redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22/05/2024, 04:29

240522-e39m3aca78 10

11/05/2024, 11:09

11/05/2024, 10:59

09/05/2024, 13:02

04/05/2024, 06:42

02/05/2024, 14:21

Analysis

max time kernel
255s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline rajab discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral3/memory/2252-397-0x0000000000790000-0x00000000007E2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1360 created 3360	1360	Infected.pif	57

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 5 IoCs

pid	Process
2092	Setup.exe
1360	Infected.pif
2252	RegAsm.exe
1312	Setup.exe
4628	Infected.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
1404	tasklist.exe
1816	tasklist.exe
4956	tasklist.exe
3116	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608257720821626"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE
3416	PING.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
4392	chrome.exe
4392	chrome.exe
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
4628	Infected.pif
4628	Infected.pif
4628	Infected.pif
4628	Infected.pif
4628	Infected.pif
4628	Infected.pif
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
540	7zFM.exe
5100	7zG.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
1360	Infected.pif
1360	Infected.pif
1360	Infected.pif
4628	Infected.pif
4628	Infected.pif
4628	Infected.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 1900	3148	chrome.exe	91
PID 3148 wrote to memory of 1900	3148	chrome.exe	91
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 2572	3148	chrome.exe	93
PID 3148 wrote to memory of 4556	3148	chrome.exe	94
PID 3148 wrote to memory of 4556	3148	chrome.exe	94
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95
PID 3148 wrote to memory of 4704	3148	chrome.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae9d69758,0x7ffae9d69768,0x7ffae9d69778
    3⤵
    PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:2
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:4704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:1
    3⤵
    PID:872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3308 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:1976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4052 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3304 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:8
    3⤵
    PID:4444
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982.rar"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 --field-trial-handle=1872,i,4931932117149217809,16026523109890597456,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4392
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\" -spe -an -ai#7zMap32369:188:7zEvent3213
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5100
- C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe
  "C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Inch Inch.cmd & Inch.cmd & exit
    3⤵
    PID:3704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1404
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1816
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4164384
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "TemplatesJunkFinancialBlocking" Innovation
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Locks + Marble + Irs + Ray 4164384\X
      4⤵
      PID:3532
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\Infected.pif
      4164384\Infected.pif 4164384\X
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:1360
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2740
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe
  "C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Inch Inch.cmd & Inch.cmd & exit
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4956
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3116
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4166384
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "TemplatesJunkFinancialBlocking" Innovation
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Locks + Marble + Irs + Ray 4166384\X
      4⤵
      PID:3356
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4166384\Infected.pif
      4166384\Infected.pif 4166384\X
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:4628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\43aab91f-483a-447b-b8b8-52cf1488d092.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f9f4bfd45052747b249a710144e01b64

SHA1
dee0be0cd351938627f028148a4f46a381cf38f5

SHA256
762476a045e7aa258055dd2b09c70ad6b9800f1a4a76c2eecc812bb3cc586d7e

SHA512
fa7718dedf13d70e168d65cabb4f85f497059551626d405580994cc8bda0b240a3f97daf5a11fa52c025f691ffb5374a8f3eb8a4f1a2270ab2af0506d31a02da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81f0226eeabeb6907d71d99be8b1af52

SHA1
ebd7b4ad7866e71aaaf1e7c0ec23190ff98cbc4c

SHA256
37e354e84de4a6dc46337d8b9be63a6531eeebfaa8524a0963da4d9ed720af8e

SHA512
fa02f3562788f180eb3de854e5374b331ef78b97822cdc503dce0a11c4f14c0d4b60bc08a793997c00169fa0f371b03a5e9507fcd833c9a4f74a241d1048873d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
24030d61ea486eeef6ef5ed05e51b86a

SHA1
c803a043f896cf99023efc3db04cc384cc2c29f0

SHA256
195350bfcc5a46a5b92b6c145cbcb7868d002660f2bab2e3c0ff727f81619e54

SHA512
619147e3c19daee56d462c4494a2775e0b45068d9ce556efe72547afe31c8677903e40115c1cc655a38ace72caafe0e560a428bbb7e93e3cb9ca4a62ab2c2e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
74dbc30a6c7a79a5122ad42efc41e7ce

