Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-03-2024 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe

  • Size

    269KB

  • MD5

    b4daa1e2cbed5b1208728306f7009a80

  • SHA1

    50fa36b4d785ea212a8341062bebcd379a7d4224

  • SHA256

    d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15

  • SHA512

    a86370bbd9a0367f287a1e952eda34d3bf23589b4b1f79d7fc94c0686619dbab51c959353c76e0869d7f043404cf0394cb26931da42aaafd42a1bc3de19c526d

  • SSDEEP

    3072:ZIG169wfIDD+lwZXhdqEgO6Co3b/f7hxUot7rDhmg/E4Kw6SmBlVa:ZILUEDJedz7D9tUgew6RB

Score
10/10
dcratdjvugluptebasmokeloaderpub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .vook

  • offline_id

    1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Signatures

  • DcRat 4 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 10 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 61 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe
    "C:\Users\Admin\AppData\Local\Temp\d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1376
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4DB.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
        PID:2348
    • C:\Users\Admin\AppData\Local\Temp\C554.exe
      C:\Users\Admin\AppData\Local\Temp\C554.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\C554.exe
        C:\Users\Admin\AppData\Local\Temp\C554.exe
        2⤵
        • DcRat
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\7d3fbc50-fc48-4d7e-bd38-3e3e29f3dac1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:4384
        • C:\Users\Admin\AppData\Local\Temp\C554.exe
          "C:\Users\Admin\AppData\Local\Temp\C554.exe" --Admin IsNotAutoStart IsNotTask
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4976
          • C:\Users\Admin\AppData\Local\Temp\C554.exe
            "C:\Users\Admin\AppData\Local\Temp\C554.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
            • Executes dropped EXE
            PID:4052
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 624
              5⤵
              • Program crash
              PID:1804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4052 -ip 4052
      1⤵
        PID:3696
      • C:\Users\Admin\AppData\Local\Temp\EB7B.exe
        C:\Users\Admin\AppData\Local\Temp\EB7B.exe
        1⤵
        • Executes dropped EXE
        PID:4236
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EE4B.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
          2⤵
            PID:4912
        • C:\Users\Admin\AppData\Local\Temp\399.exe
          C:\Users\Admin\AppData\Local\Temp\399.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3844
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4488
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2524
              3⤵
              • Program crash
              PID:1380
          • C:\Users\Admin\AppData\Local\Temp\399.exe
            "C:\Users\Admin\AppData\Local\Temp\399.exe"
            2⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:2000
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4292
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:3084
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:2312
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:4752
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Manipulates WinMonFS driver.
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                PID:1504
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                4⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4292
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                4⤵
                  PID:2772
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:4252
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:3444
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                  • Executes dropped EXE
                  PID:1524
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:3584
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:5112
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    5⤵
                      PID:4888
                      • C:\Windows\SysWOW64\sc.exe
                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        6⤵
                        • Launches sc.exe
                        PID:3360
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Modifies Installed Components in the registry
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:432
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Suspicious use of SetWindowsHookEx
              PID:2428
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4488 -ip 4488
              1⤵
                PID:1440
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:388
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4684
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3508
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3156
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3024
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                1⤵
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:2368
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2368 -s 4956
                  2⤵
                    PID:2312
                • C:\Windows\windefender.exe
                  C:\Windows\windefender.exe
                  1⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  PID:1720

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                2
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Privilege Escalation

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                2
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Defense Evasion

                File and Directory Permissions Modification

                1
                T1222

                Impair Defenses

                1
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Modify Registry

                3
                T1112

                Credential Access

                Unsecured Credentials

                3
                T1552

                Credentials In Files

                3
                T1552.001

                Discovery

                Peripheral Device Discovery

                2
                T1120

                Query Registry

                5
                T1012

                System Information Discovery

                5
                T1082

                Lateral Movement

                Collection

                Data from Local System

                3
                T1005

                Command and Control

                Web Service

                1
                T1102

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\311Q95T3\www.bing[1].xml
                  Filesize

                  2KB

                  MD5

                  19210c31faa8098cf5d6f1d6f67251b6

                  SHA1

                  00957b243d8d491e3cae095ca670398a37bd7707

                  SHA256

                  5301a6eb8bfd487d595bf053996e0ae808a55d5c8428baaed46ad810e2e7f963

                  SHA512

                  a642ab2b8fe414a117d9b0d2bc6601322255bb8fabb8c29009674fdbeae08f3922e446e3e039dff19a4ba1b6ed2ade5d7e1b80d4a45fd47cf4d2b4ef021ef117

