redline | 15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650

Analysis

max time kernel
1701s
max time network
1162s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

539B
MD5

162d9e9294fb1ca66b2ef0808c37b3d0
SHA1

c4c12026021484ae35ab529d2be4263435762a4b
SHA256

6c4077874e378e3b7ff05dbe2063f0c7018f98bee429a4f4b2f8ffc7ff793d4b
SHA512

f467ddf08d99ec1495f32a4eef8a43b3080d976e56ce569264b38e160e6e9655b44d84d1cb5a3ebcb223a802f9b914a28dee7bc51abce48c836f4a4abbb2da88

Score

10^/10

redline discovery execution infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4920-449-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

55 4340 rundll32.exe
57 4340 rundll32.exe
58 4340 rundll32.exe
60 4340 rundll32.exe
61 4340 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

Roblox.exeRoblox.exe

pid process

4988 Roblox.exe
4108 Roblox.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2620 rundll32.exe
4340 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\system32\rundll32.exe rundll32.exe

flow	pid	process
55	4340	rundll32.exe
57	4340	rundll32.exe
58	4340	rundll32.exe
60	4340	rundll32.exe
61	4340	rundll32.exe

pid	process
4988	Roblox.exe
4108	Roblox.exe

pid	process
2620	rundll32.exe
4340	rundll32.exe

flow	ioc
6	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\system32\rundll32.exe	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Roblox.exeRoblox.exe

description	pid	process	target process
PID 4988 set thread context of 4920	4988	Roblox.exe	RegAsm.exe
PID 4108 set thread context of 3896	4108	Roblox.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

luajit.exe

description ioc process

File created C:\Windows\Setup\Scripts\ErrorHandler.cmd luajit.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4784 powershell.exe
2764 powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2440 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exeRegAsm.exe

pid process

4784 powershell.exe
4784 powershell.exe
2764 powershell.exe
2764 powershell.exe
2764 powershell.exe
4920 RegAsm.exe
3896 RegAsm.exe

description	ioc	process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	luajit.exe

pid	process
4784	powershell.exe
2764	powershell.exe

pid	process
2440	schtasks.exe

pid	process
4784	powershell.exe
4784	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
4920	RegAsm.exe
3896	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

cmd.exeluajit.exerundll32.exerundll32.exeRoblox.exeRoblox.exe

description	pid	process	target process
PID 3596 wrote to memory of 744	3596	cmd.exe	cacls.exe
PID 3596 wrote to memory of 744	3596	cmd.exe	cacls.exe
PID 3596 wrote to memory of 2368	3596	cmd.exe	luajit.exe
PID 3596 wrote to memory of 2368	3596	cmd.exe	luajit.exe
PID 3596 wrote to memory of 2368	3596	cmd.exe	luajit.exe
PID 2368 wrote to memory of 2440	2368	luajit.exe	schtasks.exe
PID 2368 wrote to memory of 2440	2368	luajit.exe	schtasks.exe
PID 2368 wrote to memory of 2440	2368	luajit.exe	schtasks.exe
PID 2368 wrote to memory of 4784	2368	luajit.exe	powershell.exe
PID 2368 wrote to memory of 4784	2368	luajit.exe	powershell.exe
PID 2368 wrote to memory of 4784	2368	luajit.exe	powershell.exe
PID 2368 wrote to memory of 2620	2368	luajit.exe	rundll32.exe
PID 2368 wrote to memory of 2620	2368	luajit.exe	rundll32.exe
PID 2368 wrote to memory of 2620	2368	luajit.exe	rundll32.exe
PID 2620 wrote to memory of 4340	2620	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 4340	2620	rundll32.exe	rundll32.exe
PID 4340 wrote to memory of 2764	4340	rundll32.exe	powershell.exe
PID 4340 wrote to memory of 2764	4340	rundll32.exe	powershell.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4988 wrote to memory of 4920	4988	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 2292	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 2292	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 2292	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe
PID 4108 wrote to memory of 3896	4108	Roblox.exe	RegAsm.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\luajit.exe
luajit.exe log
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 13:39 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
3⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94Nzk4' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94ODAw' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
2db5345850c203829dc2d4c66b441ac6

