redline | 33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4

Analysis

max time kernel
131s
max time network
123s
platform
windows10_x64
resource
win10-en-20211104
submitted
05-12-2021 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProtonVPNcrack.exe
Size

10.1MB
MD5

4ba8a6af59b167aa45b1c9aae4a8f682
SHA1

414842ce90f8968f397a731e447a4559155f4e6a
SHA256

33b18a85c6b49af6f5025ada7db397fad10b6e1d0c25d98b9ac557c3024a2ac4
SHA512

12b59b8724eeca316cb264d836a13c9016d1cd2ac2a5738cc57016231b684dbb5834d900238446e3bdfa98c236d74b515d76b08218364e81eaeb97bf76cb3283

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3952-134-0x0000000000400000-0x00000000007F4000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3208-444-0x0000000140310068-mapping.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

11.exeProtonVPN.exeservices64.exesihost64.exe

pid process

3952 11.exe
4220 ProtonVPN.exe
2568 services64.exe
4408 sihost64.exe

pid	process
3952	11.exe
4220	ProtonVPN.exe
2568	services64.exe
4408	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

11.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 11.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

ProtonVPN.exeservices64.exe

pid process

4220 ProtonVPN.exe
4220 ProtonVPN.exe
4220 ProtonVPN.exe
2568 services64.exe
2568 services64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2568 set thread context of 3208 2568 services64.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5092 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11.exe

pid	process
4220	ProtonVPN.exe
4220	ProtonVPN.exe
4220	ProtonVPN.exe
2568	services64.exe
2568	services64.exe

description	pid	process	target process
PID 2568 set thread context of 3208	2568	services64.exe	svchost.exe

pid	process
5092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exeProtonVPN.exe11.exepowershell.exepowershell.exeservices64.exe

pid	process
1252	powershell.exe
1252	powershell.exe
1252	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
4220	ProtonVPN.exe
3952	11.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
2568	services64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeProtonVPN.exe11.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeIncreaseQuotaPrivilege	1252	powershell.exe
Token: SeSecurityPrivilege	1252	powershell.exe
Token: SeTakeOwnershipPrivilege	1252	powershell.exe
Token: SeLoadDriverPrivilege	1252	powershell.exe
Token: SeSystemProfilePrivilege	1252	powershell.exe
Token: SeSystemtimePrivilege	1252	powershell.exe
Token: SeProfSingleProcessPrivilege	1252	powershell.exe
Token: SeIncBasePriorityPrivilege	1252	powershell.exe
Token: SeCreatePagefilePrivilege	1252	powershell.exe
Token: SeBackupPrivilege	1252	powershell.exe
Token: SeRestorePrivilege	1252	powershell.exe
Token: SeShutdownPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeSystemEnvironmentPrivilege	1252	powershell.exe
Token: SeRemoteShutdownPrivilege	1252	powershell.exe
Token: SeUndockPrivilege	1252	powershell.exe
Token: SeManageVolumePrivilege	1252	powershell.exe
Token: 33	1252	powershell.exe
Token: 34	1252	powershell.exe
Token: 35	1252	powershell.exe
Token: 36	1252	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeIncreaseQuotaPrivilege	4112	powershell.exe
Token: SeSecurityPrivilege	4112	powershell.exe
Token: SeTakeOwnershipPrivilege	4112	powershell.exe
Token: SeLoadDriverPrivilege	4112	powershell.exe
Token: SeSystemProfilePrivilege	4112	powershell.exe
Token: SeSystemtimePrivilege	4112	powershell.exe
Token: SeProfSingleProcessPrivilege	4112	powershell.exe
Token: SeIncBasePriorityPrivilege	4112	powershell.exe
Token: SeCreatePagefilePrivilege	4112	powershell.exe
Token: SeBackupPrivilege	4112	powershell.exe
Token: SeRestorePrivilege	4112	powershell.exe
Token: SeShutdownPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeSystemEnvironmentPrivilege	4112	powershell.exe
Token: SeRemoteShutdownPrivilege	4112	powershell.exe
Token: SeUndockPrivilege	4112	powershell.exe
Token: SeManageVolumePrivilege	4112	powershell.exe
Token: 33	4112	powershell.exe
Token: 34	4112	powershell.exe
Token: 35	4112	powershell.exe
Token: 36	4112	powershell.exe
Token: SeDebugPrivilege	4220	ProtonVPN.exe
Token: SeDebugPrivilege	3952	11.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeIncreaseQuotaPrivilege	2296	powershell.exe
Token: SeSecurityPrivilege	2296	powershell.exe
Token: SeTakeOwnershipPrivilege	2296	powershell.exe
Token: SeLoadDriverPrivilege	2296	powershell.exe
Token: SeSystemProfilePrivilege	2296	powershell.exe
Token: SeSystemtimePrivilege	2296	powershell.exe
Token: SeProfSingleProcessPrivilege	2296	powershell.exe
Token: SeIncBasePriorityPrivilege	2296	powershell.exe
Token: SeCreatePagefilePrivilege	2296	powershell.exe
Token: SeBackupPrivilege	2296	powershell.exe
Token: SeRestorePrivilege	2296	powershell.exe
Token: SeShutdownPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeSystemEnvironmentPrivilege	2296	powershell.exe
Token: SeRemoteShutdownPrivilege	2296	powershell.exe
Token: SeUndockPrivilege	2296	powershell.exe
Token: SeManageVolumePrivilege	2296	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ProtonVPN.exeservices64.exe

