redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22/05/2024, 04:29

240522-e39m3aca78 10

11/05/2024, 11:09

11/05/2024, 10:59

09/05/2024, 13:02

04/05/2024, 06:42

02/05/2024, 14:21

Analysis

max time kernel
315s
max time network
311s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02/05/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline rajab discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/memory/828-291-0x0000000000B50000-0x0000000000BA2000-memory.dmp	family_redline
behavioral4/memory/232-381-0x0000000001100000-0x0000000001152000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4216 created 3312	4216	Masturbating.pif	52
PID 3292 created 3312	3292	Masturbating.pif	52

Executes dropped EXE 6 IoCs

pid	Process
2524	Setup.exe
4216	Masturbating.pif
828	RegAsm.exe
2796	Setup.exe
3292	Masturbating.pif
232	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
476	tasklist.exe
2932	tasklist.exe
2148	tasklist.exe
3952	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333270173318"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1716	PING.EXE
3736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
4216	Masturbating.pif
4216	Masturbating.pif
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
828	RegAsm.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
828	RegAsm.exe
1480	taskmgr.exe
1480	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1480	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
872	chrome.exe
872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
1384	7zG.exe
2580	7zG.exe
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
4216	Masturbating.pif
4216	Masturbating.pif
4216	Masturbating.pif
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
3292	Masturbating.pif
3292	Masturbating.pif
3292	Masturbating.pif
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe
1480	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2568	872	chrome.exe	79
PID 872 wrote to memory of 2568	872	chrome.exe	79
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3792	872	chrome.exe	80
PID 872 wrote to memory of 3696	872	chrome.exe	81
PID 872 wrote to memory of 3696	872	chrome.exe	81
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82
PID 872 wrote to memory of 3032	872	chrome.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2328cc40,0x7fff2328cc4c,0x7fff2328cc58
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1800 /prefetch:2
    3⤵
    PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2084 /prefetch:3
    3⤵
    PID:3696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2252 /prefetch:8
    3⤵
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3104 /prefetch:1
    3⤵
    PID:1308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3524,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4508 /prefetch:8
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    - NTFS ADS
    PID:4876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap11897:138:7zEvent1093
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1384
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap13264:212:7zEvent25481
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2580
- C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
  "C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:476
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1148
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2932
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4472604
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SENSORSALICEECUADORJAMAICA" Massive
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4472604\j
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\Masturbating.pif
      4472604\Masturbating.pif 4472604\j
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1716
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1480
- C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
  "C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
    3⤵
    PID:3756
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3952
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4474174
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SENSORSALICEECUADORJAMAICA" Massive
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4474174\j
      4⤵
      PID:2108
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\Masturbating.pif
      4474174\Masturbating.pif 4474174\j
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:3292
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3736
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:232

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\12743002-f6ba-4dff-84fa-61f2d8a70cfa.tmp

Filesize
9KB

MD5
be25a0f2486c8b2fd7d8ac5bd6528c4e

SHA1
64626fb5ee73372ff88e9406022d7d7b7b1c718e

SHA256
9a6b6ee0e78436957edd73195ba1192ff9ddff1e6503e7f04de58d57bd81f044

SHA512
6c2486102f9d654b8d52f08f406c58bacf21f6f9284406404866b9e66e80f09f171476bb2efa5f56815b3d037721a9340ff492f277bab6d7be3dde630b8e75de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9b5bbe79622d45dc4e931c979a0a0dea

SHA1
d7ab38e3af868f1ca0b966752df9a3bee4b5ce96

SHA256
c80b8ea514d90a5b83677eee3718869eefef1c806e7dab65c1b37d953d2ede46

SHA512
8da56963151a851ac1c8035dab158c3c22229d4454a51e9ace577cba3dc1ca403a8096fe7580d5b54cbc0c1557503746e814455a5c713df84448e172667e2244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
b29bd20f97fab37886d1c59bfe538ebb

