dcrat | b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c

Analysis

max time kernel
80s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Size

303KB
MD5

91971721b53c791bd1e4bef7ae44c4fc
SHA1

ffd271ebad1b0afae61b36a62d63352d38c703bd
SHA256

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
SHA512

25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
SSDEEP

3072:oQciUCwAoPh+BYYCEXWHbbk9B/armuE/1K8nD2ey7AOD65xL4dK:kOIhmhbL/uER2ey752L44

Score

10^/10

dcrat djvu glupteba lumma smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://associationokeo.shop/api

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exeC351.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\15825811-1459-4ac2-b0bb-72052832438e\\C351.exe\" --AutoStart"	C351.exe
1848	schtasks.exe
4572	schtasks.exe

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3172-22-0x0000000004AF0000-0x0000000004C0B000-memory.dmp	family_djvu
behavioral1/memory/2168-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3580-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3580-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3580-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4160-103-0x00000000051E0000-0x0000000005ACB000-memory.dmp	family_glupteba
behavioral1/memory/4160-104-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/4160-127-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/4160-173-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/3180-175-0x00000000052D0000-0x0000000005BBB000-memory.dmp	family_glupteba
behavioral1/memory/3180-177-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/3180-256-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/3180-312-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/3180-344-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/956-418-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral1/memory/956-480-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2784 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

C351.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C351.exe
Deletes itself 1 IoCs

Processes:

pid process

3456
Executes dropped EXE 7 IoCs

Processes:

C351.exeC351.exeC351.exeC351.exe1923.exe38F1.exe4B42.exe

pid process

3172 C351.exe
2168 C351.exe
4632 C351.exe
3580 C351.exe
4548 1923.exe
4796 38F1.exe
4160 4B42.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

524 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2784	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	C351.exe

pid	process
3456

pid	process
3172	C351.exe
2168	C351.exe
4632	C351.exe
3580	C351.exe
4548	1923.exe
4796	38F1.exe
4160	4B42.exe

pid	process
524	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

C351.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\15825811-1459-4ac2-b0bb-72052832438e\\C351.exe\" --AutoStart"	C351.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

97 drive.google.com
98 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 api.2ip.ua
45 api.2ip.ua
120 ip-api.com

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
97	drive.google.com
98	drive.google.com

flow	ioc
44	api.2ip.ua
45	api.2ip.ua
120	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

C351.exeC351.exe38F1.exe

description	pid	process	target process
PID 3172 set thread context of 2168	3172	C351.exe	C351.exe
PID 4632 set thread context of 3580	4632	C351.exe	C351.exe
PID 4796 set thread context of 5056	4796	38F1.exe	RegAsm.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1324 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

208 3580 WerFault.exe C351.exe
2556 4548 WerFault.exe 1923.exe

pid	process
1324	sc.exe

pid	pid_target	process	target process
208	3580	WerFault.exe	C351.exe
2556	4548	WerFault.exe	1923.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1848 schtasks.exe
4572 schtasks.exe

pid	process
1848	schtasks.exe
4572	schtasks.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{0B5C418E-6859-44F3-A1F8-9F0B21507100}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

pid	process
4920	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
4920	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

pid process

4920 b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

RegAsm.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeDebugPrivilege	5056	RegAsm.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe
Token: SeShutdownPrivilege	4112	explorer.exe
Token: SeCreatePagefilePrivilege	4112	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

explorer.exe

pid process

4112 explorer.exe
4112 explorer.exe
4112 explorer.exe
4112 explorer.exe
4112 explorer.exe
4112 explorer.exe
4112 explorer.exe
4112 explorer.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

explorer.exe

pid	process
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe
4112	explorer.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.exeC351.exeC351.exeC351.execmd.exe38F1.exe4B42.exe