SHA1
5269ded641d2b1fd1401e172aee21550ee558504

SHA256
a7bc7c6bdf348dcf05a661253ee0bdff8ea1afc757ff79c4648824a9335fd7e3

SHA512
1d48f43093a535d50afa49aac5c52fc55036adc2732e5b0bc2f3528c06dadc255f67516be40fb38b862975910a7ac3553e5429c37ab85ee62c8b4c7387f1f518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e7ecd2f3f0d0d26e8dd7d4ccd5d08be1

SHA1
44cef373b6b258f09aa23a4073ce99387bc7e181

SHA256
a478d8006a97eb4cc9ac26c9609b92b21b545e1a79808fba47b66e2675be0f6a

SHA512
37c2cdbf73ee4a7ba89aa151f5e9335584a342c833190e50aec2cd3ce855e4cf6ce61b0f726c6415c0adaf184db28b4efab084f7090f9e09b28fdf88964af8ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4a92a7f1c2ccc7da22e90fc9afc7c7e7

SHA1
8201b99633ad7126a06228250184b0517fc892f6

SHA256
adf4521b4585d189d81d4423f124d942adfec1cb26cbce0c1fde019741f0be6b

SHA512
c1a61e88a0e08410fd4096901301fd48211dfee93c5b5219122ee3fc2f0ef939376bcebef90d3b841b918af8f06882474c82440590058d99f56ed8ad1433620c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a5bf46b1ef0abe2281d3e5fca35efad

SHA1
ac5d1e51c089a599fe851507f79527a20e27a24a

SHA256
13ed0f7b5adec8b30a28f1ac8987e7f624de5089247268e85e96f6d38831b211

SHA512
34c9fd8470c1f78e39ae9636ee7eeb333ee440bd86dd959c8116865d08d3ab46712f80e25fd8a5cee15de076a5818d8e5365b33805d21dd5c7b0973fb66c4cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
c2a808b4bf3268385600ae6a11ebfcde

SHA1
daf53d90f4acd207f17964269fde57a99f862ffe

SHA256
806e26ed858192f2c5ddf4e146cc7a9b03a4f00e5d85e99b9f416c315af33188

SHA512
5be861af97ad6e643976834a848818c6e69341f0413d7b2e5a2432a4188a1746f008d0a809a10f1b5a6aae018da0e3a40e27412d103c5662d22ee4cc5f8b1838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
9e93dbed1a766fe5021f3c2072da4463

SHA1
c44a81e84413192b4b30abe6c4cbe7b80e8dcb21

SHA256
c4c352720dd2911188d597bd968e7ade176119a88bec16ba014538df8e438fbd

SHA512
b61646d6f4ad38bf60a42bc918d216ae52f81901642ca88385fd5f0146107df2862edcc8a81c7dcf56c48362cc2b36d04bd8c22d391f6c21de5527dcc390d676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
088490e6e5508c71eec96367bfd77fae

SHA1
2d97ed1ed9bb27420a9ca244b21eddca1891f877

SHA256
8ee428281e789d12f6bdafbab42226821293f3204c0aeabfb57e618a940a7f3f

SHA512
e39ba6ac2e5e87a6cc7846b0c5394c422c5553bfced628b2dce5eb470f8d8479022cbad349738deb0069f7f2810b813f0b68fd1544b12e943bdbdd3eb19fc401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59ae28.TMP

Filesize
102KB

MD5
faa003eafc8c15245745c4f5f23aaa57

SHA1
86a513bc84e5cbfa6c100086606c93464bac6a8d

SHA256
fbc43c55ad556e32b552fdb77279d3a3abcb7904ac83f8cef7e01ba3d02d01fb

SHA512
876fa26d3a867c107b7183267d8fa035078ab2bdebfe44c0f192a92e378612e8e0ca76b83bcd375fd1d67de94b8471c6cfe37f4257adef177a71f0f943d1cd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\Infected.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4164384\X

Filesize
384KB

MD5
564fcef4278786869d9e7f8606d17f47

SHA1
d36470b9a08322aa27014fc9ae97a69829ae4d54

SHA256
7ecd3748e97c574c643cad0722725983ac377a780f8e5442c383ce7a3b2205bc

SHA512
983ebba8851235fbfe515aa9b4156eca079914bb9c126d5f31c592bcb0025d26c54e2fd50b9f153b9eb687b0cae4361aedee61634004296680d5d454ad0022e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beef

Filesize
31KB

MD5
654f7945c1c6e8cf978cccce420e373b

SHA1
5e53a3e35f09ca36692a566a0735a398e1e541c8

SHA256
b56604fbe129b7f4c4ed303747f006541a46c0194871c92edac85bef7a192189

SHA512
ae05c90eaa2580db92c102f0de514a0226504d3679eb7ec3be6b01a5f7e8f704a5411370c588b8fc92aa930e699abad3ff6b3c9869c88a9370b72096e8703ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Breakfast

Filesize
13KB

MD5
099088c7bdbeb6b0c025727492dd71cc

SHA1
3b186caff335362dacaf494a37f5c0bd8a42d5a8

SHA256
20883cfb559483c21725fbbc28934ddfe1a2bd9d3889fc0b2a925d41638c818d

SHA512
8897621fbcf8aec2409704dfa419edaff7a4321e2d5b0e7ecb47a1025fc3f8bcf1ea0a0e2ffa8bcdff13197fc427de395601607e8fa400e07d8c4f759173e46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ce

Filesize
67KB

MD5
49fb14a076bcafc86abdbc27ebafe16a

SHA1
65ee937829f08d102962d6e3922eeaea2c84c069

SHA256
9d5aed42fcd6d3d8951bb96670834267e810f84b34860e3bf351afca28e3afb1

SHA512
5dbdccd64410a36dcaabb0bdb793e6123dc61bb32ac316644df394ba4c8ab147a027c38e8f819593b689189852c1436520866afa90d1f9b6b18398060610427c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Changed

Filesize
35KB

MD5
d9f09a4c8c1043afcfc246936564ee01

SHA1
169d6920213f5b8f3cd1cb576170e9ff6344fad0

SHA256
e672668d0fa0efc8952e4ff1f9437a5281827f0c16fe6e02a6792ba0e40b5b3e

SHA512
ef054d017fb61b32bb3fba7293173694c449cbf29d87830419fa1af27f6ec2da3dba6e72e8c7d88bb784bd8297606a05bfc039ca490a47978ec99731ee98c71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chronicles

Filesize
14KB

MD5
cccfe820790a18ad637c8c48190a07ab

SHA1
2860eeb3aad76c4de98251c643b097452f2adbe4

SHA256
e76044935d27539fe765cf0f38d62699736b8bfc9e1f9abb4dc9db3a325308a7

SHA512
e518668dea9e6d40bf51781792a85322b0119f67eb905f1064b8b08569413460598e1cf6a31e95eddf7500e315f082b37f55e91455dd91257a08daa5c6de3200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Communications

Filesize
59KB

MD5
a78d9f9007458dad6a6288b823c02308

SHA1
6301c74ed457ea40b1f51cbd936213413db64c73

SHA256
d2410da2189f66692da2d44eb27900089b99f6433d5dbad7487a2dcaeeae5b2a

SHA512
886dd057ee869a6cdd75f7a57e3ac97ea9366d5aeae03ca7407d035d02b8eac8795122ee5a4827f8a566bdca29ad37e84e48fa1b4e14e16d8bb465cba0c9c6bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Debug

Filesize
57KB

MD5
3878f94befdeddeed4508cc91d30b775

SHA1
25dd781cba90168310653663767f51b82eae189a

SHA256
139c7c899303807f4c674d4ed2acab9043e470f3aec1598bc62f77348a3bafe5

SHA512
f12390ee74eb18557b2dfb4ea92f0875df945bd454c7b8304c5523df92ef53bb39fbb127044db29d5015e3ff5d2dedb4a2a69fe05a34be2b7200c969869d9904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Diet