SHA1
50aa9d3e21db2b86fd1d84cd3b4599317c081b2c

SHA256
a022af7bde687d0d857d94aab4985e1be31e2a7022c342ae8b971938fe9e1a13

SHA512
e52915f16a16fcf85e29b9abf763ff9b734ecaa55901489153987680b37c8a6749e553d44a7a3c2a7b66167a3b6388b200421946675f2060c93e3bc6e12fda63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0d50de0a2c675ea56f1c72000126e147

SHA1
3452abe93a606f3104d187b8222ddab4fc8ad2c0

SHA256
3f99e670f395d1b02b968bdb4df888739a819fcc020f11b2e3f5fecba9f73a64

SHA512
ee4a230846f1a9dc74d191c61a57b57f9d29f0138f68f0cd5f8b4ee9c80013396dc9845c77149c6a66dad2585272672e461709e0bacd74ad4fe45669a647700a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
49df5f39745df2cb505ad2485ec37792

SHA1
843e26d3be7d3934f750947e548086c01402c1f8

SHA256
95b4ac0d33c9e978bcffa16da9e28da37e659ba676e8baa9da96b128ff10663e

SHA512
a5a3d9c6ac22dcdfc1e568ce380e365d40174a325319524fcdb9cd30c993150817ff718dcbe50cfbc49df4cb951e4928adc026a203a557abd18fe699d8371352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
517B

MD5
b7452661f19d4d69bc3f437c3338bc44

SHA1
8272202a40d709bfd4e9f61f6a83a302d3474290

SHA256
26cca34138f7333f719eb8b8c598c7fc2a8c33c8c40369bdde202e2f7da95270

SHA512
78ff7215c0ec315a0eb6a48b1b8e2478ec03c5dbd06cf97bf6001e9a68298759de470a2d78bae8860f7b6b9aa4b98fb62bb83a9c19b8e23c65191982bec09d1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9be257ac0227af885e0030d7853da877

SHA1
a1a7d2e2f1a113048f783f2d0771f03118dc629e

SHA256
bdd74d5324df386bc3bf7b81d1954c382291bc1d8d114f89b56a929d4004d2ec

SHA512
b15ce4e78db8ebac54a05eaafb7ddd9030afda90de1aeee86f9edd2cbfd394280fc44fc09f30ae5cfa504cebf5c16751bd4ced53fde97f733a710d03b2161741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c936c5e008768a2fc4d86b43366b625

SHA1
9848573eda768a38b8ed0a2d28111bdf56fc80ec

SHA256
d64464365f67219435d7e267e7168877f9ce5bcc3e1e768358f9f5bac43d7695

SHA512
5819154c935b5fbf65a7d2c69f952512a68ea3915d4be4525bbe015df79708525fb0a872c857edd446ce828c4e6d730d0213b20c23f44e582d94ad541fc34449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52ab2545277c56832e770b6b3c881874

SHA1
507a65880ec8ee94c197c1fe7bc9d777ee8b49f4

SHA256
f42fcd4c7d880de28fdfd9792cc17eabea55ed4296721aa74927bd567bc8b4fa

SHA512
294eff50fb35eb83c24a83bc441cb7cb3d1db53ea1b4af4b7603b3cfa74fa37fbf85585003aa8dd5a53167c83cc6f016123a5864971523927f4c9ffdbf282cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
777dee608fac3fc9616e044eb5a4e709

SHA1
cdf70cf7d1f8eb3c69d6751679f4d746aead14f2

SHA256
c0e380b92ada1c06e7d6b13a85999fdaf30164ce3f319cc5577f254e31e4c88f

SHA512
1f5471f15f7122247e520fe2ee0213c3f21968372bbadd5528bd8bbb221c6fb0300cd62a4711957b7e02d87571f6bcd6a568a55d23160972b7edc03d55f1e0ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9719312d34bc7a952d9d0472082f3d6a

SHA1
625278486c321cb1473bdf63fa64514baeb6b5be

SHA256
cf27d189f1e04a845f5e8937ef5c5cca65cb284ce4e0389a15f29a2267b9ec8e

SHA512
7826f6cca2869e968154e7aec4fb840fe5174743e0e332c94ee695e71045e05f787e0d336099dc03ec0857806b3b0ea6e4ad26621750f91da58f8244c412a12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5430aa2f13b013b68275db2066f94f2e

