File name:	Extremeinjector.exe
Full analysis:	https://app.any.run/tasks/5b4a4d8c-e278-445d-b4ff-d7bf63af1921
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 26, 2025, 14:09:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github dcrat rat api-base64 remote darkcrystal stealer netreactor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	23DE5C2C4DE1AF322B48D8FB54F52082
SHA1:	BACE8711338A1C79605866759FADD2C7ADBB2630
SHA256:	CC92C665E4E26F4BF880E69666F019F9D568533510D8CA3D5E4651C1E121231E
SSDEEP:	98304:TBgnTDT0s+HC4UwA+F2MeQLTKoChDNTAW+LLk7KNyaeR23tBy1WUDL424ZjuqfkV:gWeB2YJ

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:26 12:58:42+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	3928064
InitializedDataSize:	17408
UninitializedDataSize:	-
EntryPoint:	0x3c0f4e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	Ext injector.exe
LegalCopyright:
OriginalFileName:	Ext injector.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASMANCS
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6672) Extreme Injector v3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
6436	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nmnah1f4.2s1.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6884	Injector.exe	C:\ChaincomponentWebCrt\TyN1beQAOk.vbe		binary
		MD5:DDBF10D9165A769A6D20FCD2E118BD0D	SHA256:69A84572C197B52B3BEB9EC67145C4C1D198936BCC5846A1439DA09015790401
6436	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c3ldxkjo.4b4.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6348	Extremeinjector.exe	C:\Users\admin\AppData\Local\Temp\Injector.exe		executable
		MD5:CDC73A31577A496FC31045AB14C36068	SHA256:B5BC765BB2A46B9A737EA217CF2A12E50D0B56D27C42A78AF873BB970B18FCD3
6884	Injector.exe	C:\ChaincomponentWebCrt\MPvPPnEP8ql73Oq.bat		text
		MD5:12C9BBFF6C5B9CCF2998EAD53EB4A7A1	SHA256:09FD9ED68963FA1404292B9FA84D51B57CD3BFFFC73808DC20A1807947BD70F8
7076	Componentmonitor.exe	C:\ChaincomponentWebCrt\MoUsoCoreWorker.exe		executable
		MD5:15745DCD5FC0FCFEA4F0F0B1EAF81AD6	SHA256:015CC3F392CB4C3B3D705A3EDEF3ED94031E8CD6B2D4A80B4123CE60319F1CE1
6436	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:06C95B7901171E33E1F41B32B261A962	SHA256:ABBA7484FD8706F7AF8F7036AF53AD96201C5428AF4FAD32EE2189B6F22A8142
7076	Componentmonitor.exe	C:\Users\admin\ApplicationFrameHost.exe		executable
		MD5:15745DCD5FC0FCFEA4F0F0B1EAF81AD6	SHA256:015CC3F392CB4C3B3D705A3EDEF3ED94031E8CD6B2D4A80B4123CE60319F1CE1
6884	Injector.exe	C:\ChaincomponentWebCrt\Componentmonitor.exe		executable
		MD5:15745DCD5FC0FCFEA4F0F0B1EAF81AD6	SHA256:015CC3F392CB4C3B3D705A3EDEF3ED94031E8CD6B2D4A80B4123CE60319F1CE1
7076	Componentmonitor.exe	C:\ChaincomponentWebCrt\ctfmon.exe		executable
		MD5:15745DCD5FC0FCFEA4F0F0B1EAF81AD6	SHA256:015CC3F392CB4C3B3D705A3EDEF3ED94031E8CD6B2D4A80B4123CE60319F1CE1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6356	MoUsoCoreWorker.exe	GET	—	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&31982f01560e8d01d7d8fc7d6f4e7d69=d1nI2YTZ3QjYxMWOilDMlRGM4QzYwQDOzIWMkJTZ5YTZkNTM1YWYiFTY1IiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0kzNhVzM3E2Y2MWNhNzYmhTZ0cTNiFDMxkjYzkTY1ETZlVzN0EWM0IiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?d06oFQWXH=ex1oYQHqtZG9qRqvsLi5M&69f20f09b42bc01d8f287a2d37fd4032=71c39fcad182d6430d190787d1696bdc&08ee1e3e2cbdfd05831b12572c6b3c97=QOxgjMmRTOiJDOxE2YyYzNjJTNwkDNmZmY2czM3MTYhFGOllTMlVzN&d06oFQWXH=ex1oYQHqtZG9qRqvsLi5M	