Filesize
68KB

MD5
8f80a990e34a018bf985ae5ee6880892

SHA1
9ea1c5555d63159d73331044cd2466002bb4b0ae

SHA256
9c4e2822f78488e9ce0e471944802feb840ae2aac1dd70dd0b38e69d06bb9462

SHA512
2e85af9e4e3b499a8577fa51c302a2a3df10bcf03650c68e6be82f6108ed0e9f5523abcd86f9ce8fcf6fc5ef7e5e9df5588e5b2f4ac1472dc006f22176a2e32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Disclose

Filesize
10KB

MD5
11a09faaee7bc02ace390631b890021c

SHA1
fdd4a531a3be3eba5555ea9cfe9007dda09487a0

SHA256
ab4df3d0689cf6deb9baf90f7265d3465071a6e5b2d243a637d5ee49e997faa1

SHA512
4a72289d0147e065baa8f1d325c242bb8d7996c080a71e9053d3f1a7a7e2bcc9d5d2e04603f32d85ae34f8d903de762bab421917d78f87888cbec2b04185d773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ebay

Filesize
18KB

MD5
ca0e475fb526f9bd88952e61eea23458

SHA1
aba4f6086c5f9f956059229428ab5809da1c8251

SHA256
042b18a9ccd495da456a3bbda195a91fadb37488fa3f24abe3f2a3bcc8fc500f

SHA512
a375461c6c5326a584476cf1228e0d7ec28d5e45d1af8e12a208336c4cec33885f2b668a2351d53be134aab6089c4f90b067920cb2638cd21ff7e54e073b690d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Et

Filesize
54KB

MD5
af2e88cb701298b419c76ac6e2d29138

SHA1
bf164d6fc81cbdf1350dc4cd12326a207ce26987

SHA256
02bea5cbe6052966fab2a8777c7be1927f70c57c57e64c46163288345e31ca80

SHA512
06c9d449eaebadd21a30f6960b6f3fe989f4316dc6119acbb5366624575d9cc7cac16d6825a08b286fedeb4cdf134e469f91e23e895833bb254c7bca60d7724e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hammer

Filesize
64KB

MD5
a594248941cb800e60aa32730e5afb2f

SHA1
b0f9230e670211942c750d3c68b148e2164947d1

SHA256
0df59af13668eca5be679c3e3a3da05185a59b2fd9778f2aecf3a3f353b9616d

SHA512
44923dcfbe8769895fa1be73bececefda9f78bfd40c18f0a44427225297f3edf28718becce133b0c883bd5f878bba82ccc0f658982eb187dd810ab2f43a53b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Inch

Filesize
5KB

MD5
c5ee4dcc9184a60b60f76481af4529b7

SHA1
7bbac90ca2bec5b295fed1c845dbec6ffddb727f

SHA256
7863ead1f7df1a80fc847a1751d02d99700714b9a4848401028bc7d36c4ba0d0

SHA512
c8cc6005194b041381a20ab0f02f7b35148fbf04c9b1b32d36dc4fa3aabfa5cc0f2db12163cb727ce48bb4db72fdf31a0e676045306cd72b9f6c625c1fad24d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Innovation

Filesize
204B

MD5
a159d27c920ba255b699838eaffccddd

SHA1
07e71d8b5084395931df7acd1771b2e9609e4ebd

SHA256
105b7b26ab1b62e5d3f32bfb07fbb8f91ad3e434a41ebc55c9d4d3befa82528d

SHA512
7bb0119fa06d4b6cc214015b2f87e05e9c1f1d139d7c85089c28a3ed36254d41dfb4ab8b19e471424f6d487159e497f5488bd8607d005402ed0820fbbdc0225d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Irs

Filesize
56KB

MD5
cdbf87ed2611759361edcf2d1c36cb8d

SHA1
fde07776b66674be84f7e112b080c4b20a6972cb

SHA256
4a2afbcbf160bf24e04c3b9aa72267ffe589a7126aedad36e8fd22126fb79ffd

SHA512
e1b1faec18c602f5d89c64488c148ba943dbfb014e4e2f030a00830d032c58ba95f79d135c39a4cf7346dd815f1996a8f863642f96f37ec9745dd46f42b6e32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Issue