SHA1
25e5cbaffdfe0456301188b304106baea4750535

SHA256
2716710828b2390a73099b978e2ca941a8bce3fdc275fa58d511be7177e150ca

SHA512
c36e197ca81a2d9786d822d1058e1817600e82763c2027213ea67abbc0eb1257d48893163550cb6d46205e282c101efdfee9388d1457e30e78dee34e5b1e0ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
a7b131770791b58fe90a1186abb62e8f

SHA1
72b0fef4549737ab00ba534b7513dd97e06b6dba

SHA256
94fac9fc889bb22bba4b0db7c144b87ba12a29f7e148af5bfd017c09ee1cf80b

SHA512
d6b3758d5fe3d3b81771f498996a34a3cb849a47055b3a5601281bc1ef39c885f1a008379e3d03525c2e0c8af45d9969934938a844c74de9f716cd500092ff00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
6f78c82189354eefda54e26116fa17e0

SHA1
2033b822b309c8aac2898766d3201db89885d703

SHA256
50788f1b1b8eaa6ba6d5f2d206573128e10a403290b907969f892d4dd0f47edc

SHA512
7a5cd6871a6c84c02e148ca44cc1f56048b195bc0d8b5578aff2e01744338b65eae36530fd97346432d9ada97dbbcf655a3d598630753d007f10527abd47e5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
a4bae28bb2e23e486f9c1aa562a58823

SHA1
c200627a1eeb1217bcd1be85fdadf133e5033b6d

SHA256
37acdd7fc40ae1e1238ccde843516ccba1598d0d0d129541711a645716cfbc1a

SHA512
d30ca73ef53911fbb08c90e67ed01a4ebffdeeee6b3079af568e8bc566163f07346d54d0baeb005a95fcbb48673235208fd071c666f52fd789e7af1144701077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
2bc9ff5c3f4b86593a421595a463b2c8

SHA1
28e0f9be18a6f7fd0a1014d897b3267c601e9c32

SHA256
dc7255e4621629178e6b835f3295c3ab39026ee1c8006573153e8b1f47abc5c6

SHA512
341dcc1a7167ba577597e1cfd861db9518a68756c28c377791d989d98afa1ede902730bd0f47e476daecbcfc7f889209ff87b032b15ae7bf197ea4a1c3fe739d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
68be1c07470106e35a3498204140940e

SHA1
28b48d06647df036ac0e765e0d23c5dc09de927c

SHA256
a98758a48a0ab5bd70bdea140b0e3dc8424bb5a377c8b896794cc7357c199005

SHA512
3248e2293421679f51f4e6694a75c35825ed082f7d5ffbbbe1e364dce16771ddf63f27cac2312e69955f565b30d09805a122fba7ff3a40d81c77b07038c41ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
3f1f64ef1ac2505c491a9179aabcf161

SHA1
2dbc58127a0f9cc955fe14eb6cb092a667e5df69

SHA256
035147a855c81d2b3995721aa288fd84466f0e95314344966bbfea68bf828228

SHA512
ee7085c9cc64f634fe624d08e634a7531e709b1a1191808e72c0467427e269e64250b047d9e57fd4221d3088c6b9671deb000e668a0bf274063959f47d31e681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
28bd5ad01c84d7a87d7cebfb443ee983

SHA1
bd7d86173e9be252d361753e6339136bddad0ec4

SHA256
10e0f924e04c6d72ce5b14ee2c9789c4befc8cc608c6be8eb4f251d8c1d393c4

SHA512
0399e6a9840d50d9008ad04b679274f2f94a5726e31feb5aab6ab3fed308f81911fd37970d097106842895e6ae80938b203d35cf6f40d7d3c248c06742a5d04a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\json[1].json

Filesize
297B

MD5
bd0c2d8e6b0fe0de4a3869c02ee43a85

SHA1
21d8cca90ea489f88c2953156e6c3dec6945388b

SHA256
3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

SHA512
496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\packet[1].log

Filesize
4.1MB

MD5
0ffd3bd05a9281981db2330e5a7291c1

SHA1
fabbfea6c072f68692b81571d38e8eab72de1362

SHA256
286dca4423a65cbd5d23e9bf002e584ec16a88c0a5edf4cfdc6b639d982593ad

SHA512
54ff1df237207e4fe70808583b96a07d0366887ed7e3389527eaadb6c3e045c19c4ba1621a47e24fa661f52b504274b46af91acd1b562bc15b1e51518846c333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\loss[1].txt