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI5gDO2EWYyITY3MjY4U2NhFGOkNWNzcTNxUjZiBDOxkjM4EmNwgDNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&a9ab273a1d11bacaf5985e916c2ce6ba=d1nIkJ1VaBjSYlFMOhUS1xmMaFDeHV1ZwMUSOJkRJlXQq9EeFp2T5F0UOlXQq1kdZpWT2VkeXJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0kzNhVzM3E2Y2MWNhNzYmhTZ0cTNiFDMxkjYzkTY1ETZlVzN0EWM0IiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&a9ab273a1d11bacaf5985e916c2ce6ba=0VfiElZpFlbjRkSXpFWS5mYsVjMidXMyIma1cVYohmMRNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzlUeiBnUXRmQClnT1MWeRJkQ5FGbShkYoZVbVdGMp10bBlmYKJ0UaVHbHRVd4x2YjZFWRd2YU9kbNVVUnN3VaBDeXlFbKZUS0lERLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlGNyQmd1ITY1ZFbJZTSDVlS1UVUNp0QMlWSwI1ZrR1T11kaJZTSTRlQKxWSzlUaiNTOtJmc1clVp9maJNHeXl1MW12Ywp1aJNXSpNGbS1mYsp1VaVkQ5N2M5ckW1xmMWl2bqlkeW52YwpFWhBTNXFVa3lWS4F0UMdWQDRVTWVkUp9maJVXOXFmeKhlWX5UMUpkSrl0cJNUTwQzURl2bqlEbxcVWP5UMUpkSrl0cJlmYzkTbiJXNXZVavpWSFxWRalnRyIWaKhlWvJ1Mi5kSDxUa0IDZ2VjMhVnVslkNJl2YspEWkBjTXlVbW5mYoFTRalnRyIWaKhlWvJ1Mi5kSDxUa0IDZ2VjMhVnVslkNJNlW0ZUbUtmSYlldK12Ysh2RkZXMrl0cJNVT5Z1RiNXOtNGM1IjYElzVatGbtZVavpWSrxWVapGbtRGbSVlVRR2aJNXSpVWSCNkTykUaPlWVHRGaKZUY6ZVbj1mVtVFNGdFVWJUMSl2dplkeKNjYzljMZdWWU9UejpmT1EFVPlXUElENCNUT5NGRJRjQD1ENJRVTp9maJVXOXFGMChVY55kMjxmUVp1a5cFV2Z1RaBnWWZVUktWSzlUaRdWQqlkNJNVZ5lzVixWMwIGbSdVYXZlRVhkSDxUaJl2Tpl0MipnTYpla502YRlzVatGbtZlVCFjUpdXaJFTSp9UaV12YxI1MZxmUYF2bO12YClzVatGbtZlVCFjUpdXaJlnVHR2dGdkWCJ0UlhGeHNmesdkUn10VhpnRtF1ZR5mW250MilnTXFmTKl2TpV1VihWNVZVUktWSzlUeNZkWE1UMBRUT3l1aSNkWrFFNjRUTp9maJtGbrNmdONzYs5kMilnQWZVUOtWSzl0QNZlQxEVavpWSrxWVapGbtRGbSVlVR50aJN3YE9UMNp2TpRjMiBnTYFmMW1WVWJUMRl2dplkNoVFVnFFVPdXTqlkNJNkWsZ1RjRFdykld4JTUwUzValnSYRGRWZUVEp0QMlWRww0TKl2TpF1VaxmQzUlcOJjYz5URihWNtNGbShUZGZlRVRkSDxUaJVVYMJ0QNl2bqlEbwhVYUZ1RhpmRyEle3VlVR50aJNXSTFld0sWS2k0UaZDbyUFboJTWo50aN1kVGVFRKNETptmaJZTSTpVeWhEZqZ1RkBHaykVeGVlVR50aJNXUq9UaN52Y250MjxmTyIWeCZkYo50Vh5WOHRlVCFTUpd3QOZTS5NGbKNjYEZlRVRkSDxUaNRUSuVzVhdnQYpFMOZUSwUERJNnVHpldxUUSyE0UlNHbXJGaaVUSwkFRS5kRrlkNJlmY2x2RkdHbtNmaOhlWFZlRVRkSDxUavh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI5gDO2EWYyITY3MjY4U2NhFGOkNWNzcTNxUjZiBDOxkjM4EmNwgDNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&31982f01560e8d01d7d8fc7d6f4e7d69=d1nI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWR61EeJhlWw4EWZRnQTVWaClXT1NmaMpXWIlUe5cEZqZVbhVHbFlEbxclW5JFSlZkSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJTUVRlQoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarlWUnFERLdWSYpFMChVWrZURJVjRHJ2dOhVYFJUeZBnTYl1QCNEZtljMjZnSzkFcxsWS2k0UaRnRtRlVCFjUpdXaJ9kSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRHRGa0dkY2RHMMhGbyMmQKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJhGbHpVdsVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplkMVR0T0QTaNNzdD9EMjRUT1tGVNl2bqlka5ckYpdXaJ9EbrlkNJNVZ5JlbiFTOykVa3lWSopESk9mTYlVeGdUYoFzaJZTSpJmdsJjWspkbJNXSTFGaKdlYxEzaJZTSTVGMsJTWpdXaJJTTq1UdBpmT4RzQOdXSqxkeBRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiIzMTNxU2YlVGO3Y2MkJjM2M2NyImZhZzYmRDOjNTNxMWM2YWYiNTNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&31982f01560e8d01d7d8fc7d6f4e7d69=d1nI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWR61EeJhlWw4EWZRnQTVWaClXT1NmaMpXWIlUe5cEZqZVbhVHbFlEbxclW5JFSlZkSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJTUVRlQoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarlWUnFERLdWSYpFMChVWrZURJVjRHJ2dOhVYFJUeZBnTYl1QCNEZtljMjZnSzkFcxsWS2k0UaRnRtRlVCFjUpdXaJ9kSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRHRGa0dkY2RHMMhGbyMmQKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJhGbHpVdsVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplkMVR0T0QTaNNzdD9EMjRUT1tGVNl2bqlka5ckYpdXaJ9EbrlkNJNVZ5JlbiFTOykVa3lWSopESk9mTYlVeGdUYoFzaJZTSpJmdsJjWspkbJNXSTFGaKdlYxEzaJZTSTVGMsJTWpdXaJJTTq1UdBpmT4RzQOdXSqxkeBRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiIzMTNxU2YlVGO3Y2MkJjM2M2NyImZhZzYmRDOjNTNxMWM2YWYiNTNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&31982f01560e8d01d7d8fc7d6f4e7d69=d1nI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWR61EeJhlWw4EWZRnQTVWaClXT1NmaMpXWIlUe5cEZqZVbhVHbFlEbxclW5JFSlZkSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJTUVRlQoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarlWUnFERLdWSYpFMChVWrZURJVjRHJ2dOhVYFJUeZBnTYl1QCNEZtljMjZnSzkFcxsWS2k0UaRnRtRlVCFjUpdXaJ9kSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRHRGa0dkY2RHMMhGbyMmQKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJhGbHpVdsVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplkMVR0T0QTaNNzdD9EMjRUT1tGVNl2bqlka5ckYpdXaJ9EbrlkNJNVZ5JlbiFTOykVa3lWSopESk9mTYlVeGdUYoFzaJZTSpJmdsJjWspkbJNXSTFGaKdlYxEzaJZTSTVGMsJTWpdXaJJTTq1UdBpmT4RzQOdXSqxkeBRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiIzMTNxU2YlVGO3Y2MkJjM2M2NyImZhZzYmRDOjNTNxMWM2YWYiNTNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted
6356	MoUsoCoreWorker.exe	GET	200	5.101.153.201:80	http://konsolxq.beget.tech/5115a3c5.php?NXQ1bdJT2Ei9=3CcMlcmo1Q1fbS4zCH34Y&pUhHpv9dAtzr2y0WzN=qVGZVA&d5064acea7a9436805ff4e532d82a72b=gY1UmY4gDZhRTN2MTM2kjM0kjZzITM3czY3YTZiFGNxMWN1Q2Y3ATN4QDOxMTNzQTNxQTM2kDO&08ee1e3e2cbdfd05831b12572c6b3c97=AMlRWY2kTNjNDMmNjMxQmZxczN1cTMidjMihDOjJjYyIWNzUWM1AzN&31982f01560e8d01d7d8fc7d6f4e7d69=d1nI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W&0cb93f2ce0c7f57542b33f848aeff4d8=0VfiIiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiI0UmNkZTY5QjZwYjMkFWO2MmZ5QzNmVjYhZWOkF2NwQjZ3E2YzcTOlJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWR61EeJhlWw4EWZRnQTVWaClXT1NmaMpXWIlUe5cEZqZVbhVHbFlEbxclW5JFSlZkSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJTUVRlQoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarlWUnFERLdWSYpFMChVWrZURJVjRHJ2dOhVYFJUeZBnTYl1QCNEZtljMjZnSzkFcxsWS2k0UaRnRtRlVCFjUpdXaJ9kSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRHRGa0dkY2RHMMhGbyMmQKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJhGbHpVdsVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplkMVR0T0QTaNNzdD9EMjRUT1tGVNl2bqlka5ckYpdXaJ9EbrlkNJNVZ5JlbiFTOykVa3lWSopESk9mTYlVeGdUYoFzaJZTSpJmdsJjWspkbJNXSTFGaKdlYxEzaJZTSTVGMsJTWpdXaJJTTq1UdBpmT4RzQOdXSqxkeBRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiM2N0UTMhVDN3YjN2ImMhRDM4AzYlhDO1QzNkZDNmJTYiwiIzMTNxU2YlVGO3Y2MkJjM2M2NyImZhZzYmRDOjNTNxMWM2YWYiNTNjJiOiEGZxYWO1cjN5UmY1QGO4IjY1kjYhZGMxU2Y3IWO5ITYiwiIiJGZxQDOzMDNyUzN5EmNyI2YxIWYiVWMkVWZyYmNjN2Y0UDMmRGZ1IiOiYDZyUTZxY2NzQWNxYmZ3IzNxImMzIzMlZWMiZTZ0AjMis3W	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	92.123.104.52:443	—	Akamai International B.V.	DE	unknown
6672	Extreme Injector v3.exe	185.199.110.133:443	raw.githubusercontent.com	FASTLY	US	shared
6356	MoUsoCoreWorker.exe	5.101.153.201:80	konsolxq.beget.tech	Beget LLC	RU	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
raw.githubusercontent.com	185.199.110.133 185.199.111.133 185.199.108.133 185.199.109.133	shared
konsolxq.beget.tech	5.101.153.201	whitelisted
self.events.data.microsoft.com	20.42.65.94	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
6356	MoUsoCoreWorker.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)

