redline | 33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4

Analysis

max time kernel
135s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
05-12-2021 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProtonVPNcrack.exe
Size

10.1MB
MD5

4ba8a6af59b167aa45b1c9aae4a8f682
SHA1

414842ce90f8968f397a731e447a4559155f4e6a
SHA256

33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4
SHA512

12b59b8724eeca316cb264d836a13c9016d1cd2ac2a5738cc57016231b684dbb5834d900238446e3bdfa98c236d74b515d76b08218364e81eaeb97bf76cb3283

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/608-67-0x0000000000400000-0x00000000007F4000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1628-247-0x0000000140310068-mapping.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

11.exeProtonVPN.exeservices64.exesihost64.exe

pid process

608 11.exe
1640 ProtonVPN.exe
1116 services64.exe
1416 sihost64.exe

pid	process
608	11.exe
1640	ProtonVPN.exe
1116	services64.exe
1416	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe

Loads dropped DLL 7 IoCs

Processes:

ProtonVPNcrack.execmd.exeservices64.exe

pid process

692 ProtonVPNcrack.exe
692 ProtonVPNcrack.exe
692 ProtonVPNcrack.exe
692 ProtonVPNcrack.exe
692 ProtonVPNcrack.exe
1060 cmd.exe
1116 services64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

11.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 11.exe

pid	process
692	ProtonVPNcrack.exe
692	ProtonVPNcrack.exe
692	ProtonVPNcrack.exe
692	ProtonVPNcrack.exe
692	ProtonVPNcrack.exe
1060	cmd.exe
1116	services64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

ProtonVPN.exeservices64.exe

pid process

1640 ProtonVPN.exe
1640 ProtonVPN.exe
1640 ProtonVPN.exe
1640 ProtonVPN.exe
1116 services64.exe
1116 services64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 1116 set thread context of 1628 1116 services64.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeProtonVPN.exe11.exepowershell.exepowershell.exeservices64.exe

pid process

1568 powershell.exe
1416 powershell.exe
1640 ProtonVPN.exe
608 11.exe
432 powershell.exe
2004 powershell.exe
1116 services64.exe

pid	process
1640	ProtonVPN.exe
1640	ProtonVPN.exe
1640	ProtonVPN.exe
1640	ProtonVPN.exe
1116	services64.exe
1116	services64.exe

description	pid	process	target process
PID 1116 set thread context of 1628	1116	services64.exe	svchost.exe

pid	process
1712	schtasks.exe

pid	process
1568	powershell.exe
1416	powershell.exe
1640	ProtonVPN.exe
608	11.exe
432	powershell.exe
2004	powershell.exe
1116	services64.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exeProtonVPN.exe11.exepowershell.exepowershell.exeservices64.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1640	ProtonVPN.exe
Token: SeDebugPrivilege	608	11.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1116	services64.exe
Token: SeLockMemoryPrivilege	1628	svchost.exe
Token: SeLockMemoryPrivilege	1628	svchost.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

ProtonVPNcrack.exeProtonVPN.execmd.execmd.execmd.exeservices64.execmd.exesihost64.exe

