raccoon | 451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf

Analysis

max time kernel
141s
max time network
141s
platform
windows10_x64
resource
win10-en-20211104
submitted
20-11-2021 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe
Size

406KB
MD5

5f1186983c5d905824f4fcf56d1c7b64
SHA1

9182a08a44dc552a2938b69844e12fc0d7361cbc
SHA256

451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf
SHA512

f68a948a352863916d550e3581a81bc1092c8ff0b5b4882fd72496f616d8feec42e65f13429f8f4ab02f7143accaab9e770110d002857642fa1dcbf24f47594d

Score

10^/10

raccoon redline 34b5c357572382155552cb40207e952f9f95264b xxluchxx1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

194.58.69.100:37026

Extracted

Family

redline

Botnet

xxluchxx1

212.86.102.63:62907

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

34b5c357572382155552cb40207e952f9f95264b

Attributes

url4cnc
http://91.219.236.162/baldandbankrupt1
http://185.163.47.176/baldandbankrupt1
http://193.38.54.238/baldandbankrupt1
http://74.119.192.122/baldandbankrupt1
http://91.219.236.240/baldandbankrupt1
https://t.me/baldandbankrupt1

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2116-124-0x000000000041B56E-mapping.dmp	family_redline
behavioral1/memory/2116-123-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2116-130-0x0000000005090000-0x0000000005696000-memory.dmp	family_redline
behavioral1/memory/2688-155-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2688-156-0x00000000004193EE-mapping.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

Monitor.exeHeno.exeFore.exeservices32.exesihost32.exe

pid process

2184 Monitor.exe
1572 Heno.exe
3260 Fore.exe
2112 services32.exe
3316 sihost32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2184	Monitor.exe
1572	Heno.exe
3260	Fore.exe
2112	services32.exe
3316	sihost32.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exeFore.exe

description	pid	process	target process
PID 3440 set thread context of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3260 set thread context of 2688	3260	Fore.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4032 1572 WerFault.exe Heno.exe

pid	pid_target	process	target process
4032	1572	WerFault.exe	Heno.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe

pid	process
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

RegAsm.exeWerFault.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
2116	RegAsm.exe
2116	RegAsm.exe
2116	RegAsm.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
4032	WerFault.exe
512	conhost.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
3168	conhost.exe
3168	conhost.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exeWerFault.exeRegAsm.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2116	RegAsm.exe
Token: SeRestorePrivilege	4032	WerFault.exe
Token: SeBackupPrivilege	4032	WerFault.exe
Token: SeDebugPrivilege	4032	WerFault.exe
Token: SeDebugPrivilege	2688	RegAsm.exe
Token: SeDebugPrivilege	512	conhost.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeIncreaseQuotaPrivilege	3796	powershell.exe
Token: SeSecurityPrivilege	3796	powershell.exe
Token: SeTakeOwnershipPrivilege	3796	powershell.exe
Token: SeLoadDriverPrivilege	3796	powershell.exe
Token: SeSystemProfilePrivilege	3796	powershell.exe
Token: SeSystemtimePrivilege	3796	powershell.exe
Token: SeProfSingleProcessPrivilege	3796	powershell.exe
Token: SeIncBasePriorityPrivilege	3796	powershell.exe
Token: SeCreatePagefilePrivilege	3796	powershell.exe
Token: SeBackupPrivilege	3796	powershell.exe
Token: SeRestorePrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeSystemEnvironmentPrivilege	3796	powershell.exe
Token: SeRemoteShutdownPrivilege	3796	powershell.exe
Token: SeUndockPrivilege	3796	powershell.exe
Token: SeManageVolumePrivilege	3796	powershell.exe
Token: 33	3796	powershell.exe
Token: 34	3796	powershell.exe
Token: 35	3796	powershell.exe
Token: 36	3796	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe
Token: SeProfSingleProcessPrivilege	3612	powershell.exe
Token: SeIncBasePriorityPrivilege	3612	powershell.exe
Token: SeCreatePagefilePrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe
Token: SeShutdownPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeSystemEnvironmentPrivilege	3612	powershell.exe
Token: SeRemoteShutdownPrivilege	3612	powershell.exe
Token: SeUndockPrivilege	3612	powershell.exe
Token: SeManageVolumePrivilege	3612	powershell.exe
Token: 33	3612	powershell.exe
Token: 34	3612	powershell.exe
Token: 35	3612	powershell.exe
Token: 36	3612	powershell.exe
Token: SeDebugPrivilege	3168	conhost.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeIncreaseQuotaPrivilege	2148	powershell.exe
Token: SeSecurityPrivilege	2148	powershell.exe
Token: SeTakeOwnershipPrivilege	2148	powershell.exe
Token: SeLoadDriverPrivilege	2148	powershell.exe
Token: SeSystemProfilePrivilege	2148	powershell.exe
Token: SeSystemtimePrivilege	2148	powershell.exe
Token: SeProfSingleProcessPrivilege	2148	powershell.exe
Token: SeIncBasePriorityPrivilege	2148	powershell.exe
Token: SeCreatePagefilePrivilege	2148	powershell.exe
Token: SeBackupPrivilege	2148	powershell.exe
Token: SeRestorePrivilege	2148	powershell.exe
Token: SeShutdownPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exeRegAsm.exeFore.exeMonitor.execonhost.execmd.execmd.execmd.exeservices32.execonhost.execmd.exesihost32.exe

description	pid	process	target process
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 3440 wrote to memory of 2116	3440	451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe	RegAsm.exe
PID 2116 wrote to memory of 2184	2116	RegAsm.exe	Monitor.exe
PID 2116 wrote to memory of 2184	2116	RegAsm.exe	Monitor.exe
PID 2116 wrote to memory of 1572	2116	RegAsm.exe	Heno.exe
PID 2116 wrote to memory of 1572	2116	RegAsm.exe	Heno.exe
PID 2116 wrote to memory of 1572	2116	RegAsm.exe	Heno.exe
PID 2116 wrote to memory of 3260	2116	RegAsm.exe	Fore.exe
PID 2116 wrote to memory of 3260	2116	RegAsm.exe	Fore.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 3260 wrote to memory of 2688	3260	Fore.exe	RegAsm.exe
PID 2184 wrote to memory of 512	2184	Monitor.exe	conhost.exe
PID 2184 wrote to memory of 512	2184	Monitor.exe	conhost.exe
PID 2184 wrote to memory of 512	2184	Monitor.exe	conhost.exe
PID 512 wrote to memory of 2176	512	conhost.exe	cmd.exe
PID 512 wrote to memory of 2176	512	conhost.exe	cmd.exe
PID 2176 wrote to memory of 3796	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3796	2176	cmd.exe	powershell.exe
PID 512 wrote to memory of 3992	512	conhost.exe	cmd.exe
PID 512 wrote to memory of 3992	512	conhost.exe	cmd.exe
PID 3992 wrote to memory of 1488	3992	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 1488	3992	cmd.exe	schtasks.exe
PID 2176 wrote to memory of 3612	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3612	2176	cmd.exe	powershell.exe
PID 512 wrote to memory of 1920	512	conhost.exe	cmd.exe
PID 512 wrote to memory of 1920	512	conhost.exe	cmd.exe
PID 1920 wrote to memory of 2112	1920	cmd.exe	services32.exe
PID 1920 wrote to memory of 2112	1920	cmd.exe	services32.exe
PID 2112 wrote to memory of 3168	2112	services32.exe	conhost.exe
PID 2112 wrote to memory of 3168	2112	services32.exe	conhost.exe
PID 2112 wrote to memory of 3168	2112	services32.exe	conhost.exe
PID 3168 wrote to memory of 3960	3168	conhost.exe	cmd.exe
PID 3168 wrote to memory of 3960	3168	conhost.exe	cmd.exe
PID 3960 wrote to memory of 2148	3960	cmd.exe	powershell.exe
PID 3960 wrote to memory of 2148	3960	cmd.exe	powershell.exe
PID 3168 wrote to memory of 3316	3168	conhost.exe	sihost32.exe
PID 3168 wrote to memory of 3316	3168	conhost.exe	sihost32.exe
PID 3960 wrote to memory of 2068	3960	cmd.exe	powershell.exe
PID 3960 wrote to memory of 2068	3960	cmd.exe	powershell.exe
PID 3316 wrote to memory of 2156	3316	sihost32.exe	conhost.exe
PID 3316 wrote to memory of 2156	3316	sihost32.exe	conhost.exe
PID 3316 wrote to memory of 2156	3316	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe
"C:\Users\Admin\AppData\Local\Temp\451b570a7464fabe22a1e96f448f43915bd9bb391ebfe1678968e8e35d6d29bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Roaming\Monitor.exe
"C:\Users\Admin\AppData\Roaming\Monitor.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Monitor.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
6⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
9⤵
PID:2156

C:\Users\Admin\AppData\Roaming\Heno.exe
"C:\Users\Admin\AppData\Roaming\Heno.exe"
3⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 312
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Users\Admin\AppData\Roaming\Fore.exe
"C:\Users\Admin\AppData\Roaming\Fore.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
MD5
f4fbdd375701f735eeec0275586b742a

SHA1
ed861677fb4ba06022de709a96739316debfa9cf

SHA256
b7001bf3339586ee1228ef3ef24f5899d135cc7192a7907a55538c5be2ef5fe5

SHA512
fae0e1cb1911d689ee3c8dadf04457ea47f43295768d1f7e27d3a2188a094a2b69f646736f87862398224c5858c3867cb664a2cd49d3423103f08756d71609f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
19a202d7df45b331b1fa556b411f2cbd

SHA1
a34d074ab387188c0241cc996a2babf96a959dc7

SHA256
2a8f9b505215d49107420a04ce717f234be5b5555d0ac85cd1597ded6ca8a77e

SHA512
d74cea0a8b8b9d49cfde526296ddd2257344cf9af9085d91405b9264e89f2bf80a4ea1c29b8cd6e06a6730dd6b2a7215d5ca395b01d19fa3fd6036bdc05d5911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
563ade20d8d38af7181787501a85726e

SHA1
a913849bbb585b47344f38933de0b36c616a9a02

SHA256
26aee363080641fb357c3fe1b53e181a344fefe43c0833e4064638bf717a3394

SHA512
8b1d6ad6fa6f6b0537e93176a3af2cb6077222a75ba6e4415c4c5bb6e4886d5de59fb62755a337ec2a12053b38c7416cdccc452cdffe78381d001caf4a29a928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
741a69c9386d21c88f4acec9acfb9dca

SHA1
b3bbaa532718f61d14f6d13e89e9e7a7566f471f

SHA256
e1bbe9bee9f6686812be51d9d0acc2a0d2f6047262598d16d1b232446d837cee

SHA512
d86be97ea1bb2db60c6571fd03cdfdb9e49a1baa3993c397eb15fa0c78166fbd799b14edd2d152af3516fa76b5049ec85fb87839c57d25e9a0dccde6a1a20f05

Download Submit
C:\Users\Admin\AppData\Roaming\Fore.exe
MD5
9c615b6b1e28e42040b618fb634adad7

SHA1
b0685c6bf569505b693a84fe072b99ecbd9bfdef

SHA256
76bb47a862406207a8e60779ab38a7a335b54aa893384c5f3a275059fddfcf55

SHA512
e27efa69f0452377059ae765005e353f13a2ee47780e68f07b2d16f2f3b06e826d33c50e82151b843a7c0a84355d403d84c80b5ac36a87bf51b636ae4aae7d72

Download Submit
C:\Users\Admin\AppData\Roaming\Fore.exe
MD5
9c615b6b1e28e42040b618fb634adad7

SHA1
b0685c6bf569505b693a84fe072b99ecbd9bfdef

SHA256
76bb47a862406207a8e60779ab38a7a335b54aa893384c5f3a275059fddfcf55

SHA512
e27efa69f0452377059ae765005e353f13a2ee47780e68f07b2d16f2f3b06e826d33c50e82151b843a7c0a84355d403d84c80b5ac36a87bf51b636ae4aae7d72

Download Submit
C:\Users\Admin\AppData\Roaming\Heno.exe
MD5
5988b5e6bc658eadcdd1318c0c3c0d91

SHA1
b554f12f68b63c0277b88f34453110822e169446

SHA256
b8a97e6bc7f8fd4a3c3f1cdc4183cbae2a48262b8e352e5169c2b647696ab1b8

SHA512
95555775ab0db4e9f787ccea9bcad66c3d43627516ea2bd524a0cc85666c6bb56b976c6c4630b6c16bc1e9cedda65de22b8db52f8d81ed7de7fabd1fe5ac05f8

Download Submit
C:\Users\Admin\AppData\Roaming\Heno.exe
MD5
5988b5e6bc658eadcdd1318c0c3c0d91

SHA1
b554f12f68b63c0277b88f34453110822e169446

SHA256
b8a97e6bc7f8fd4a3c3f1cdc4183cbae2a48262b8e352e5169c2b647696ab1b8

SHA512
95555775ab0db4e9f787ccea9bcad66c3d43627516ea2bd524a0cc85666c6bb56b976c6c4630b6c16bc1e9cedda65de22b8db52f8d81ed7de7fabd1fe5ac05f8

Download Submit
C:\Users\Admin\AppData\Roaming\Monitor.exe
MD5
41f68b65d2af9150b1069b9a94f41e5a

SHA1
60f5f4fdbe12f3a2a9a4b9d52914ede90bb3235f

SHA256
9de683234bb62dd2a89d9a24b9139852ffe87a1a7f5fd0227e7d7d82e0e96248

SHA512
311ccd3f875a82cf68773212755f47cd6d091b5d5abdb59a58ab5f0e0bde0475160a44b83c4eb7db9c83cf1ad53223778a978c8765807eae9d9502122914b306

Download Submit
C:\Users\Admin\AppData\Roaming\Monitor.exe
MD5
41f68b65d2af9150b1069b9a94f41e5a

SHA1
60f5f4fdbe12f3a2a9a4b9d52914ede90bb3235f

SHA256
9de683234bb62dd2a89d9a24b9139852ffe87a1a7f5fd0227e7d7d82e0e96248

SHA512
311ccd3f875a82cf68773212755f47cd6d091b5d5abdb59a58ab5f0e0bde0475160a44b83c4eb7db9c83cf1ad53223778a978c8765807eae9d9502122914b306

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
c3f0b3bc8908c14dc410b06fa8384015

SHA1
6b94d30c99260c1e3ccc22ab8f220fe942e9f726

SHA256
bf97e4c7945489425107362ca66e61020db7a8c169f715a69ed3b9844445fc4f

SHA512
c209802bac2cf8f909eefd90a8d0db8ae002c4ea9f9d897a77bb768789fe0d2cbbc5770271c41273bb2dcaf2abcc6bd4a3b5f9297e72c02122c011df0e22a1f1

Download Submit
C:\Windows\System32\services32.exe
MD5
41f68b65d2af9150b1069b9a94f41e5a

SHA1
60f5f4fdbe12f3a2a9a4b9d52914ede90bb3235f

SHA256
9de683234bb62dd2a89d9a24b9139852ffe87a1a7f5fd0227e7d7d82e0e96248

SHA512
311ccd3f875a82cf68773212755f47cd6d091b5d5abdb59a58ab5f0e0bde0475160a44b83c4eb7db9c83cf1ad53223778a978c8765807eae9d9502122914b306

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
c3f0b3bc8908c14dc410b06fa8384015

SHA1
6b94d30c99260c1e3ccc22ab8f220fe942e9f726

SHA256
bf97e4c7945489425107362ca66e61020db7a8c169f715a69ed3b9844445fc4f

SHA512
c209802bac2cf8f909eefd90a8d0db8ae002c4ea9f9d897a77bb768789fe0d2cbbc5770271c41273bb2dcaf2abcc6bd4a3b5f9297e72c02122c011df0e22a1f1

Download Submit
C:\Windows\system32\services32.exe
MD5
41f68b65d2af9150b1069b9a94f41e5a

SHA1
60f5f4fdbe12f3a2a9a4b9d52914ede90bb3235f

SHA256
9de683234bb62dd2a89d9a24b9139852ffe87a1a7f5fd0227e7d7d82e0e96248

SHA512
311ccd3f875a82cf68773212755f47cd6d091b5d5abdb59a58ab5f0e0bde0475160a44b83c4eb7db9c83cf1ad53223778a978c8765807eae9d9502122914b306

Download Submit
memory/512-228-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-232-0x000002CC2F590000-0x000002CC2F77E000-memory.dmp

Filesize
1.9MB

Download
memory/512-231-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-230-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-236-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-250-0x000002CC14C50000-0x000002CC14E42000-memory.dmp

Filesize
1.9MB

Download
memory/512-252-0x000002CC15000000-0x000002CC15002000-memory.dmp

Filesize
8KB

Download
memory/512-229-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-253-0x000002CC15003000-0x000002CC15005000-memory.dmp

Filesize
8KB

Download
memory/512-234-0x000002CC14FB0000-0x000002CC14FB2000-memory.dmp

Filesize
8KB

Download
memory/512-235-0x000002CC16BF0000-0x000002CC16BF1000-memory.dmp

Filesize
4KB

Download
memory/1488-257-0x0000000000000000-mapping.dmp

Download
memory/1572-202-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-214-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1572-144-0x0000000000000000-mapping.dmp

Download
memory/1572-227-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/1572-226-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1572-157-0x0000000003720000-0x00000000037B1000-memory.dmp

Filesize
580KB

Download
memory/1572-225-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1572-167-0x0000000000DD0000-0x0000000000E2F000-memory.dmp

Filesize
380KB

Download
memory/1572-169-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1572-223-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/1572-224-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1572-170-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1572-173-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1572-174-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1572-175-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1572-177-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1572-176-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1572-179-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/1572-178-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1572-180-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-182-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-183-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-184-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-185-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1572-186-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1572-187-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1572-190-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1572-189-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1572-188-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1572-191-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-192-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1572-193-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-195-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1572-194-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1572-196-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1572-197-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1572-199-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1572-201-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1572-200-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1572-198-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1572-221-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1572-203-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-204-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-206-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-208-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1572-209-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1572-211-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1572-212-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1572-213-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1572-215-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1572-217-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1572-218-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1572-216-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1572-222-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1572-210-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1572-207-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-205-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1572-219-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1572-220-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1920-328-0x0000000000000000-mapping.dmp

Download
memory/2068-398-0x0000000000000000-mapping.dmp

Download
memory/2112-331-0x0000000000000000-mapping.dmp

Download
memory/2116-137-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/2116-128-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2116-124-0x000000000041B56E-mapping.dmp

Download
memory/2116-133-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/2116-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-132-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/2116-140-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/2116-139-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/2116-138-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2116-127-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2116-136-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/2116-135-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2116-131-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2116-134-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2116-129-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2116-130-0x0000000005090000-0x0000000005696000-memory.dmp

Filesize
6.0MB

Download
memory/2148-345-0x0000000000000000-mapping.dmp

Download
memory/2176-237-0x0000000000000000-mapping.dmp

Download
memory/2184-141-0x0000000000000000-mapping.dmp

Download
memory/2688-172-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2688-171-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2688-156-0x00000000004193EE-mapping.dmp

Download
memory/2688-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-152-0x0000000001200000-0x0000000001202000-memory.dmp

Filesize
8KB

Download
memory/3260-150-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3260-147-0x0000000000000000-mapping.dmp

Download
memory/3316-365-0x0000000000000000-mapping.dmp

Download
memory/3440-120-0x000000001B400000-0x000000001B401000-memory.dmp

Filesize
4KB

Download
memory/3440-121-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3440-118-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3440-122-0x000000001B720000-0x000000001B722000-memory.dmp

Filesize
8KB

Download
memory/3612-285-0x0000000000000000-mapping.dmp

Download
memory/3796-239-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-241-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-240-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-238-0x0000000000000000-mapping.dmp

Download
memory/3796-246-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-258-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-248-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-242-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-243-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-244-0x000002033A960000-0x000002033A961000-memory.dmp

Filesize
4KB

Download
memory/3796-245-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3796-249-0x0000020322320000-0x0000020322322000-memory.dmp

Filesize
8KB

Download
memory/3960-344-0x0000000000000000-mapping.dmp

Download
memory/3992-247-0x0000000000000000-mapping.dmp

Download