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\399.exe
                  Filesize

                  4.2MB

                  MD5

                  f20545112aac4d388966aa18162768b2

                  SHA1

                  9d2c872f30d402e467128dbcada3c69361a2909b

                  SHA256

                  0958e59de7186b792e95f1f2c727317fe901cec23b17ec77704092572315f57c

                  SHA512

                  f558402740241801ef3ab00ca8e84686743836d0ae6787d5e9b09000d4417e44b6b35181a0c57e85533f404d1720fc73f8a9b34a0653337f03e53ac5f7ad43ad

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\A4DB.bat
                  Filesize

                  77B

                  MD5

                  55cc761bf3429324e5a0095cab002113

                  SHA1

                  2cc1ef4542a4e92d4158ab3978425d517fafd16d

                  SHA256

                  d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                  SHA512

                  33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\C554.exe
                  Filesize

                  768KB

                  MD5

                  1d12763b9095b1d14607833deae59b2b

                  SHA1

                  0acf80ed680a678f49f5bfddb14cafd96544fbcb

                  SHA256

                  74ea265a9044414b3318c2f3a0893a1faf11da8538196740c3880a6a2cf87a1c

                  SHA512

                  f18ea8e5304a286178b2bd54ce494ee6034f87976f0668e45737e547638658d323d50aa5ba9756bcfbe6089825f81529e5a65a0b03eac63712f118212f028d15

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\EB7B.exe
                  Filesize

                  6.5MB

                  MD5

                  9e52aa572f0afc888c098db4c0f687ff

                  SHA1

                  ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

                  SHA256

                  4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

                  SHA512

                  d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfwwclzz.5xa.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  Filesize

                  281KB

                  MD5

                  d98e33b66343e7c96158444127a117f6

                  SHA1

                  bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                  SHA256

                  5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                  SHA512

                  705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  Filesize

                  2KB

                  MD5

                  ac4917a885cf6050b1a483e4bc4d2ea5

                  SHA1

                  b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                  SHA256

                  e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                  SHA512

                  092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  19KB

                  MD5

                  c0e3b576fdbcc34c379d7132c6a2c4bc

                  SHA1

                  3fdb1b3eab3f2ef55cde55cc2705bd2dc2534a86

                  SHA256

                  507c9ec0ce5926efd2b2002a3b5e45c4ee713ae95424be38d8629d12f0a4bdd6

                  SHA512

                  f0fb1af8067999dea9c0538c3b93073bc0f82f0fd6d415bf49d511ab895b5bbc90fcb89de6e4c0cfd343e044ec8de3d2842de12b69b48537b40608b794e8da5d

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  19KB

                  MD5

                  935bcaf27fa547be1db8726856c076fd

                  SHA1

                  63fa11c06bc460ff2c23eb73d60a8eccdcfecb07

                  SHA256

                  6416191e14e3bafb1141623f3eaff924bd0457d46943f41d33de1ebbb9160a4b

                  SHA512

                  2825f2c6c33666efe3612cefd0fa7dd00b86fd0ee54bdd5ad7358220e1fb7d59c18ca3bea3b6388c0b059a1504b630780877ddf9b509a2b54f6b0cc2f9714551

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  19KB

                  MD5

                  0cc7f459124f68f02612ee4c7888731b

                  SHA1

                  1e306a74752a04494e65966066f8e8a21a8d0b17

                  SHA256

                  871a205701b96488a87e91e49670a896735971c712069d21ca778de0e73239dc

                  SHA512

                  b5a7263e3d228a551ddbc29e9974c2edae4ec72c91f349a68bd61960acfe543a1bb8b38c02abf65d85701b0702d8d19c35d8cfcffc8d2a8950a640b0f25c93bf

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  19KB

                  MD5

                  21d4b717894e5ed4a7320dd045334297

                  SHA1

                  61268295cb03fd727d8764ccec8dcd1adb798a64

                  SHA256

                  fc723789d9a5de4e054a65fe6a14efa0cf426af412d5f0c869a8d5a07f04908d

                  SHA512

                  71c1552e3256ed4fec02659243b0c2034f18b3ff1b60ad9f3b6dd647d8cbbd6fed42c463eeef889a83da9d2fbe6e5727e2817c8880aff9bcb0079558d0b5a3b6

                  Download Submit
                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  19KB