General Info

Extremeinjector.exe

23DE5C2C4DE1AF322B48D8FB54F52082

BACE8711338A1C79605866759FADD2C7ADBB2630

CC92C665E4E26F4BF880E69666F019F9D568533510D8CA3D5E4651C1E121231E

98304:TBgnTDT0s+HC4UwA+F2MeQLTKoChDNTAW+LLk7KNyaeR23tBy1WUDL424ZjuqfkV:gWeB2YJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Adds path to the Windows Defender exclusion list

Changes the autorun value in the registry

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT mutex has been found

DARKCRYSTAL has been detected (SURICATA)

Actions looks like stealing of personal data

DCRAT has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Script adds exclusion path to Windows Defender

Reads the date of Windows installation

Executable content was dropped or overwritten

Starts POWERSHELL.EXE for commands execution

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Executed via WMI

Likely accesses (executes) a file from the Public directory

The process creates files with name similar to system file names

Application launched itself

There is functionality for taking screenshot (YARA)

Probably delay the execution using 'w32tm.exe'

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Script raised an exception (POWERSHELL)

Disables trace logs

Checks proxy server information

Reads Environment values

Reads the software policy settings

Checks if a key exists in the options dictionary (POWERSHELL)

The sample compiled with english language support

Drops encrypted VBS script (Microsoft Script Encoder)

Potential library load (Base64 Encoded 'LoadLibrary')

Potential access to remote process (Base64 Encoded 'OpenProcess')

Failed to create an executable file in Windows directory

.NET Reactor protector has been detected

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Found Base64 encoded reference to AntiVirus WMI classes (YARA)

Found Base64 encoded reference to WMI classes (YARA)

Malware configuration

DcRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules