raccoon | 9a388aea47d2682630cd9208ba1f0ae9a9e9c1a57aa0448fb6c2995afe1da9be

Analysis

max time kernel
131s
max time network
137s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-12-2021 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52fc012dd5afbbe2a0de6eb91bc888cc.exe
Size

698KB
MD5

52fc012dd5afbbe2a0de6eb91bc888cc
SHA1

aae34b8665dd350a3aeb2fe2d8651825387f7062
SHA256

9a388aea47d2682630cd9208ba1f0ae9a9e9c1a57aa0448fb6c2995afe1da9be
SHA512

5d81171a9725b74d3e7e1de5e6d22b0da17ea8fef75f3c9b4f8cc06c2ed31fc30ab075d5a24206b989d5ca36ecaa77b77b8ca14f0c0d743f85b7da73439f03fa

Score

10^/10

raccoon redline cheat e9f10fade0328e7cef5c9f5bf00076086ba5a8a1 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

185.215.113.57:50723

Extracted

Family

redline

Botnet

cheat

45.147.196.146:6213

Extracted

Family

raccoon

Botnet

e9f10fade0328e7cef5c9f5bf00076086ba5a8a1

Attributes

url4cnc
http://91.219.236.18/baldandbankrupt1
http://194.180.174.41/baldandbankrupt1
http://91.219.236.148/baldandbankrupt1
https://t.me/baldandbankrupt1

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1908-121-0x000000000041BBCE-mapping.dmp	family_redline
behavioral2/memory/1908-122-0x0000000000750000-0x0000000000770000-memory.dmp	family_redline
behavioral2/memory/1908-123-0x0000000000750000-0x0000000000770000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\whw.exe	family_redline
behavioral2/memory/1104-137-0x0000000000BA0000-0x0000000000BC0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\whw.exe	family_redline
behavioral2/memory/1104-138-0x0000000000BA0000-0x0000000000BC0000-memory.dmp	family_redline
behavioral2/memory/1104-157-0x0000000005390000-0x0000000005996000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

safas2f.exewhw.exee3dwefw.exesdfsd.exefl.exeservices32.exesihost32.exe

pid process

1824 safas2f.exe
1104 whw.exe
1244 e3dwefw.exe
2620 sdfsd.exe
3792 fl.exe
836 services32.exe
1684 sihost32.exe

pid	process
1824	safas2f.exe
1104	whw.exe
1244	e3dwefw.exe
2620	sdfsd.exe
3792	fl.exe
836	services32.exe
1684	sihost32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sdfsd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sdfsd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sdfsd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e3dwefw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdate.exe"	e3dwefw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

sdfsd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sdfsd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdfsd.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

sdfsd.exe

pid process

2620 sdfsd.exe
2620 sdfsd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

52fc012dd5afbbe2a0de6eb91bc888cc.exe

description pid process target process

PID 2836 set thread context of 1908 2836 52fc012dd5afbbe2a0de6eb91bc888cc.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2620	sdfsd.exe
2620	sdfsd.exe

description	pid	process	target process
PID 2836 set thread context of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe

pid	process
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

RegAsm.exesdfsd.exewhw.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
1908	RegAsm.exe
1908	RegAsm.exe
2620	sdfsd.exe
2620	sdfsd.exe
2620	sdfsd.exe
2620	sdfsd.exe
1104	whw.exe
1908	RegAsm.exe
1936	conhost.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
948	conhost.exe
948	conhost.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
820	powershell.exe
820	powershell.exe
820	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exewhw.execonhost.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1908	RegAsm.exe
Token: SeDebugPrivilege	1104	whw.exe
Token: SeDebugPrivilege	3188	conhost.exe
Token: SeDebugPrivilege	1936	conhost.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe
Token: SeUndockPrivilege	3520	powershell.exe
Token: SeManageVolumePrivilege	3520	powershell.exe
Token: 33	3520	powershell.exe
Token: 34	3520	powershell.exe
Token: 35	3520	powershell.exe
Token: 36	3520	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeIncreaseQuotaPrivilege	2484	powershell.exe
Token: SeSecurityPrivilege	2484	powershell.exe
Token: SeTakeOwnershipPrivilege	2484	powershell.exe
Token: SeLoadDriverPrivilege	2484	powershell.exe
Token: SeSystemProfilePrivilege	2484	powershell.exe
Token: SeSystemtimePrivilege	2484	powershell.exe
Token: SeProfSingleProcessPrivilege	2484	powershell.exe
Token: SeIncBasePriorityPrivilege	2484	powershell.exe
Token: SeCreatePagefilePrivilege	2484	powershell.exe
Token: SeBackupPrivilege	2484	powershell.exe
Token: SeRestorePrivilege	2484	powershell.exe
Token: SeShutdownPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeSystemEnvironmentPrivilege	2484	powershell.exe
Token: SeRemoteShutdownPrivilege	2484	powershell.exe
Token: SeUndockPrivilege	2484	powershell.exe
Token: SeManageVolumePrivilege	2484	powershell.exe
Token: 33	2484	powershell.exe
Token: 34	2484	powershell.exe
Token: 35	2484	powershell.exe
Token: 36	2484	powershell.exe
Token: SeDebugPrivilege	948	conhost.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeIncreaseQuotaPrivilege	1508	powershell.exe
Token: SeSecurityPrivilege	1508	powershell.exe
Token: SeTakeOwnershipPrivilege	1508	powershell.exe
Token: SeLoadDriverPrivilege	1508	powershell.exe
Token: SeSystemProfilePrivilege	1508	powershell.exe
Token: SeSystemtimePrivilege	1508	powershell.exe
Token: SeProfSingleProcessPrivilege	1508	powershell.exe
Token: SeIncBasePriorityPrivilege	1508	powershell.exe
Token: SeCreatePagefilePrivilege	1508	powershell.exe
Token: SeBackupPrivilege	1508	powershell.exe
Token: SeRestorePrivilege	1508	powershell.exe
Token: SeShutdownPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeSystemEnvironmentPrivilege	1508	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

52fc012dd5afbbe2a0de6eb91bc888cc.exeRegAsm.exesafas2f.exefl.execonhost.execmd.execmd.execmd.exeservices32.execonhost.execmd.exesihost32.exe

description	pid	process	target process
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 2836 wrote to memory of 1908	2836	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1908 wrote to memory of 1824	1908	RegAsm.exe	safas2f.exe
PID 1908 wrote to memory of 1824	1908	RegAsm.exe	safas2f.exe
PID 1908 wrote to memory of 1104	1908	RegAsm.exe	whw.exe
PID 1908 wrote to memory of 1104	1908	RegAsm.exe	whw.exe
PID 1908 wrote to memory of 1104	1908	RegAsm.exe	whw.exe
PID 1908 wrote to memory of 1244	1908	RegAsm.exe	e3dwefw.exe
PID 1908 wrote to memory of 1244	1908	RegAsm.exe	e3dwefw.exe
PID 1908 wrote to memory of 2620	1908	RegAsm.exe	sdfsd.exe
PID 1908 wrote to memory of 2620	1908	RegAsm.exe	sdfsd.exe
PID 1908 wrote to memory of 2620	1908	RegAsm.exe	sdfsd.exe
PID 1908 wrote to memory of 3792	1908	RegAsm.exe	fl.exe
PID 1908 wrote to memory of 3792	1908	RegAsm.exe	fl.exe
PID 1824 wrote to memory of 3188	1824	safas2f.exe	conhost.exe
PID 1824 wrote to memory of 3188	1824	safas2f.exe	conhost.exe
PID 1824 wrote to memory of 3188	1824	safas2f.exe	conhost.exe
PID 3792 wrote to memory of 1936	3792	fl.exe	conhost.exe
PID 3792 wrote to memory of 1936	3792	fl.exe	conhost.exe
PID 3792 wrote to memory of 1936	3792	fl.exe	conhost.exe
PID 1936 wrote to memory of 2260	1936	conhost.exe	cmd.exe
PID 1936 wrote to memory of 2260	1936	conhost.exe	cmd.exe
PID 2260 wrote to memory of 3520	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 3520	2260	cmd.exe	powershell.exe
PID 1936 wrote to memory of 652	1936	conhost.exe	cmd.exe
PID 1936 wrote to memory of 652	1936	conhost.exe	cmd.exe
PID 652 wrote to memory of 1136	652	cmd.exe	schtasks.exe
PID 652 wrote to memory of 1136	652	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2484	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2484	2260	cmd.exe	powershell.exe
PID 1936 wrote to memory of 1908	1936	conhost.exe	cmd.exe
PID 1936 wrote to memory of 1908	1936	conhost.exe	cmd.exe
PID 1908 wrote to memory of 836	1908	cmd.exe	services32.exe
PID 1908 wrote to memory of 836	1908	cmd.exe	services32.exe
PID 836 wrote to memory of 948	836	services32.exe	conhost.exe
PID 836 wrote to memory of 948	836	services32.exe	conhost.exe
PID 836 wrote to memory of 948	836	services32.exe	conhost.exe
PID 948 wrote to memory of 3772	948	conhost.exe	cmd.exe
PID 948 wrote to memory of 3772	948	conhost.exe	cmd.exe
PID 3772 wrote to memory of 1508	3772	cmd.exe	powershell.exe
PID 3772 wrote to memory of 1508	3772	cmd.exe	powershell.exe
PID 948 wrote to memory of 1684	948	conhost.exe	sihost32.exe
PID 948 wrote to memory of 1684	948	conhost.exe	sihost32.exe
PID 3772 wrote to memory of 820	3772	cmd.exe	powershell.exe
PID 3772 wrote to memory of 820	3772	cmd.exe	powershell.exe
PID 1684 wrote to memory of 2580	1684	sihost32.exe	conhost.exe
PID 1684 wrote to memory of 2580	1684	sihost32.exe	conhost.exe
PID 1684 wrote to memory of 2580	1684	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe
"C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\safas2f.exe
"C:\Users\Admin\AppData\Roaming\safas2f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\safas2f.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Roaming\e3dwefw.exe
"C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1244

C:\Users\Admin\AppData\Roaming\sdfsd.exe
"C:\Users\Admin\AppData\Roaming\sdfsd.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
6⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
9⤵
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
1340455a637fc44dc74dcda441d71018

SHA1
84277aa9596ccaacd2b7d72a3fbcef70de91dbd3

SHA256
a3fe2fec3d432df98c211861dddffe114eae9905d7324a806e0258e11f03628e

SHA512
087cf3f690ece24bc3fdb971c372b6f86a89e90ea0c6ac1498e8ce09b6e34b0aa7557a74f753f8ea61805199e2c19497b71a93cd25b56d33ca5806c14bdecd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
af529683fb64d659978febed55b6d937

SHA1
cbe070a75adf5a57bdb3a30c4b484fb39a480aff

SHA256
d44cc9bfddbf3e993a95359888852b30db41fc1887a81b7c14a4edc950b2b221

SHA512
80cf71ed0d901aac38b0f9ce9b541528244514793174f8a2d74ce76ac43a9a6e329439572aec7320a77859042bd2421ff7b740574a7a7b06f90bc5e0e69fddbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ddd850270da84815bf1da13d211c2174

SHA1
1415f6f2a54162bc92140b66e6e5370c7e9fe174

SHA256
e8faaca59becafe3b35c9b139cb70b3ff5d07926cc97cca1d26889b9ac028e95

SHA512
f65503d60b58f2710c1fab14b858257a8dfec478293722784a01c51f3bb454e1b20d34967f4bcb8c4fafcc1d1ce4aa113376b3c197e1243d6f2d6553798faad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5d65b552c0e85d39a415ffd7bac04399

SHA1
235a82a03065c069f636b200b3e429e8bde9828a

SHA256
1a33fadbf38720654b77e50b7a27377c6af43ed14f64417c7cc867c6c71320cb

SHA512
edc26cbfe86a200d747bd14f5c71fc06f3862771bbe508c1eb3a4516bdc109daf932646b9da62f425080b40cb04c20575e4c24475e4fb6b7ef1189c22b4b29cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
dc715c5534a7bee1750636c80ad4a22e

SHA1
e4c6b18a3bb9da564aa7c94a23d5c2451d8f12c4

SHA256
399686dc158a026b4c83dcaa9dd00e99784f6175093f6d21781d208647ed3b4e

SHA512
8da50bb4c5a76122ad73db7658793477812d30e15de0eaf78486f36fe60fc4ed2c0a1c2d02df07824f526845af9804814e6810141687064636006b88e0cbe8a0

Download Submit
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5
dc715c5534a7bee1750636c80ad4a22e

SHA1
e4c6b18a3bb9da564aa7c94a23d5c2451d8f12c4

SHA256
399686dc158a026b4c83dcaa9dd00e99784f6175093f6d21781d208647ed3b4e

SHA512
8da50bb4c5a76122ad73db7658793477812d30e15de0eaf78486f36fe60fc4ed2c0a1c2d02df07824f526845af9804814e6810141687064636006b88e0cbe8a0

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
ad30c6dbec18614593ae6887fd2f6137

SHA1
bf569023e4af4b258fa616c63994bec5db2e80c8

SHA256
78187720711b664e966111ec1815b19aac0668f00706ddb8ffadfa772a9fa354

SHA512
fa3409f1c0679545c1bbda20a941d27059e9a38a17360f1488b3bc15dcfac7f24452a935f6d93f57d4ad4451893252fbb70310f2922839a03effd3165cacb917

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
ad30c6dbec18614593ae6887fd2f6137

SHA1
bf569023e4af4b258fa616c63994bec5db2e80c8

SHA256
78187720711b664e966111ec1815b19aac0668f00706ddb8ffadfa772a9fa354

SHA512
fa3409f1c0679545c1bbda20a941d27059e9a38a17360f1488b3bc15dcfac7f24452a935f6d93f57d4ad4451893252fbb70310f2922839a03effd3165cacb917

Download Submit
C:\Users\Admin\AppData\Roaming\sdfsd.exe
MD5
b274275b3605c6b253c637f5c610d750

SHA1
dec7dffa59a8e6ef8f8f4a6e7a3852fff4175f9f

SHA256
c5a9ce2bfc98f573a21035f31f6261fd450b69423bccc00765957aa5e7ead1cc

SHA512
642fdd67f477a891d2a5151c743693ef21c23aca76ca4d6a9d2064f56fdf8f1a9f3503b241f8c004178d371076be9f5d7273b032f5ffc006a319c0ca925e1ecc

Download Submit
C:\Users\Admin\AppData\Roaming\sdfsd.exe
MD5
b274275b3605c6b253c637f5c610d750

SHA1
dec7dffa59a8e6ef8f8f4a6e7a3852fff4175f9f

SHA256
c5a9ce2bfc98f573a21035f31f6261fd450b69423bccc00765957aa5e7ead1cc

SHA512
642fdd67f477a891d2a5151c743693ef21c23aca76ca4d6a9d2064f56fdf8f1a9f3503b241f8c004178d371076be9f5d7273b032f5ffc006a319c0ca925e1ecc

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
4a27b13fee2be56761131a114cc137e7

SHA1
e6f97d23bd3803df6182a187ce6c8fe0b817d728

SHA256
d4a48931dc5e67ed564fa4d7c12b108252a150d4c8efad222afc136a255d2b58

SHA512
0f8a6ee408a89b73a0e27d3e858c27f310018bf21c1a091ac244f7cd7339fa64760fc1f67cfe83be92c01612dde9c517f04c5510ff65a17962033e7caa17bfc5

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
4a27b13fee2be56761131a114cc137e7

SHA1
e6f97d23bd3803df6182a187ce6c8fe0b817d728

SHA256
d4a48931dc5e67ed564fa4d7c12b108252a150d4c8efad222afc136a255d2b58

SHA512
0f8a6ee408a89b73a0e27d3e858c27f310018bf21c1a091ac244f7cd7339fa64760fc1f67cfe83be92c01612dde9c517f04c5510ff65a17962033e7caa17bfc5

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
86fcce6aeceb68ca90fb404b5c6f18fa

SHA1
4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c

SHA256
9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9

SHA512
cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5

Download Submit
C:\Windows\System32\services32.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
86fcce6aeceb68ca90fb404b5c6f18fa

SHA1
4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c

SHA256
9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9

SHA512
cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5

Download Submit
C:\Windows\system32\services32.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
memory/652-225-0x0000000000000000-mapping.dmp

Download
memory/820-383-0x0000000000000000-mapping.dmp

Download
memory/836-314-0x0000000000000000-mapping.dmp

Download
memory/1104-157-0x0000000005390000-0x0000000005996000-memory.dmp

Filesize
6.0MB

Download
memory/1104-148-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/1104-141-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/1104-142-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/1104-138-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1104-186-0x0000000007770000-0x0000000007C9C000-memory.dmp

Filesize
5.2MB

Download
memory/1104-137-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1104-184-0x0000000007070000-0x0000000007232000-memory.dmp

Filesize
1.8MB

Download
memory/1104-134-0x0000000000000000-mapping.dmp

Download
memory/1104-175-0x00000000064B0000-0x00000000069AE000-memory.dmp

Filesize
5.0MB

Download
memory/1104-182-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download
memory/1104-180-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/1104-179-0x0000000006350000-0x00000000063E2000-memory.dmp

Filesize
584KB

Download
memory/1104-178-0x0000000006230000-0x00000000062A6000-memory.dmp

Filesize
472KB

Download
memory/1104-176-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/1104-153-0x0000000005450000-0x000000000549B000-memory.dmp

Filesize
300KB

Download
memory/1104-139-0x00000000059A0000-0x0000000005FA6000-memory.dmp

Filesize
6.0MB

Download
memory/1136-228-0x0000000000000000-mapping.dmp

Download
memory/1244-151-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1244-149-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1244-140-0x0000000000000000-mapping.dmp

Download
memory/1508-327-0x0000000000000000-mapping.dmp

Download
memory/1684-340-0x0000000000000000-mapping.dmp

Download
memory/1824-131-0x0000000000000000-mapping.dmp

Download
memory/1908-185-0x0000000007A10000-0x0000000007F3C000-memory.dmp

Filesize
5.2MB

Download
memory/1908-125-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/1908-124-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/1908-121-0x000000000041BBCE-mapping.dmp

Download
memory/1908-122-0x0000000000750000-0x0000000000770000-memory.dmp

Filesize
128KB

Download
memory/1908-123-0x0000000000750000-0x0000000000770000-memory.dmp

Filesize
128KB

Download
memory/1908-311-0x0000000000000000-mapping.dmp

Download
memory/1908-126-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/1908-183-0x0000000007310000-0x00000000074D2000-memory.dmp

Filesize
1.8MB

Download
memory/1908-171-0x00000000064A0000-0x0000000006516000-memory.dmp

Filesize
472KB

Download
memory/1908-172-0x0000000006870000-0x0000000006902000-memory.dmp

Filesize
584KB

Download
memory/1908-174-0x0000000006E10000-0x000000000730E000-memory.dmp

Filesize
5.0MB

Download
memory/1908-181-0x0000000006B10000-0x0000000006B60000-memory.dmp

Filesize
320KB

Download
memory/1908-130-0x00000000050D0000-0x000000000511B000-memory.dmp

Filesize
300KB

Download
memory/1908-128-0x0000000005080000-0x00000000050BE000-memory.dmp

Filesize
248KB

Download
memory/1908-177-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/1908-129-0x0000000004C20000-0x0000000005226000-memory.dmp

Filesize
6.0MB

Download
memory/1908-127-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/1936-215-0x000001D065860000-0x000001D065A52000-memory.dmp

Filesize
1.9MB

Download
memory/1936-210-0x000001D0002D0000-0x000001D0004C2000-memory.dmp

Filesize
1.9MB

Download
memory/1936-206-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/1936-213-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/1936-218-0x000001D0000C6000-0x000001D0000C7000-memory.dmp

Filesize
4KB

Download
memory/1936-207-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/1936-212-0x000001D000050000-0x000001D000062000-memory.dmp

Filesize
72KB

Download
memory/1936-216-0x000001D0000C0000-0x000001D0000C2000-memory.dmp

Filesize
8KB

Download
memory/1936-205-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/1936-217-0x000001D0000C3000-0x000001D0000C5000-memory.dmp

Filesize
8KB

Download
memory/1936-211-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/1936-209-0x000001D0002D0000-0x000001D0004C2000-memory.dmp

Filesize
1.9MB

Download
memory/1936-208-0x000001D067660000-0x000001D067662000-memory.dmp

Filesize
8KB

Download
memory/2260-214-0x0000000000000000-mapping.dmp

Download
memory/2484-265-0x0000000000000000-mapping.dmp

Download
memory/2484-267-0x0000021540730000-0x0000021540732000-memory.dmp

Filesize
8KB

Download
memory/2620-154-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-152-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-161-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2620-160-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-159-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-158-0x0000000000F80000-0x0000000000FC5000-memory.dmp

Filesize
276KB

Download
memory/2620-156-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-155-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-163-0x0000000077190000-0x0000000077281000-memory.dmp

Filesize
964KB

Download
memory/2620-165-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2620-162-0x0000000076350000-0x0000000076512000-memory.dmp

Filesize
1.8MB

Download
memory/2620-150-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-164-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-166-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-145-0x0000000000000000-mapping.dmp

Download
memory/2620-167-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-173-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-170-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-169-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2620-168-0x0000000000B60000-0x0000000000F78000-memory.dmp

Filesize
4.1MB

Download
memory/2836-116-0x0000000000AD0000-0x0000000000B82000-memory.dmp

Filesize
712KB

Download
memory/2836-119-0x000000001B7D0000-0x000000001B7D2000-memory.dmp

Filesize
8KB

Download
memory/2836-115-0x0000000000AD0000-0x0000000000B82000-memory.dmp

Filesize
712KB

Download
memory/2836-117-0x000000001B660000-0x000000001B6D6000-memory.dmp

Filesize
472KB

Download
memory/2836-118-0x0000000002B90000-0x0000000002BAE000-memory.dmp

Filesize
120KB

Download
memory/3188-194-0x000002307ABA0000-0x000002307AD88000-memory.dmp

Filesize
1.9MB

Download
memory/3188-191-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-190-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-197-0x0000023062270000-0x0000023062282000-memory.dmp

Filesize
72KB

Download
memory/3188-192-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-193-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-195-0x000002307ABA0000-0x000002307AD88000-memory.dmp

Filesize
1.9MB

Download
memory/3188-196-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-203-0x0000023060786000-0x0000023060787000-memory.dmp

Filesize
4KB

Download
memory/3188-202-0x0000023060783000-0x0000023060785000-memory.dmp

Filesize
8KB

Download
memory/3188-200-0x00000230602D0000-0x00000230604B9000-memory.dmp

Filesize
1.9MB

Download
memory/3188-201-0x0000023060780000-0x0000023060782000-memory.dmp

Filesize
8KB

Download
memory/3188-199-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3188-198-0x0000023060730000-0x0000023060732000-memory.dmp

Filesize
8KB

Download
memory/3520-224-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-229-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-261-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-263-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-264-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-259-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-246-0x000001A55B943000-0x000001A55B945000-memory.dmp

Filesize
8KB

Download
memory/3520-244-0x000001A55B940000-0x000001A55B942000-memory.dmp

Filesize
8KB

Download
memory/3520-232-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-231-0x000001A55B8B0000-0x000001A55B926000-memory.dmp

Filesize
472KB

Download
memory/3520-230-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-260-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-227-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-219-0x0000000000000000-mapping.dmp

Download
memory/3520-226-0x000001A543160000-0x000001A543182000-memory.dmp

Filesize
136KB

Download
memory/3520-223-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-222-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-221-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3520-220-0x000001A541750000-0x000001A541752000-memory.dmp

Filesize
8KB

Download
memory/3772-326-0x0000000000000000-mapping.dmp

Download
memory/3792-187-0x0000000000000000-mapping.dmp

Download