redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22-05-2024 04:29

240522-e39m3aca78 10

11-05-2024 11:09

11-05-2024 10:59

09-05-2024 13:02

04-05-2024 06:42

02-05-2024 14:21

Analysis

max time kernel
396s
max time network
397s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline rajab discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3032-231-0x0000000000800000-0x0000000000852000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Masturbating.pif

description pid process target process

PID 4692 created 3412 4692 Masturbating.pif Explorer.EXE
Executes dropped EXE 3 IoCs

Processes:

Setup.exeMasturbating.pifRegAsm.exe

pid process

4312 Setup.exe
4692 Masturbating.pif
3032 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4020 tasklist.exe
1936 tasklist.exe

description	pid	process	target process
PID 4692 created 3412	4692	Masturbating.pif	Explorer.EXE

pid	process
4312	Setup.exe
4692	Masturbating.pif
3032	RegAsm.exe

pid	process
4020	tasklist.exe
1936	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333269846389"	chrome.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

736 PING.EXE

pid	process
736	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exechrome.exeMasturbating.pifRegAsm.exe

pid	process
1900	chrome.exe
1900	chrome.exe
3076	chrome.exe
3076	chrome.exe
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe
3032	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1900 chrome.exe
1900 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zG.exe7zG.exeMasturbating.pif

pid	process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
3580	7zG.exe
3640	7zG.exe
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeMasturbating.pif

pid	process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
4692	Masturbating.pif
4692	Masturbating.pif
4692	Masturbating.pif

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4132 OpenWith.exe

pid	process
4132	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1900 wrote to memory of 2640	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2640	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2092	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2684	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 2684	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1328	1900	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc87b29758,0x7ffc87b29768,0x7ffc87b29778
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:2
    3⤵
    PID:2092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:2684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:1328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:60
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:2900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2588 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:1052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
    3⤵
    PID:2328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3076
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap29300:138:7zEvent20484
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3580
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap400:212:7zEvent20615
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3640
- C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
  "C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4020
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1936
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:68
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4480834
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SENSORSALICEECUADORJAMAICA" Massive
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4480834\j
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif
      4480834\Masturbating.pif 4480834\j
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:736
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:8

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
0cb50bb721cfa48d61c234fe56bd4e2e

SHA1
9bfb0bdc15eaa505531cc4c614d4b449867ed78f

SHA256
05d4e0afd2c55f0444d353abdbf0f328e60a9d20a947bdbc07ba8111d305d1e8

SHA512
cbad5f07a77f79f974b32eb3008889e47f7c0098b853e111416b46c688495bd3ca04df69e8104f5a9b19e503cd4700bae7d6ee8ea218da596b84d91cd42d3925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6a0f7d52ab9c913f1a2d6a6befe1e63c

SHA1
7cfbf9d759e767ba6ef4ad07337d0cca8d93f319

SHA256
f818d3bbb6b0013b14374c210e0506cb1bac1a49e4542c1af20dcda77abe6997

SHA512
9e4e0df4e0747841db92ecb9a8e61bccb02c0632b2a8f4557ff7f98eb357f6d321cb95e0aa1396b0f57c740d927b3dbd8b934810d6a8816ff4ac2178b74118aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7f2159b14265e31fb31958abf7d3213

SHA1
e2064a4ac85b479b95833848035cf85ed4328375

SHA256
21fb42d1467568cacdded73c381c5cbbd718182de3aca4fbd5bdedbc1d7ed3a6

SHA512
98e4a5cb6431bef5dac88516c108fc99a5b107cfcaa7f01da8a0870cbed28c56bd6bec8f260af7ea34d317ba2cdb04ac3a00cf3da2b2947a054a909f84f4b9bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
09b72ff632c16d87faf66b5bbb8137a1

SHA1
67d3eb9c686e04336b21ae3aef36788d8556d0e0

SHA256
1cbbf8d148e037a0bd3cf9331eddb36ca4bf7d116fc4a9f5cce4ebc4aedd0a1e

SHA512
f8649237b6d848dc2bee0dfa2b8732d9e982d7cb6e67bc4166a1832465f97300e5f0277e2052806f10664d7db3abac2d771c263dbcec75494f3b75415737d22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ec635d84773280189d4e83c7a9aaa8bd