                  MD5

                  9d4d7a854d9f1ba8bb242b5b66633149

                  SHA1

                  ddc32137d1bf70a25112c368f6b5e0b9e88e548b

                  SHA256

                  a04882d69971d681d3991b5c6a44f78594de9599e9e23bfed2a95e03600ac388

                  SHA512

                  fa0681cbbe42a9836e338292f1b35fd3711a379d2c28f4cd6685828f34f2486eed582c6e264afa270263bd59943e7af5a9ef3fd21afa426301c9dabe7ea0a211

                  Download Submit
                • C:\Windows\windefender.exe
                  Filesize

                  2.0MB

                  MD5

                  8e67f58837092385dcf01e8a2b4f5783

                  SHA1

                  012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                  SHA256

                  166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                  SHA512

                  40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                  Download Submit
                • memory/388-267-0x000001D7A51D0000-0x000001D7A51F0000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/1376-1-0x0000000002F00000-0x0000000003000000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/1376-3-0x0000000000400000-0x0000000002D42000-memory.dmp
                  Filesize

                  41.3MB

                  Download
                • memory/1376-2-0x0000000002EE0000-0x0000000002EEB000-memory.dmp
                  Filesize

                  44KB

                  Download
                • memory/1376-5-0x0000000000400000-0x0000000002D42000-memory.dmp
                  Filesize

                  41.3MB

                  Download
                • memory/1648-511-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-544-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-566-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-569-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-563-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-560-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-556-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1648-553-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/1720-555-0x0000000000400000-0x00000000008DF000-memory.dmp
                  Filesize

                  4.9MB

                  Download
                • memory/1720-565-0x0000000000400000-0x00000000008DF000-memory.dmp
                  Filesize

                  4.9MB

                  Download
                • memory/2368-492-0x00000248C77E0000-0x00000248C78E0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/2368-489-0x00000248B69F0000-0x00000248B6A10000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/3024-433-0x00000267CE770000-0x00000267CE790000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/3024-447-0x00000267DEB80000-0x00000267DEC80000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/3156-376-0x000001EE63E70000-0x000001EE63E90000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/3156-394-0x000001EE514B0000-0x000001EE515B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/3260-4-0x0000000003620000-0x0000000003636000-memory.dmp
                  Filesize

                  88KB

                  Download
                • memory/3260-228-0x0000000003420000-0x0000000003421000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3396-22-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/3396-26-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/3396-25-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/3396-38-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/3396-24-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/3640-21-0x0000000004BA0000-0x0000000004CBB000-memory.dmp
                  Filesize

                  1.1MB

                  Download
                • memory/3640-20-0x0000000004980000-0x0000000004A1E000-memory.dmp
                  Filesize

                  632KB

                  Download
                • memory/3780-412-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/3780-375-0x0000000000400000-0x0000000003125000-memory.dmp
                  Filesize

                  45.1MB

                  Download
                • memory/4052-44-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/4052-45-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/4052-47-0x0000000000400000-0x0000000000537000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/4236-72-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-125-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-94-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-95-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-98-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-97-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-99-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-100-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-96-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-102-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-101-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-104-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-103-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-105-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-108-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-106-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-107-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-109-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-110-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-112-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-111-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-113-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-114-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-116-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-118-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-115-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-119-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-120-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-117-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-121-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-122-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-123-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-124-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-93-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-126-0x00000000044B0000-0x00000000044F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/4236-92-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-91-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-86-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-90-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-89-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-87-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-88-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-85-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-84-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-83-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-82-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-81-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-79-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-80-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-78-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-77-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-76-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-75-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-74-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-73-0x00000000043B0000-0x00000000044B0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4236-71-0x0000000003650000-0x0000000003651000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-70-0x0000000000910000-0x00000000015F5000-memory.dmp
                  Filesize

                  12.9MB

                  Download
                • memory/4236-67-0x0000000003620000-0x0000000003621000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-54-0x0000000000910000-0x00000000015F5000-memory.dmp
                  Filesize

                  12.9MB

                  Download
                • memory/4236-68-0x0000000003630000-0x0000000003631000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-69-0x0000000003640000-0x0000000003641000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-66-0x0000000003610000-0x0000000003611000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-62-0x00000000035D0000-0x00000000035D1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-64-0x00000000035E0000-0x00000000035E1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4236-63-0x0000000000910000-0x00000000015F5000-memory.dmp
                  Filesize

                  12.9MB

                  Download
                • memory/4976-41-0x00000000049F0000-0x0000000004A8E000-memory.dmp
                  Filesize

                  632KB

                  Download
                • memory/5112-552-0x0000000000400000-0x00000000008DF000-memory.dmp
                  Filesize

                  4.9MB

                  Download