description	pid	process	target process
PID 3456 wrote to memory of 3972	3456		cmd.exe
PID 3456 wrote to memory of 3972	3456		cmd.exe
PID 3972 wrote to memory of 3212	3972	cmd.exe	reg.exe
PID 3972 wrote to memory of 3212	3972	cmd.exe	reg.exe
PID 3456 wrote to memory of 3172	3456		C351.exe
PID 3456 wrote to memory of 3172	3456		C351.exe
PID 3456 wrote to memory of 3172	3456		C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 3172 wrote to memory of 2168	3172	C351.exe	C351.exe
PID 2168 wrote to memory of 524	2168	C351.exe	icacls.exe
PID 2168 wrote to memory of 524	2168	C351.exe	icacls.exe
PID 2168 wrote to memory of 524	2168	C351.exe	icacls.exe
PID 2168 wrote to memory of 4632	2168	C351.exe	C351.exe
PID 2168 wrote to memory of 4632	2168	C351.exe	C351.exe
PID 2168 wrote to memory of 4632	2168	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 4632 wrote to memory of 3580	4632	C351.exe	C351.exe
PID 3456 wrote to memory of 4548	3456		1923.exe
PID 3456 wrote to memory of 4548	3456		1923.exe
PID 3456 wrote to memory of 4548	3456		1923.exe
PID 3456 wrote to memory of 396	3456		cmd.exe
PID 3456 wrote to memory of 396	3456		cmd.exe
PID 396 wrote to memory of 5100	396	cmd.exe	reg.exe
PID 396 wrote to memory of 5100	396	cmd.exe	reg.exe
PID 3456 wrote to memory of 4796	3456		38F1.exe
PID 3456 wrote to memory of 4796	3456		38F1.exe
PID 3456 wrote to memory of 4796	3456		38F1.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 4796 wrote to memory of 5056	4796	38F1.exe	RegAsm.exe
PID 3456 wrote to memory of 4160	3456		4B42.exe
PID 3456 wrote to memory of 4160	3456		4B42.exe
PID 3456 wrote to memory of 4160	3456		4B42.exe
PID 4160 wrote to memory of 1240	4160	4B42.exe	powershell.exe
PID 4160 wrote to memory of 1240	4160	4B42.exe	powershell.exe
PID 4160 wrote to memory of 1240	4160	4B42.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
"C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFA9.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\C351.exe
C:\Users\Admin\AppData\Local\Temp\C351.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\C351.exe
C:\Users\Admin\AppData\Local\Temp\C351.exe
2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\15825811-1459-4ac2-b0bb-72052832438e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:524

C:\Users\Admin\AppData\Local\Temp\C351.exe
"C:\Users\Admin\AppData\Local\Temp\C351.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\C351.exe
"C:\Users\Admin\AppData\Local\Temp\C351.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 568
5⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
1⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\1923.exe
C:\Users\Admin\AppData\Local\Temp\1923.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1084
2⤵
- Program crash
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4548 -ip 4548
1⤵
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2C3E.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\38F1.exe
C:\Users\Admin\AppData\Local\Temp\38F1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\4B42.exe
C:\Users\Admin\AppData\Local\Temp\4B42.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\4B42.exe
"C:\Users\Admin\AppData\Local\Temp\4B42.exe"
2⤵
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4636

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4544

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2488

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1848

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:1680

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:4572

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:1276

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4584

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
e045d58509ea9ccf58a7c9da04faf233

SHA1
8cd270922bc0ba71e36e0925b5927dd5360792c2

SHA256
9b3de31ff941c8b17a390481df65b96e177fa9865b83414aea64d1113b655a85

SHA512
9b37b37f9c136b941fbbf7c7e53aa48c0e0d421daca792523e5221116dbda2bd48ab64be527903bb210a76802f1176e6e01ab873a79e0f3f414d77ef66f01902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
341aa95bdc46e40b1230f03b9f4c8b2d

SHA1
426ca999cc7eb3fef6bf5a0e4f4755e56f6425c6

SHA256
32f7d527879afddd4d2c3ba5c8e59db5938e5abc0c8bdb12cf81ba553df501c0

SHA512
a6a6254df5700cf445d4edd211185745cdeccd28f1117beac844f4541dbfc7eb3b51346df8757e7889dc3cb751f3ca8e14b9717104a8a05d7581f16b42292b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
5438399e35344fd436c4a134915d34a6

SHA1
2c58d8229bebd3d97e7e7bec125da4caebcd461b

SHA256
d0831327b04aa49d3744d248a66ece8b5be5279064d543f6a3e376fd50037865

SHA512
cc011d1b255cf6eadcecd5e5345569aee96bdb4ac4cb9ac4af0521798f0d85cb0bf3d33ef51b6ceafa8b4045d5d3242d5b5b2e242b8bc2cf6c96c4b387a2c2f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N3A1GXDL\microsoft.windows[1].xml
Filesize
97B