SHA1
14be7b5dd3c19dcd081d23dcae9eabf5c512cbea

SHA256
7cb48b5c7ef8b2d9c625b8e97908fadfe2c530eec99502cc1a508f090a117336

SHA512
28d6892bf7454d9f76df3b5245aea5c70fe2153ba6a408ec69ab1995ce95d38a708f307d1d102a648aebcf4b8c93b83579b78c3b7fb0e1e2777438603b04b6f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a959f3aab81676bbd39b196f95fa73c4

SHA1
2e7f486685753323feeeb1a7065ee04216f03cb4

SHA256
c7a576354d8af6d709227370e2bc029f0f31d234a397e115794fbfeeb0e03f27

SHA512
5d0d8fa4725d2303079867cf5eeb04c02a2b21c372becef22ea73ef151238ffccfd9a0463d11bb1dc1c8b14756d566c01ab18e63fc7fcebf9ac0254174d88127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e059fa1b8dcca3ab9f4afd98536dcd98

SHA1
233cd100f73e7bcf03c41558240ed1637d629f04

SHA256
213cfeb1f969eeb011f74e5d3d6dea4241e3ebccd050bd0e06b36471523a5f7e

SHA512
b220342f1e67142704bb5a192efd1c39b62a1816250d0e8c6f4b776af6a1cf74fa02691121a3cc2fa95c4d1078950d4f62f81a105fd6fd09bc90565a415411a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eab6b20d22d73e75a953ed475f42f5b9

SHA1
0461d1b5e2fce7eb8c8525790201262f0e58da9d

SHA256
64a62dd6bbc0e7b256d0c12832663e4457ba99cd704c0a46146b4aa1e251259a

SHA512
d052a2e8859a685fc371103ac42f036bc0c7561023f4add2ad5ccc88a09b8c64f7fd76257a03125cc5cb1f9c361855f26d261fc26456b18d7d992d1819346fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
65292068ce28e88dde96602d645050ff

SHA1
81c838f57e613b6d814a84cec493616bf0b234c9

SHA256
b0f8d254071b7c051130f8bb769dc64d08a1e87da41ac865729aedad54fed373

SHA512
bb3801b0ae1576ca32d68b60b9db2d2a7a5a9bb535842f72d0b3405267d945bb5352c27f16ff7a216e21e7d6a31b86291ff7d9f3e31776eba1da44ddc01ce5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
ba4d7469a5d06cb7651159b7d4951463

SHA1
35b007dfa1018bf95df09f908ec0a7949e0721cd

SHA256
5660fb1ff50acec57529599ba1553d2ca4886fc3b699664ad47a070331294e38

SHA512
54ff8d375449eed5024954aed95830fee5b4aca653a869211f60fd62fd2dca58256abec5bfa9825ffd741e930818486cf71534780626023299da99d153380dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5894d8.TMP

Filesize
93KB

MD5
afc2a6d00afcb2ad3b369f75c66b6e5c

SHA1
adbbc0173839857eb1438061fd3004b6f40354e4

SHA256
0d6f07ca5ced3ccade03d4994a4f0f424e07c9b10b1a41fd9b4ad59be17c6ff6

SHA512
7b5d275b3de12faa2c66297022bbe9dfa625bca035629b10eff64932db49627bab41dd537d59bf9bb29d78de8a577a24ec99512c0cca389a4047d6992ab8dae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\j