Filesize
1.4MB

MD5
b46245811322e05ce45fd8c1427425da

SHA1
25e5494776d13a77fe4d50b3aaa91a8030bd9d23

SHA256
e42f79eebc439a67b73389e0cb8dd6015aba862bf2e6731e4df243055fc6a9be

SHA512
2155679928b9241a3d7d451deca34ff671d1d5a7b672cae25fabda520849f20168fa3cdae384af5c7335836580de4ae711b2cfed1e6267d97fef9dbee75c7f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
12c7cf9253e930baf098eefe2f0d8cf1

SHA1
e1c23a3483f7c4168483789084cd56276a41ab77

SHA256
5f3397fc0e285bc9728e22f78f52f27767121d766aaa479cb00395ea7da28955

SHA512
fceec1e9b2d72f73bab283dd4077e88eb1b306f3519b50a36c0c0c6024e4c4ad9dda5385e3ea7366b4ec5cc03301adf61bb9d0daab7b5e7e4fa4f813ebb6db38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2hvzgri.qzb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Pictures\39FBC0DFD4964AE0B1D7BDE60E245D90

Filesize
3KB

MD5
dcfd2c000eb1a7981a52ca9b9747a677

SHA1
fb78027f6adcb20c83af72023436060d8ac25b51

SHA256
5328e0a22b2a5bc1624cc71ce933eea57366ae45119b6a823764cc9b667775ad

SHA512
7b4d80d18519a25d8152ceaaf8e29bc69062a7be403af0cd27b8aedded29307367006f75e5c0f581da5659ce5f286e60df7325cfede895a40c5b4c0408fb5c28

Download Submit
memory/2368-29-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-1-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-51-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-50-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-49-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-46-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-45-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-44-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-42-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-41-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-40-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-39-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-38-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-37-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-36-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-35-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-34-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-31-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-30-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-26-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-28-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-27-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-25-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-78-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2368-77-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2368-76-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2368-24-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-23-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-19-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-18-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-17-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-16-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-15-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-14-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-12-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-10-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-8-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-7-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-6-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-5-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-48-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-47-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-43-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-33-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-53-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-32-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-21-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-22-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-20-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-13-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-11-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-3-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-2-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-52-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-0-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-178-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2368-4-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-9-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-63-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-62-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-61-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-60-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-59-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-58-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-57-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-56-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-55-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2368-54-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/2764-417-0x000001EB23200000-0x000001EB23222000-memory.dmp

Filesize
136KB

Download
memory/4784-204-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/4784-199-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/4784-217-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-180-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-218-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/4784-219-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/4784-220-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/4784-221-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/4784-203-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/4784-201-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/4784-200-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4784-179-0x0000000004D50000-0x0000000004D86000-memory.dmp

Filesize
216KB

Download
memory/4784-188-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4784-189-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4784-187-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

Filesize
136KB

Download
memory/4784-182-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-181-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/4784-214-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/4784-215-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/4784-216-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-224-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-223-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/4784-227-0x00000000736C0000-0x0000000073E70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-177-0x00000000736CE000-0x00000000736CF000-memory.dmp

Filesize
4KB

Download
memory/4920-461-0x0000000008200000-0x000000000872C000-memory.dmp

Filesize
5.2MB

Download
memory/4920-451-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4920-452-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/4920-453-0x0000000006680000-0x0000000006C98000-memory.dmp

Filesize
6.1MB

Download
memory/4920-454-0x00000000061B0000-0x00000000062BA000-memory.dmp

Filesize
1.0MB

Download
memory/4920-457-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/4920-456-0x0000000006130000-0x000000000616C000-memory.dmp

Filesize
240KB

Download
memory/4920-455-0x00000000060D0000-0x00000000060E2000-memory.dmp

Filesize
72KB

Download
memory/4920-458-0x0000000006F20000-0x0000000006F96000-memory.dmp

Filesize
472KB

Download
memory/4920-459-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/4920-460-0x0000000007A00000-0x0000000007BC2000-memory.dmp

Filesize
1.8MB

Download
memory/4920-450-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4920-449-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download