KB

Download
memory/4892-127-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/4892-128-0x00000000705F0000-0x0000000070944000-memory.dmp

Filesize
3.3MB

Download
memory/4892-125-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/4892-124-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/4892-114-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/4892-112-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4916-61-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4916-89-0x000000007F6F0000-0x000000007F700000-memory.dmp

Filesize
64KB

Download
memory/4916-65-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/4916-63-0x00000000056B0000-0x0000000005CD8000-memory.dmp

Filesize
6.2MB

Download
memory/4916-104-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4916-103-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/4916-102-0x00000000079E0000-0x0000000007A83000-memory.dmp

Filesize
652KB

Download
memory/4916-101-0x00000000079C0000-0x00000000079DE000-memory.dmp

Filesize
120KB

Download
memory/4916-90-0x0000000070370000-0x00000000703BC000-memory.dmp

Filesize
304KB

Download
memory/4916-91-0x00000000704F0000-0x0000000070844000-memory.dmp

Filesize
3.3MB

Download
memory/4916-88-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/4916-60-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/4916-86-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/4916-87-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/4916-62-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/4916-82-0x0000000007510000-0x0000000007586000-memory.dmp

Filesize
472KB

Download
memory/4916-80-0x0000000006960000-0x00000000069A4000-memory.dmp

Filesize
272KB

Download
memory/4916-79-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/4916-78-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4916-77-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/4916-64-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/4916-67-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4916-66-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download