MD5
2a048584ff1532f817c94dc91dcd1288

SHA1
a8feaa50ff20598096757253f961ed62cc8e2569

SHA256
ac0e9ccd0c2a91247d80d72c35930928c1da245701ca832072bd977c61d3901a

SHA512
b6e50c342123202657e524ce15e02851da3b8573494e0ba98f7b70c6438fcbee100df4eac302d1dcbd3d3123bdf14a11d232c96d998c569431887317419c1d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1923.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\38F1.exe
Filesize
124KB

MD5
15e99fef6ef1009225f7c4c6e150be76

SHA1
89bc8a468138da2fac12db6a0fb7b93ffd8703c3

SHA256
11d03ca1f0e3a488cd6ce3b2db917f470218473ed7cbbe75b1e7bf301ea23269

SHA512
3b8ef63d2f08ef6dc0d74e596c23afaa701b22d8dbf52fc1d073b0d285256f340587d9a933d7eb664f2a79df9e0576fa6737a9919304e67150e39e3d51c10480

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B42.exe
Filesize
2.3MB

MD5
e5d1e00be8367df28a4a3ecc969285ab

SHA1
9c195f436b76e7ae38ab1f407a555fbb5c92a049

SHA256
1889e8898f400406a796b5b90e593bf106dc23d1b57116787c45fc4da3b6cc16

SHA512
b90f2fa692267eb5fe6c67582f02b6abeb164661384fb0e2a3b429c691c081a7c4e0791259c0c14e41e4d7d4b904433cf43964a2a4f7a2b144c1815cc15be0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B42.exe
Filesize
4.2MB

MD5
08f205bd4c626acf46c5729beb091469

SHA1
cf7adac27660b03ee0cb844006bbfd9fe2460ce9

SHA256
2b885200e0b4089f256041e61431678cc4cf64c417fedfef219fcda756e5b7f2

SHA512
1c1a2c3e40a97c376cded93b9e11df9f696499ad1ea6848ebc703121aad20e296337033d09bb1a4faffb0a133d2298936189ebf081525465ac95fc2f0d53ad87

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFA9.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\C351.exe
Filesize
802KB

MD5
b7f8d4ff366d2f244f3473c15209eb57

SHA1
b3b17090c8920ef0b9218f6c22319189da7700f8

SHA256
04af6919d8273c5f76e4e7fc88a0b7ce74c3bcbe8e26348268f19d6dff1d1ee7

SHA512
2bab537580010644831ad212bbd72e6de2304abc7ca990db02b6c5c7f5e46bff08a4b13a78eb7156246815bd66c44c920c27fc5bac48be7405ec2920e6bb9cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13p3yfsb.giv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a129eabcc6f5c0074e1a6067f9aff62d

SHA1
25c0670e1c5a5038c44ceb6ca4009501bbec5b51

SHA256
c6c724995a488ba12dfbf55874ec71cc5e977ce8d572d9663a3a77c38a74e223

SHA512
1d54172b0170dc79099421ddafbda6e54e451661ee9a70459dda200c39c35e390f3e684ba7d2e32ce81b1f790afabb56f1786d16f2f668cb368f709a5bfb7f5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ba80ebb354bcb836c1f679f81e717ac1

SHA1
740f0a007f8bdb5fe8ce7087fab896505c5a12f9

SHA256
55266c8e53e1c0215798e086234722c525f5165437902b1004ee5c627ef0b0c7

SHA512
af41c31ed76d1365930820b1ca8d01c3a80b08ca86ac79cfd96a1ecb8cffed18f39e02d75046ae9bfe221ce5418e3fd8566809e07badeb60ca0d2ea2c10c038e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
afd3089dc896ed3a8562c13be0493363

SHA1
08a9875b5ee10b19a8e42e7f7a9f1b422ad7bf96

SHA256
510599da64d82ea697dc36a6a2e17c42fbe059bf8eba6498f7b149ee067f9261

SHA512
aa2d92ce992122e61f58b07099603278c7055f08bb04fc7a728f38fe915759b2f21e91381d39530a431b95f6b6aba81e750196bbdc45fcffbd46f17c5c659ae6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
6f509f230ca828998c8098561f46115a

SHA1
b8f75b65f4db8769dff2c2fd5f058263fb82d1fd

SHA256
050c4270540246f8ee3c24dc748ef60d911551082b73d78aec304d350061c153

SHA512
2465829be79f2b88baaa8b8345547ec487a0b703c1f435501a4a5adfe3e1aba5e17f05b62f6a5bbe1da4585b4fe8c5230962c0d450f71eb2eb1a21871f06b399

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fb2ae9cf6dbd4ad7e5eefacedfae059b

SHA1
ea1c6bc13200efcbf2d17f545de9b8685083305e

SHA256
bdd503af62f7b776f63987f0c0a2788c488baa15cf95a35b642dbc6673ad6241

SHA512
c975175bf989c8ff01d48829436ce8218269221d729d2a0348ebef60f4a33726cba89c2f335735841105fca0bb5cc760ca4b603b8df5325eeeaf22853bdb8896

Download Submit
C:\Windows\rss\csrss.exe
Filesize
128KB

MD5
1230cec1a36a097ab6a416f28a543696

SHA1
3e2361e8847b8e377eeb06f985def1d6e98a3355

SHA256
2271d3fb9c0b586320cfad1ff0033270b2342662414b486c5d73ff431c125ab7

SHA512
fc64637869ce0e7c08cbcd068a0a21509e9f83442f47fbc52acef42ffdb642cf49a52c567aa971844a654261276417c072000cd7e8fced6ee30a5480359d9d6f

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
abb372731f3c3c0163b5518e74eae4d6

SHA1
86d45573d6a038722834dd0a11567fc61ade65e4

SHA256
42a0192d24cdcb2da87e035f059b2a3715737278cc24bb275fe2d38d7a3eac50

SHA512
9fb8382d8dbf457df4d645eeb98185ac447e4eecc5d5eb1c1a04b369ed046bc6d85aaab1d9bc62d669e5f21a05038a8696987df10e6c90d1715bfd920f7cc227

Download Submit
memory/956-418-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/956-480-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/1156-299-0x0000021AEF120000-0x0000021AEF140000-memory.dmp

Filesize
128KB

Download
memory/1156-301-0x0000021AEF5B0000-0x0000021AEF5D0000-memory.dmp

Filesize
128KB

Download
memory/1156-296-0x0000021AEF160000-0x0000021AEF180000-memory.dmp

Filesize
128KB

Download
memory/1240-129-0x00000000060F0000-0x0000000006134000-memory.dmp

Filesize
272KB

Download
memory/1240-144-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/1240-164-0x00000000072E0000-0x00000000072E8000-memory.dmp

Filesize
32KB

Download
memory/1240-163-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/1240-162-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/1240-161-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/1240-160-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/1240-159-0x00000000072F0000-0x0000000007386000-memory.dmp

Filesize
600KB

Download
memory/1240-158-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download
memory/1240-157-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/1240-143-0x000000007F320000-0x000000007F330000-memory.dmp

Filesize
64KB

Download
memory/1240-146-0x0000000070190000-0x00000000704E4000-memory.dmp

Filesize
3.3MB

Download
memory/1240-156-0x00000000070E0000-0x00000000070FE000-memory.dmp

Filesize
120KB

Download
memory/1240-145-0x000000006FB30000-0x000000006FB7C000-memory.dmp

Filesize
304KB

Download
memory/1240-142-0x0000000006F50000-0x0000000006F6A000-memory.dmp

Filesize
104KB

Download
memory/1240-141-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1240-135-0x0000000006EB0000-0x0000000006F26000-memory.dmp

Filesize
472KB

Download
memory/1240-131-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1240-170-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/1240-122-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/1240-121-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/1240-120-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/1240-110-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/1240-109-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/1240-105-0x00000000025A0000-0x00000000025D6000-memory.dmp

Filesize
216KB

Download
memory/1240-106-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/1240-107-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1240-108-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/1360-185-0x000001F7BB9E0000-0x000001F7BBA00000-memory.dmp

Filesize
128KB

Download
memory/1360-195-0x000001F7BBD90000-0x000001F7BBDB0000-memory.dmp

Filesize
128KB

Download
memory/1360-188-0x000001F7BBDB0000-0x000001F7BBDD0000-memory.dmp

Filesize
128KB

Download
memory/1360-187-0x000001F7BB9A0000-0x000001F7BB9C0000-memory.dmp

Filesize
128KB

Download
memory/1596-397-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2168-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2484-476-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2604-289-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/3172-22-0x0000000004AF0000-0x0000000004C0B000-memory.dmp

Filesize
1.1MB

Download
memory/3172-21-0x0000000004A50000-0x0000000004AE5000-memory.dmp

Filesize
596KB

Download
memory/3180-312-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3180-344-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3180-177-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3180-174-0x0000000004ED0000-0x00000000052CC000-memory.dmp

Filesize
4.0MB

Download
memory/3180-175-0x00000000052D0000-0x0000000005BBB000-memory.dmp

Filesize
8.9MB

Download
memory/3180-256-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3228-243-0x00000265380C0000-0x00000265380E0000-memory.dmp

Filesize
128KB

Download
memory/3228-241-0x00000265379A0000-0x00000265379C0000-memory.dmp

Filesize
128KB

Download
memory/3228-239-0x00000265379E0000-0x0000026537A00000-memory.dmp

Filesize
128KB

Download
memory/3456-126-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3456-4-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/3568-231-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3580-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3580-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3580-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3708-178-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/3748-200-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/3748-201-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3748-212-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3748-202-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4080-409-0x000001B93F240000-0x000001B93F260000-memory.dmp

Filesize
128KB

Download
memory/4080-406-0x000001B93ED90000-0x000001B93EDB0000-memory.dmp

Filesize
128KB

Download
memory/4080-404-0x000001B93EDD0000-0x000001B93EDF0000-memory.dmp

Filesize
128KB

Download
memory/4160-173-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4160-127-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4160-104-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4160-103-0x00000000051E0000-0x0000000005ACB000-memory.dmp

Filesize
8.9MB

Download
memory/4160-102-0x0000000004DD0000-0x00000000051D3000-memory.dmp

Filesize
4.0MB

Download
memory/4160-179-0x0000000004DD0000-0x00000000051D3000-memory.dmp

Filesize
4.0MB

Download
memory/4548-60-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4548-59-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4548-53-0x0000000000360000-0x0000000001045000-memory.dmp

Filesize
12.9MB

Download
memory/4548-61-0x0000000000360000-0x0000000001045000-memory.dmp

Filesize
12.9MB

Download
memory/4548-92-0x0000000000360000-0x0000000001045000-memory.dmp

Filesize
12.9MB

Download
memory/4548-62-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/4548-58-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/4548-64-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4548-63-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/4548-65-0x0000000000360000-0x0000000001045000-memory.dmp

Filesize
12.9MB

Download
memory/4548-70-0x00000000031F0000-0x0000000003222000-memory.dmp

Filesize
200KB

Download
memory/4548-69-0x00000000031F0000-0x0000000003222000-memory.dmp

Filesize
200KB

Download
memory/4548-68-0x00000000031F0000-0x0000000003222000-memory.dmp

Filesize
200KB

Download
memory/4548-67-0x00000000031F0000-0x0000000003222000-memory.dmp

Filesize
200KB

Download
memory/4548-66-0x0000000003370000-0x00000000033B0000-memory.dmp

Filesize
256KB

Download
memory/4592-482-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/4632-40-0x0000000004A10000-0x0000000004AA3000-memory.dmp

Filesize
588KB

Download
memory/4796-90-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/4796-86-0x0000000002500000-0x0000000004500000-memory.dmp

Filesize
32.0MB

Download
memory/4796-82-0x0000000000100000-0x0000000000126000-memory.dmp

Filesize
152KB

Download
memory/4796-83-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/4920-1-0x00000000030F0000-0x00000000031F0000-memory.dmp

Filesize
1024KB

Download
memory/4920-3-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/4920-5-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/4920-8-0x0000000002EE0000-0x0000000002EEB000-memory.dmp

Filesize
44KB

Download
memory/4920-2-0x0000000002EE0000-0x0000000002EEB000-memory.dmp

Filesize
44KB

Download
memory/5056-136-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/5056-91-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/5056-96-0x00000000066C0000-0x0000000006726000-memory.dmp

Filesize
408KB

Download
memory/5056-95-0x00000000060D0000-0x0000000006162000-memory.dmp

Filesize
584KB

Download
memory/5056-94-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/5056-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5056-93-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download