SHA1
c099fa2423e003a85a4b4fa3aad5f585508983bc

SHA256
9a7e95e8e0486b828813edda9468203e70118118086b1e7b255cacd685bc6ddf

SHA512
266ead0c62e8ec14d1b2c0b0891640743219123958fc4a623b4af3a0612f2098fba3a2055b89481c25d76017599ad8259ca6beab3b80a661b064c7278da6a07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
3c776d4fc6ac3d2018ee26b56a5a8bf2

SHA1
5d4a667b61a146333d6014622407affba6686e41

SHA256
cb573939f29b9a3ff7ee821fd66517b20e6d653afe66119cc8462e505344b62e

SHA512
82d1a6ceb810c3edf640d6964c115e361c0463385c95b050d40f5dd2fcafbea1abefb35d3e7f7af028d309e9e0e9892a8c2264df86ba1ca9cfd9883a03fb996d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
00364f017bb7c39a680d0882b444b7d2

SHA1
ff18334fad02d9461a595d5380ae083a32091a4d

SHA256
82a89ef93a9e57e57a0914f258fe03344bd5a6b116a91d09e3e4a5e42e31da77

SHA512
be8f84b24390d34185b006d20336110f51eb544fae3e6c98c7149c5df36a83dd5ee522025a6f621abf416c63ccd02794bbdb84c249fe950dfc79ac30cb7fecaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
efda3630f946cbbf082e90258678f517

SHA1
892764ed662f696b5eff334a223c6a588ec3e317

SHA256
bf2b8b89f30a49928b1cfc780b0cf46053e4854902166f54bf5e50fe6902ee60

SHA512
7f1f6755892e5f73dd9dce7c1d12e664ee9fba3a910554049a14f29ca1a382849904854fb29fd9341400e0c40c7087c0f69d52a7aaf6b73d4f0297f430798dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\Masturbating.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe

Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\j

Filesize
425KB

MD5
4b4f86ad7203f525253d3d01566391d8

SHA1
a89e684e1841e2c1bedd38234ab9d636862f177a

SHA256
120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122

SHA512
b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans

Filesize
166KB

MD5
f753d86ec907939c8471850ce2a79036

SHA1
22f07dc2373730f8d146ef7b9d58a212bee0c193

SHA256
6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def

SHA512
36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba

Filesize
112KB

MD5
e914b530dd18a000b39ce75d203b784e

SHA1
4e7f2d318cd32ad01b4d94071839ba9b50543212

SHA256
dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259

SHA512
3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats

Filesize
97KB

MD5
2885880aa38707935c64f6b3c7800f96

SHA1
85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6

SHA256
373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e

SHA512
ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated

Filesize
159KB

MD5
03371e3e51103446a7d61646e6f4ebcc

SHA1
dc28eaa3711df1e414821af095a76f34ad7f8e44

SHA256
7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5

SHA512
ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den

Filesize
99KB

MD5
82624b0ef5a2c57dad2a45392448a9b5

SHA1
e1f7ec58be7d744ea1aabe7d729cb8ceb0646511

SHA256
b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f

SHA512
5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements

Filesize
98KB

MD5
d698989610711e4b765d0f022feafecf

SHA1
859c28dcf1a2887606b180e8e8c5ef12e5dc18bc

SHA256
0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8

SHA512
f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu

Filesize
18KB

MD5
7e7ce927035274de652713d2e76a48d8

SHA1
a3aaf56ebe58d2fad03a6d2adab5c6140497386d

SHA256
d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf

SHA512
af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt

Filesize
202KB

MD5
23b74e5504f3aec97990cf2566590916

SHA1
5a58935fc51697df3d41e6439ecd4aba0f2732a7

SHA256
5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163

SHA512
941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop

Filesize
64KB

MD5
7ebc57599cccec5284f3d1ddc8c8894d

SHA1
152812380c876e6083c55da5f51f05502033d48a

SHA256
bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba

SHA512
8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight

Filesize
63KB

MD5
780d5012edd68b16d7b184f4181021b5

SHA1
20f9f80a29297c85c92ee2c70d2ec36ccff87593

SHA256
40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3

SHA512
04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive

Filesize
132B

MD5
d1b987734c4107491262869203ea885d

SHA1
a77977d58281980a0205f883d12e5a9567ed3c57

SHA256
d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d

SHA512
239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic

Filesize
100KB

MD5
f266514e1e9922b935796d012d03add5

SHA1
a5441cf2010d07a3c005c1f3f71e867789f87730

SHA256
23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a

SHA512
165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural

Filesize
19KB

MD5
89a81cf3771cfff9ee01f2423480907e

SHA1
a5e8faa5c7c90410416f8aed827ca5141ec5a673

SHA256
2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0

SHA512
c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware

Filesize
6KB

MD5
53d60db40a582d66f6f0b2c18a2a00a0

SHA1
045e8decf2c5ed2199512646ebafa2e9c3e3b08b

SHA256
9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528

SHA512
f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart

Filesize
99KB

MD5
75dfcf3a58bff19cb1e08e64cb37e672

SHA1
4ef53d554be37c3b82b54d1e4761c19ccfacb50a

SHA256
01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc

SHA512
f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone

Filesize
13KB

MD5
7b6ee2eb9f85cb183210389b0b0a5674

SHA1
3922d0f86ca2b75ca6137da65bfe10ff29474495

SHA256
b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a

SHA512
ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp640F.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
27558ea2fc1e1a380e1b4afb6ba64885

SHA1
f62b86cf76e4534a3cafb028b1cbe146d8b88a0b

SHA256
13da2e03b26f782e20b073f8b654908d81561f338d723ad7e531b24797e92412

SHA512
fcd20d4f50556301b8c82ce235cb8810dc2ae568ec32aa4bab6898552442cd7d8df36c71eedbc12eca5134552540068d05a0fec989e08745d8b0a17a3f96cfcf

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz.crdownload

Filesize
1.5MB

MD5
2942f277bb2cd54bb0b81996d42f7802

SHA1
abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661

SHA256
2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254

SHA512
39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
db0c47ecd0100d932cddfcfdc1771bb9

SHA1
aebae048bcb40790ae256a9ae1bdceb341fc1890

SHA256
edb03ca496c56fcdcc3c10e77a5b50d9023e497dee6f2c1f0e360e279cd44a01

SHA512
8ce2128d11da81251914b14a1bbb00d0098ce99d5218846261f438f98b70d20acd5a36aa7f20726970110ab2a3c7c6a411d60c162dae46c58890d10982e2700b

Download Submit
memory/232-402-0x0000000006EE0000-0x0000000006F2C000-memory.dmp

Filesize
304KB

Download
memory/232-381-0x0000000001100000-0x0000000001152000-memory.dmp

Filesize
328KB

Download
memory/828-322-0x00000000075F0000-0x0000000007640000-memory.dmp

Filesize
320KB

Download
memory/828-318-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/828-291-0x0000000000B50000-0x0000000000BA2000-memory.dmp

Filesize
328KB

Download
memory/828-293-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/828-294-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/828-295-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/828-334-0x0000000008BB0000-0x00000000090DC000-memory.dmp

Filesize
5.2MB

Download
memory/828-310-0x0000000006100000-0x0000000006176000-memory.dmp

Filesize
472KB

Download
memory/828-311-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/828-314-0x0000000006ED0000-0x00000000074E8000-memory.dmp

Filesize
6.1MB

Download
memory/828-315-0x0000000006A20000-0x0000000006B2A000-memory.dmp

Filesize
1.0MB

Download
memory/828-316-0x0000000006960000-0x0000000006972000-memory.dmp

Filesize
72KB

Download
memory/828-317-0x00000000069C0000-0x00000000069FC000-memory.dmp

Filesize
240KB

Download
memory/828-333-0x0000000007D30000-0x0000000007EF2000-memory.dmp

Filesize
1.8MB

Download
memory/828-319-0x0000000006C80000-0x0000000006CE6000-memory.dmp

Filesize
408KB

Download
memory/1480-286-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-287-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-284-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-285-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-288-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-289-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-290-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-279-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-280-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download
memory/1480-278-0x000001E008840000-0x000001E008841000-memory.dmp

Filesize
4KB

Download