pid process

4220 ProtonVPN.exe
2568 services64.exe

pid	process
4220	ProtonVPN.exe
2568	services64.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

ProtonVPNcrack.exeProtonVPN.execmd.execmd.execmd.exeservices64.execmd.exesihost64.exe

description	pid	process	target process
PID 3708 wrote to memory of 3952	3708	ProtonVPNcrack.exe	11.exe
PID 3708 wrote to memory of 3952	3708	ProtonVPNcrack.exe	11.exe
PID 3708 wrote to memory of 3952	3708	ProtonVPNcrack.exe	11.exe
PID 3708 wrote to memory of 4220	3708	ProtonVPNcrack.exe	ProtonVPN.exe
PID 3708 wrote to memory of 4220	3708	ProtonVPNcrack.exe	ProtonVPN.exe
PID 4220 wrote to memory of 420	4220	ProtonVPN.exe	cmd.exe
PID 4220 wrote to memory of 420	4220	ProtonVPN.exe	cmd.exe
PID 420 wrote to memory of 1252	420	cmd.exe	powershell.exe
PID 420 wrote to memory of 1252	420	cmd.exe	powershell.exe
PID 420 wrote to memory of 4112	420	cmd.exe	powershell.exe
PID 420 wrote to memory of 4112	420	cmd.exe	powershell.exe
PID 4220 wrote to memory of 4552	4220	ProtonVPN.exe	cmd.exe
PID 4220 wrote to memory of 4552	4220	ProtonVPN.exe	cmd.exe
PID 4552 wrote to memory of 5092	4552	cmd.exe	schtasks.exe
PID 4552 wrote to memory of 5092	4552	cmd.exe	schtasks.exe
PID 4220 wrote to memory of 932	4220	ProtonVPN.exe	cmd.exe
PID 4220 wrote to memory of 932	4220	ProtonVPN.exe	cmd.exe
PID 932 wrote to memory of 2568	932	cmd.exe	services64.exe
PID 932 wrote to memory of 2568	932	cmd.exe	services64.exe
PID 2568 wrote to memory of 2184	2568	services64.exe	cmd.exe
PID 2568 wrote to memory of 2184	2568	services64.exe	cmd.exe
PID 2184 wrote to memory of 2296	2184	cmd.exe	powershell.exe
PID 2184 wrote to memory of 2296	2184	cmd.exe	powershell.exe
PID 2184 wrote to memory of 3228	2184	cmd.exe	powershell.exe
PID 2184 wrote to memory of 3228	2184	cmd.exe	powershell.exe
PID 2568 wrote to memory of 4408	2568	services64.exe	sihost64.exe
PID 2568 wrote to memory of 4408	2568	services64.exe	sihost64.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 2568 wrote to memory of 3208	2568	services64.exe	svchost.exe
PID 4408 wrote to memory of 372	4408	sihost64.exe	conhost.exe
PID 4408 wrote to memory of 372	4408	sihost64.exe	conhost.exe
PID 4408 wrote to memory of 372	4408	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\ProtonVPNcrack.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonVPNcrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"
4⤵
- Creates scheduled task(s)
PID:5092

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\Microsoft\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\Microsoft\services64.exe
C:\Users\Admin\Microsoft\services64.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "tpnqgkvcwcobda"
6⤵
PID:372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe yyuwyemgm0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB3EYEaWtdTNgeO+yOcML2FLdin0Rbrrbm/YoAjK7mqvZEX/HgK//sgsnHcQsRkM9iGKCen+11TiuyHWyZAdf1wMLE4agYXDET+uLyuqzRfvjrbqdOzrMw7uyk9GJnctDF8x49xwghsNTxALZT8Q9OM4wOBYwE039IMn9ca6XIbihbr07+StpGza7Q9Qq6H+R3vjoBT3kqX83xAYIxFwBE4re5nCVh9x92A1w5zRjX0fl
5⤵
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b644e248396c6668558a7f069edd8a00

SHA1
9d5a66511a0b9c343e733133c1875bd53f268161

SHA256
1740b5a51012986f3ad685b676536a011e23fa6b9524db6834b8b8729e0c6ea0

SHA512
7f74b30f54c335029de13ecc1b4633f595cfc075950ab77a061ef54e096bf44fe45e896cc924f9a9556e22e40f7226851954197e099efa9729ae060281f96da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3fe31cfa0f3870a6636118a2aac5ccb9

SHA1
e689b54e8072bb3ee47080eb6567a0e1ce7e92fc

SHA256
da1879407fd2444e2b1b2ba89cca2a498d94651b4e6a0c56fb5eef97c3f83eed

SHA512
1321e259635a32c2ef24f245531bbf14bff7d3052b75ca0b1b11b2bbbff0a4a79bc3f947408b50140ffcc276481cb6a1f74541e23244b2feaa2bc62b9b5c17b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
945861c46a3d159fed2a604163390c59

SHA1
a39e6fc71e4b653b781a9768573cfa3a9aec089c

SHA256
a9bc30a848a87148a04dbdb542b915f335e0b1cdb8d4dbb29bc518a3f9694f3a

SHA512
bbef3d7d2d3257114d2788a79a6a8a8a4262de672f3fa7454b5b55fa0dcf715a24299f32fcd47106cd60365d7dbd841f808985e4f00d875fb99c6cddacacbcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\11.exe
MD5
9ecac4c4fbb96a213d3a9724d3be50b6

SHA1
04bd5852e33672f2ccd1560261a92bdbeb543836

SHA256
94330c67c415ce150d53b52ed8f06bcec2c12d59e8c57b6e0eb725573dabcb03

SHA512
cb392d6cd28df84baf85aae06aeb7a6e3b3d2654ab160d3adc1c2b5d546c53b1dc6ed6a1fc92a4b91ecbff0545b6d3f6c2fc4009a8fa26c3018f95b2948a5bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\ProtonVPN.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
0ce6c508acd66bc4cb1e59875a3bb1e4

SHA1
884fe7f7de132bc10b49abbf3f31ce1529260902

SHA256
0ad785281992fd8a98ea8e69af7110da3810319aee8d97d5fc8e704abdb44850

SHA512
746adcdada8642e629940717da5cc5d3c8335f7c1502379d22fe5e07e7e136698cc0bff989859d88db12a899dc229a95cceec6bcb1541e806b08a3eab63aee64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
0ce6c508acd66bc4cb1e59875a3bb1e4

SHA1
884fe7f7de132bc10b49abbf3f31ce1529260902

SHA256
0ad785281992fd8a98ea8e69af7110da3810319aee8d97d5fc8e704abdb44850

SHA512
746adcdada8642e629940717da5cc5d3c8335f7c1502379d22fe5e07e7e136698cc0bff989859d88db12a899dc229a95cceec6bcb1541e806b08a3eab63aee64

Download Submit
C:\Users\Admin\Microsoft\services64.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
C:\Users\Admin\Microsoft\services64.exe
MD5
57b8949197d45be69ea67e78c36fbbe5

SHA1
b41e69f791a6ef5c82e030ff6e19ed20017aeee5

SHA256
3ca5f6814976f1d1281da36a1fc12044a236214f3c7a88cd9700249cc91d892e

SHA512
5ae2b704ef781f032ebe6133e5a4ebfab4d45aa8606bc74458b86135a856c70d270d312ad520fe35961f02e43ea02ebbcc7259bc0beb4926e06bc9cafd691677

Download Submit
memory/420-216-0x0000000000000000-mapping.dmp

Download
memory/932-316-0x0000000000000000-mapping.dmp

Download
memory/1252-235-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-221-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-238-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-231-0x000001FF4A3A3000-0x000001FF4A3A5000-memory.dmp

Filesize
8KB

Download
memory/1252-218-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-217-0x0000000000000000-mapping.dmp

Download
memory/1252-258-0x000001FF4A3A6000-0x000001FF4A3A8000-memory.dmp

Filesize
8KB

Download
memory/1252-220-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-223-0x000001FF31D40000-0x000001FF31D41000-memory.dmp

Filesize
4KB

Download
memory/1252-237-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-222-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-230-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-298-0x000001FF4A3A8000-0x000001FF4A3A9000-memory.dmp

Filesize
4KB

Download
memory/1252-219-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-234-0x000001FF4C500000-0x000001FF4C501000-memory.dmp

Filesize
4KB

Download
memory/1252-229-0x000001FF4A3A0000-0x000001FF4A3A2000-memory.dmp

Filesize
8KB

Download
memory/1252-232-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/1252-233-0x000001FF30400000-0x000001FF30402000-memory.dmp

Filesize
8KB

Download
memory/2184-352-0x0000000000000000-mapping.dmp

Download
memory/2296-356-0x0000000000000000-mapping.dmp

Download
memory/2568-353-0x0000000003FF0000-0x0000000003FF2000-memory.dmp

Filesize
8KB

Download
memory/2568-317-0x0000000000000000-mapping.dmp

Download
memory/3208-444-0x0000000140310068-mapping.dmp

Download
memory/3228-397-0x0000000000000000-mapping.dmp

Download
memory/3708-118-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3708-119-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3952-145-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3952-148-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3952-156-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-162-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-150-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3952-120-0x0000000000000000-mapping.dmp

Download
memory/3952-165-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3952-161-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-170-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3952-135-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3952-134-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/3952-172-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3952-131-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3952-175-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/3952-174-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3952-177-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3952-178-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-181-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/3952-182-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/3952-180-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-179-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/3952-184-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/3952-183-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3952-154-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3952-151-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3952-167-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3952-186-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3952-187-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/3952-188-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3952-189-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3952-190-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3952-158-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-191-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3952-192-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-194-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/3952-196-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-195-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-197-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-193-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3952-198-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3952-199-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3952-200-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3952-201-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/3952-202-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3952-203-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3952-204-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3952-206-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3952-207-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3952-205-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3952-208-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3952-209-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3952-210-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3952-211-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3952-137-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3952-142-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3952-144-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/3952-140-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4112-312-0x0000020785B98000-0x0000020785B99000-memory.dmp

Filesize
4KB

Download
memory/4112-299-0x0000020785B90000-0x0000020785B92000-memory.dmp

Filesize
8KB

Download
memory/4112-302-0x0000020785B96000-0x0000020785B98000-memory.dmp

Filesize
8KB

Download
memory/4112-300-0x0000020785B93000-0x0000020785B95000-memory.dmp

Filesize
8KB

Download
memory/4112-262-0x0000000000000000-mapping.dmp

Download
memory/4220-159-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-160-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-224-0x00000000048D0000-0x0000000004CD7000-memory.dmp

Filesize
4.0MB

Download
memory/4220-226-0x000000001E340000-0x000000001E342000-memory.dmp

Filesize
8KB

Download
memory/4220-225-0x00007FFA0AD00000-0x00007FFA0AD10000-memory.dmp

Filesize
64KB

Download
memory/4220-227-0x000000001E343000-0x000000001E345000-memory.dmp

Filesize
8KB

Download
memory/4220-213-0x000000001E770000-0x000000001EB73000-memory.dmp

Filesize
4.0MB

Download
memory/4220-212-0x00007FF5FFAF0000-0x00007FF5FFEC1000-memory.dmp

Filesize
3.8MB

Download
memory/4220-185-0x0000000000400000-0x00000000017A4000-memory.dmp

Filesize
19.6MB

Download
memory/4220-228-0x000000001E346000-0x000000001E347000-memory.dmp

Filesize
4KB

Download
memory/4220-173-0x00007FFA0ACD0000-0x00007FFA0ACE0000-memory.dmp

Filesize
64KB

Download
memory/4220-176-0x00007FFA0ACD0000-0x00007FFA0ACE0000-memory.dmp

Filesize
64KB

Download
memory/4220-168-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-171-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-169-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-166-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-147-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-149-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-152-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-164-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-163-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-215-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/4220-157-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-155-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-123-0x0000000000000000-mapping.dmp

Download
memory/4220-126-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-139-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-143-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-141-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-146-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-138-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-136-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-132-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-133-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-130-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-129-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-128-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4220-127-0x00007FFA0AC30000-0x00007FFA0AC40000-memory.dmp

Filesize
64KB

Download
memory/4408-440-0x0000000000000000-mapping.dmp

Download
memory/4552-310-0x0000000000000000-mapping.dmp

Download
memory/5092-311-0x0000000000000000-mapping.dmp

Download