redline | hxxps://drive[.]google[.]com/file/d/1O0-ow5WPc-bO1RcCDfefNpFoX_Tp-QDB/view

Analysis

max time kernel
144s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1O0-ow5WPc-bO1RcCDfefNpFoX_Tp-QDB/view

Score

10^/10

redline xanaq infostealer

Malware Config

Extracted

Family

redline

Botnet

xanaq

135.181.221.187:5987

Attributes

auth_value
521962dbe99b5bb27c34a459fff4e46a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
4424	Kappa Agreement.scr

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 2988	4424	Kappa Agreement.scr	117

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133356571952166007"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeRestorePrivilege	2788	7zG.exe
Token: 35	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
2788	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4244	3388	chrome.exe	85
PID 3388 wrote to memory of 4244	3388	chrome.exe	85
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 3332	3388	chrome.exe	88
PID 3388 wrote to memory of 1892	3388	chrome.exe	89
PID 3388 wrote to memory of 1892	3388	chrome.exe	89
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90
PID 3388 wrote to memory of 2904	3388	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1O0-ow5WPc-bO1RcCDfefNpFoX_Tp-QDB/view
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb71d9758,0x7ffdb71d9768,0x7ffdb71d9778
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:2
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4668 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2668 --field-trial-handle=1876,i,13616538243491764842,8209430777427383446,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3040

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10185:102:7zEvent931
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2788

C:\Users\Admin\Downloads\kappa - Youtube Deal\Kappa Agreement.scr
"C:\Users\Admin\Downloads\kappa - Youtube Deal\Kappa Agreement.scr" /S
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
d19b9cedff4db643422745ee50980ab0

SHA1
dec883f919c8ebd2d191ef63e86efbd459efd17c

SHA256
c0f18217126ca4befc7ff37e80e28ae6ceaae15118e08a9802aeffd5bc0cb54b

SHA512
c6e0a1126bcf963398377dae9484e65687b6faa1162ef5031c73e44fe5e698a89dea3317a4d25f136c9500e6204f6503cd0218f3f760c1a5b4a14b7704f7710a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9f7df73af3b6c95f0f3d01277f7c445e

SHA1
e363dcef88ba1d3f39b4c2f5f3ddf2073c0bc139

SHA256
5ef42cd17534253a8c4e3878c3b1cd4e142f105f7f8e5e6001b017a9e6ee5f43

SHA512
cbda2fb87742dc63991da2dfb970c1eb460d4c9649dfbe63a5942c6af09d1a396347f407a118e9795a8b45a46f448994f6fa5d23ae50eaa4040efd9ad79e461c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
69631fb36accca51c470b74bb35204a1

SHA1
9e6feedbdc7583ad708e81c7d1cad31a234eb76a

SHA256
458c1d33f943f7a899abe32e3f96ab1d550d2e402e45297f24c15b477efa33a7

SHA512
9108fc4e335b042d629737898977dbdddf48ab31242ab7de4cc19889cea48b92b2f417593057aea5be207e8d73b8430f85242978f2584e1bb848ce485dc0331e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc51a68d6bbf338315496cf7d8c67c0b

SHA1
ba060b27da188505933c304de49302da8d7c7470

SHA256
2506dae21792012408405a6e7cd71cbf385a1159108844aa2f66530437de837c

SHA512
be9dc12ee99e703781a947f11c9d71e98b3fd1f5b5fdd0dd2449a5de0c658ec87faea8129ccf6e02047f365b55e08155c001b3100b986dd8a42a69ef7c0a9893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8f8f47ed3ff025352b8b463f04a45dbf

SHA1
5333a478592d88b63e7e27c607fa1c39da670c2a

SHA256
a7f1c17d52985eca4122c416702a321ac4fd193c6429646bca630608eaf537d6

SHA512
42af50423edfc3a0bde7dc163a0f62548bd4b2d32ef2734f6415d0d39c0cc2fc1b0a89e83ff678f17e6e6a6a7609f1205cb7561397dccb78c005bc357881d6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
775f61047116e9757eefff2b6f329399

SHA1
ac810a98496f9e899d316a3bd3ea0de7452e3dc9

SHA256
75c412c18c459f6bef4267e69c3e5243a8f21e1df0948aaa02b28d14154dc3b6

SHA512
b8e2f505551b347f76628e05a82b15117aa7a8a4473103e3314855f39ce52bf28d69561497692c0dc013191afd0251a9e2f996b3c1078108ebc3a33e93775245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
645712cd441ac6a4c9128d7efe761903

SHA1
fa6fdce721ad5bce41377fac1868843580be878c

SHA256
1c5d6e7a1ccc7cec28fcabe765624aa6be49cdee10a15a4a086253f923fd9cd5

SHA512
16203fc5398de77f22d5f489e3b9beea9e20bd2639d9775bc26bb6faaa1687ca1d4ab102eabc25b2dc03c2c75d0ff2fbe7dc37a28e829eca452f4277748500e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\kappa - Youtube Deal.zip

Filesize
21.6MB

MD5
80cd4700a3d4691610fbefa10c3f8ff9

SHA1
4498dc8122453d8000332421a2839b3f371a833d

SHA256
20d2c3eba078f331a0f79dc1be995a2d268c6e843d9ec4aeda227c803b55c346

SHA512
38c10b4cf65e80563dcc361f8595f18351827a32bff7ad240649cb5184d56e0da59ded34b1d1141d160f42f2ab30f7ae879ee37508648dca3137c572d79b4e08

Download Submit
C:\Users\Admin\Downloads\kappa - Youtube Deal\Kappa Agreement.scr

Filesize
421.9MB

MD5
01b9fb8499c9416b7206f9ab316c5180

SHA1
7a961971c7d31d158ccdda1f7608293f3f928d3e

SHA256
ca04fdb2f5bf609aafefb24ae36f78b5d66979d5f05c2ed922974dd69fdb4893

SHA512
a8a2000f7f72ce72dbc147bb9bdcc8777f304ddd7cc447062a8d725ea8c8636c44aa1b7590d460c8bb7864515c306a638b56b706f0d554e9c2306dde1aec7fbf

Download Submit
C:\Users\Admin\Downloads\kappa - Youtube Deal\Kappa Agreement.scr

Filesize
419.6MB

MD5
aaa3a931db147323a3362972fba0833b

SHA1
01237e32908d367ffab4486037e821b3a377c5a8

SHA256
62de7f21b0958d33f0c8c5a17336096d844cfa534d12ef587fc78c721e421bcc

SHA512
19050939ddbddc510da8c6400c5a3eecc5c9412a4af27089193623f89d5f962f94fa3965e744c76fa807d23a534e3d44d794789fd2720ba4da207be67d625788

Download Submit
memory/2988-268-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/2988-270-0x0000000005220000-0x0000000005232000-memory.dmp

Filesize
72KB

Download
memory/2988-260-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2988-276-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2988-262-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2988-264-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/2988-275-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/2988-274-0x00000000057D0000-0x0000000005846000-memory.dmp

Filesize
472KB

Download
memory/2988-269-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2988-273-0x0000000005280000-0x00000000052BC000-memory.dmp

Filesize
240KB

Download
memory/4424-259-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/4424-258-0x0000000000DD0000-0x00000000015DE000-memory.dmp

Filesize
8.1MB

Download
memory/4424-263-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4424-257-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download