Filesize
425KB

MD5
4b4f86ad7203f525253d3d01566391d8

SHA1
a89e684e1841e2c1bedd38234ab9d636862f177a

SHA256
120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122

SHA512
b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans

Filesize
166KB

MD5
f753d86ec907939c8471850ce2a79036

SHA1
22f07dc2373730f8d146ef7b9d58a212bee0c193

SHA256
6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def

SHA512
36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba

Filesize
112KB

MD5
e914b530dd18a000b39ce75d203b784e

SHA1
4e7f2d318cd32ad01b4d94071839ba9b50543212

SHA256
dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259

SHA512
3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats

Filesize
97KB

MD5
2885880aa38707935c64f6b3c7800f96

SHA1
85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6

SHA256
373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e

SHA512
ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated

Filesize
159KB

MD5
03371e3e51103446a7d61646e6f4ebcc

SHA1
dc28eaa3711df1e414821af095a76f34ad7f8e44

SHA256
7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5

SHA512
ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den

Filesize
99KB

MD5
82624b0ef5a2c57dad2a45392448a9b5

SHA1
e1f7ec58be7d744ea1aabe7d729cb8ceb0646511

SHA256
b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f

SHA512
5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements

Filesize
98KB

MD5
d698989610711e4b765d0f022feafecf

SHA1
859c28dcf1a2887606b180e8e8c5ef12e5dc18bc

SHA256
0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8

SHA512
f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu

Filesize
18KB

MD5
7e7ce927035274de652713d2e76a48d8

SHA1
a3aaf56ebe58d2fad03a6d2adab5c6140497386d

SHA256
d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf

SHA512
af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt

Filesize
202KB

MD5
23b74e5504f3aec97990cf2566590916

SHA1
5a58935fc51697df3d41e6439ecd4aba0f2732a7

SHA256
5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163

SHA512
941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop

Filesize
64KB

MD5
7ebc57599cccec5284f3d1ddc8c8894d

SHA1
152812380c876e6083c55da5f51f05502033d48a

SHA256
bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba

SHA512
8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight

Filesize
63KB

MD5
780d5012edd68b16d7b184f4181021b5

SHA1
20f9f80a29297c85c92ee2c70d2ec36ccff87593

SHA256
40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3

SHA512
04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive

Filesize
132B

MD5
d1b987734c4107491262869203ea885d

SHA1
a77977d58281980a0205f883d12e5a9567ed3c57

SHA256
d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d

SHA512
239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic

Filesize
100KB

MD5
f266514e1e9922b935796d012d03add5

SHA1
a5441cf2010d07a3c005c1f3f71e867789f87730

SHA256
23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a

SHA512
165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural

Filesize
19KB

MD5
89a81cf3771cfff9ee01f2423480907e

SHA1
a5e8faa5c7c90410416f8aed827ca5141ec5a673

SHA256
2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0

SHA512
c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware

Filesize
6KB

MD5
53d60db40a582d66f6f0b2c18a2a00a0

SHA1
045e8decf2c5ed2199512646ebafa2e9c3e3b08b

SHA256
9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528

SHA512
f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart

Filesize
99KB

MD5
75dfcf3a58bff19cb1e08e64cb37e672

SHA1
4ef53d554be37c3b82b54d1e4761c19ccfacb50a

SHA256
01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc

SHA512
f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone

Filesize
13KB

MD5
7b6ee2eb9f85cb183210389b0b0a5674

SHA1
3922d0f86ca2b75ca6137da65bfe10ff29474495

SHA256
b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a

SHA512
ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp49AE.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz.crdownload

Filesize
1.5MB

MD5
2942f277bb2cd54bb0b81996d42f7802

SHA1
abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661

SHA256
2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254

SHA512
39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
\??\pipe\crashpad_1900_XFURHHMHWQZTMQUM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3032-254-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3032-258-0x00000000060A0000-0x00000000060B2000-memory.dmp

Filesize
72KB

Download
memory/3032-235-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/3032-253-0x0000000005880000-0x00000000058F6000-memory.dmp

Filesize
472KB

Download
memory/3032-234-0x0000000005280000-0x000000000577E000-memory.dmp

Filesize
5.0MB

Download
memory/3032-256-0x0000000006600000-0x0000000006C06000-memory.dmp

Filesize
6.0MB

Download
memory/3032-257-0x0000000006170000-0x000000000627A000-memory.dmp

Filesize
1.0MB

Download
memory/3032-236-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/3032-259-0x0000000006100000-0x000000000613E000-memory.dmp

Filesize
248KB

Download
memory/3032-260-0x0000000006280000-0x00000000062CB000-memory.dmp

Filesize
300KB

Download
memory/3032-261-0x00000000063B0000-0x0000000006416000-memory.dmp

Filesize
408KB

Download
memory/3032-264-0x0000000006E60000-0x0000000006EB0000-memory.dmp

Filesize
320KB

Download
memory/3032-266-0x00000000073D0000-0x0000000007592000-memory.dmp

Filesize
1.8MB

Download
memory/3032-267-0x0000000007FE0000-0x000000000850C000-memory.dmp

Filesize
5.2MB

Download
memory/3032-231-0x0000000000800000-0x0000000000852000-memory.dmp

Filesize
328KB

Download