description	pid	process	target process
PID 692 wrote to memory of 608	692	ProtonVPNcrack.exe	11.exe
PID 692 wrote to memory of 608	692	ProtonVPNcrack.exe	11.exe
PID 692 wrote to memory of 608	692	ProtonVPNcrack.exe	11.exe
PID 692 wrote to memory of 608	692	ProtonVPNcrack.exe	11.exe
PID 692 wrote to memory of 1640	692	ProtonVPNcrack.exe	ProtonVPN.exe
PID 692 wrote to memory of 1640	692	ProtonVPNcrack.exe	ProtonVPN.exe
PID 692 wrote to memory of 1640	692	ProtonVPNcrack.exe	ProtonVPN.exe
PID 692 wrote to memory of 1640	692	ProtonVPNcrack.exe	ProtonVPN.exe
PID 1640 wrote to memory of 952	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 952	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 952	1640	ProtonVPN.exe	cmd.exe
PID 952 wrote to memory of 1568	952	cmd.exe	powershell.exe
PID 952 wrote to memory of 1568	952	cmd.exe	powershell.exe
PID 952 wrote to memory of 1568	952	cmd.exe	powershell.exe
PID 952 wrote to memory of 1416	952	cmd.exe	powershell.exe
PID 952 wrote to memory of 1416	952	cmd.exe	powershell.exe
PID 952 wrote to memory of 1416	952	cmd.exe	powershell.exe
PID 1640 wrote to memory of 1608	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 1608	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 1608	1640	ProtonVPN.exe	cmd.exe
PID 1608 wrote to memory of 1712	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1712	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1712	1608	cmd.exe	schtasks.exe
PID 1640 wrote to memory of 1060	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 1060	1640	ProtonVPN.exe	cmd.exe
PID 1640 wrote to memory of 1060	1640	ProtonVPN.exe	cmd.exe
PID 1060 wrote to memory of 1116	1060	cmd.exe	services64.exe
PID 1060 wrote to memory of 1116	1060	cmd.exe	services64.exe
PID 1060 wrote to memory of 1116	1060	cmd.exe	services64.exe
PID 1116 wrote to memory of 820	1116	services64.exe	cmd.exe
PID 1116 wrote to memory of 820	1116	services64.exe	cmd.exe
PID 1116 wrote to memory of 820	1116	services64.exe	cmd.exe
PID 820 wrote to memory of 432	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 432	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 432	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 2004	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 2004	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 2004	820	cmd.exe	powershell.exe
PID 1116 wrote to memory of 1416	1116	services64.exe	sihost64.exe
PID 1116 wrote to memory of 1416	1116	services64.exe	sihost64.exe
PID 1116 wrote to memory of 1416	1116	services64.exe	sihost64.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1116 wrote to memory of 1628	1116	services64.exe	svchost.exe
PID 1416 wrote to memory of 1308	1416	sihost64.exe	conhost.exe
PID 1416 wrote to memory of 1308	1416	sihost64.exe	conhost.exe
PID 1416 wrote to memory of 1308	1416	sihost64.exe	conhost.exe
PID 1416 wrote to memory of 1308	1416	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\ProtonVPNcrack.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonVPNcrack.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"
4⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\Microsoft\services64.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\Microsoft\services64.exe
C:\Users\Admin\Microsoft\services64.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "tpnqgkvcwcobda"
6⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe yyuwyemgm0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB3EYEaWtdTNgeO+yOcML2FLdin0Rbrrbm/YoAjK7mqvZEX/HgK//sgsnHcQsRkM9iGKCen+11TiuyHWyZAdf1wMLE4agYXDET+uLyuqzRfvjrbqdOzrMw7uyk9GJnctDF8x49xwghsNTxALZT8Q9OM4wOBYwE039IMn9ca6XIbihbr07+StpGza7Q9Qq6H+R3vjoBT3kqX83xAYIxFwBE4re5nCVh9x92A1w5zRjX0fl
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
0ce6c508acd66bc4cb1e59875a3bb1e4

SHA1
884fe7f7de132bc10b49abbf3f31ce1529260902

SHA256
0ad785281992fd8a98ea8e69af7110da3810319aee8d97d5fc8e704abdb44850

SHA512
746adcdada8642e629940717da5cc5d3c8335f7c1502379d22fe5e07e7e136698cc0bff989859d88db12a899dc229a95cceec6bcb1541e806b08a3eab63aee64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b844589e89eb9680bc86de98eabb9a0c

SHA1
3ac93c4ec8960037b8895d56075376f598796fff

SHA256
7c81b1ae67a8268d7c14e611c27df5df0f4109bca5b48d3e12243efe590c31be

SHA512
5fee321b1541eb213f8994cd2994bf6462100171786a92a3830f574ab760c1320e1850f5c156c63619b765cf977590278988b0b8e5f90b85aa822ea703b9c1ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b844589e89eb9680bc86de98eabb9a0c

SHA1
3ac93c4ec8960037b8895d56075376f598796fff

SHA256
7c81b1ae67a8268d7c14e611c27df5df0f4109bca5b48d3e12243efe590c31be

SHA512
5fee321b1541eb213f8994cd2994bf6462100171786a92a3830f574ab760c1320e1850f5c156c63619b765cf977590278988b0b8e5f90b85aa822ea703b9c1ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b844589e89eb9680bc86de98eabb9a0c

SHA1
3ac93c4ec8960037b8895d56075376f598796fff

SHA256
7c81b1ae67a8268d7c14e611c27df5df0f4109bca5b48d3e12243efe590c31be

SHA512
5fee321b1541eb213f8994cd2994bf6462100171786a92a3830f574ab760c1320e1850f5c156c63619b765cf977590278988b0b8e5f90b85aa822ea703b9c1ea

Download Submit
C:\Users\Admin\Microsoft\services64.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
\??\c:\users\admin\appdata\local\temp\chrome_setup\protonvpn.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
\??\c:\users\admin\microsoft\services64.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
0ce6c508acd66bc4cb1e59875a3bb1e4

SHA1
884fe7f7de132bc10b49abbf3f31ce1529260902

SHA256
0ad785281992fd8a98ea8e69af7110da3810319aee8d97d5fc8e704abdb44850

SHA512
746adcdada8642e629940717da5cc5d3c8335f7c1502379d22fe5e07e7e136698cc0bff989859d88db12a899dc229a95cceec6bcb1541e806b08a3eab63aee64

Download Submit
\Users\Admin\Microsoft\services64.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
memory/432-210-0x0000000000000000-mapping.dmp

Download
memory/608-76-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/608-139-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/608-75-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/608-111-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-78-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-77-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/608-79-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-81-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-73-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/608-82-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/608-84-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/608-86-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/608-85-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/608-87-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/608-88-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/608-80-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-89-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-90-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-91-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/608-92-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/608-115-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/608-94-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/608-72-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/608-95-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/608-70-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/608-99-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/608-67-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/608-97-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/608-117-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/608-103-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-69-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/608-68-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/608-119-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/608-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/608-121-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/608-123-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/608-113-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/608-125-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/608-127-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/608-129-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/608-133-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/608-109-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-60-0x0000000000000000-mapping.dmp

Download
memory/608-107-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-105-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/608-131-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/608-101-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/608-146-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/608-144-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/608-74-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/608-137-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/608-135-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/692-55-0x0000000074A31000-0x0000000074A33000-memory.dmp

Filesize
8KB

Download
memory/820-209-0x0000000000000000-mapping.dmp

Download
memory/952-154-0x0000000000000000-mapping.dmp

Download
memory/1060-175-0x0000000000000000-mapping.dmp

Download
memory/1116-177-0x0000000000000000-mapping.dmp

Download
memory/1416-166-0x000007FEEC290000-0x000007FEECDED000-memory.dmp

Filesize
11.4MB

Download
memory/1416-170-0x00000000027D2000-0x00000000027D4000-memory.dmp

Filesize
8KB

Download
memory/1416-171-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1416-172-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1416-169-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/1416-167-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1416-163-0x0000000000000000-mapping.dmp

Download
memory/1416-227-0x0000000000000000-mapping.dmp

Download
memory/1568-155-0x0000000000000000-mapping.dmp

Download
memory/1568-156-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1568-168-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/1568-159-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1568-162-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1568-161-0x0000000002992000-0x0000000002994000-memory.dmp

Filesize
8KB

Download
memory/1568-160-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/1568-158-0x000007FEEC290000-0x000007FEECDED000-memory.dmp

Filesize
11.4MB

Download
memory/1608-173-0x0000000000000000-mapping.dmp

Download
memory/1628-247-0x0000000140310068-mapping.dmp

Download
memory/1640-128-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-118-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-151-0x000000001E2F2000-0x000000001E2F4000-memory.dmp

Filesize
8KB

Download
memory/1640-153-0x000000001E2F6000-0x000000001E2F7000-memory.dmp

Filesize
4KB

Download
memory/1640-134-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-130-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-149-0x000000001E780000-0x000000001EB83000-memory.dmp

Filesize
4.0MB

Download
memory/1640-157-0x000000001E2F7000-0x000000001E2F8000-memory.dmp

Filesize
4KB

Download
memory/1640-148-0x0000000076EF0000-0x0000000076F00000-memory.dmp

Filesize
64KB

Download
memory/1640-147-0x0000000004200000-0x0000000004607000-memory.dmp

Filesize
4.0MB

Download
memory/1640-136-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-138-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-143-0x0000000000400000-0x00000000017A4000-memory.dmp

Filesize
19.6MB

Download
memory/1640-141-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-126-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-124-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-122-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-132-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-120-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-152-0x000000001E2F4000-0x000000001E2F6000-memory.dmp

Filesize
8KB

Download
memory/1640-116-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-114-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-140-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-142-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-112-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-110-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-108-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-106-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-104-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-102-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-100-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-98-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1640-96-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-93-0x0000000076CC0000-0x0000000076CD0000-memory.dmp

Filesize
64KB

Download
memory/1640-71-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-174-0x0000000000000000-mapping.dmp

Download
memory/2004-221-0x0000000000000000-mapping.dmp

Download