Filesize
68KB

MD5
c2a3acd5ffb5894a56f6d3546d5f9e57

SHA1
76c605744596cd2ece89fb6b7a6ab02379379eff

SHA256
f2bfdcb7a8fe95b531c796bd581258b9b61d1fbe815311f6dc2a633b0f80d8e9

SHA512
681ce12931591165b40bd46235bcb9d2fd2913aa9f3841d3d0b51c1276d951b85b30b50c0d92437191fc79522aba017c56849fa35826e71387401a716c6c01da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Locks

Filesize
144KB

MD5
1659a7eb3dba9d9143f98def92dbbb88

SHA1
3338d23d47256b6c4bd475bd953dcb7b6de13f87

SHA256
8271297087605f98d4351eff05198533a63924f7b666754b85894392aa9327dc

SHA512
c473fc5b74a1877e29f2e904955bd1bb270932cb40148c25c49d5dd7f6d1932a1e70692083176c00eea82adc73e3bac860847bce7bab5d1ce1ed259415fd795f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Marble

Filesize
176KB

MD5
955750a52c9c524e3b1df558e4e598e1

SHA1
6362a9a195fc6446cedb85ecc8df0ba82a9a40b9

SHA256
f233ec33624377ac70388bd8738bab20538b7f8cae46dd1e8bfaf3c87014580f

SHA512
1d7e2fa136a618deffa215fec63b24ca1918c0d2f467c28572a6907e1cedc2c9356536ee111f9d9e0f917d5e38f3322cfcbb0d590c94a526fd9a98e3057b188a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ml

Filesize
8KB

MD5
edbf126b0d7e08948d224a05c9f95c99

SHA1
3669fba40d2ae16eaad5b6f35c92316d478e6d62

SHA256
8ded4af5019a2a1bc87ac8b309ba3de6595ea545cc654430804bb67ae1c38ea3

SHA512
fa75adb54353b5ae83ca072a941fb40d6efc19444e28e425e71692e7801eb9070be8967634c22148f0691743edd878605eee08867797142df1ac9c8c7f8a16ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Prev

Filesize
50KB

MD5
b38311b401517c75f606fa819430d170

SHA1
d9ed5c00db2c4c81a86602e9e66066788d87ce9a

SHA256
f4668ab86a62ae276fb3e9f0940e4a0b0456ff308b552f6e162795dd0e36b704

SHA512
5152bf7bc3eee603784dce61ee9ddd5ef9903fc6219e3052b96f7f0652133e50473ee25da4c85672a67ec3d47ab9bfb4e295a9a4c2a6f60019dfc01c65c9f3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Probe

Filesize
21KB

MD5
227f0c2bb7513cb9549bf64d7a9b78ea

SHA1
0a9b1a053fc2a69b263a47f4b91943f60ba33ab4

SHA256
09b0812cf3a6232db410a32a7f288d2a2af53116475bd84c00cee02413798ada

SHA512
4a9180ee4eea8519cec3d082183da51aec4a0a0f1b71c1c19266056c400682a9c6bbe24b03ccc897690dc41007bdd9ab7ff3366f049ac1ab647acba9c39a12eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ray

Filesize
8KB

MD5
15b3c47ee4220a1317285551dc46df3b

SHA1
ecccbd8d0bc7616f30548bcee6179da004f64553

SHA256
9be2db11436373cbd4dabb4664297a0814ffa18be3a9637de1b583adb863ba79

SHA512
9859bda25d9eed059d9ac27d091dffcb63a1ea7a37c2dc3b7a7c8006d65e64414367021c97b4c27f1de2dd021f125d7e6451dcd07a497a05c0e0150c6f56d4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reservations

Filesize
55KB

MD5
03bbac1012dc934a35d46a76a50e08ca

SHA1
a5e30a19cf6158349cae5731c35c35074dab14e9

SHA256
48eae157cbce36131cd2bdb12783c54830cfd41adf64b79bf667f71bab318b72

SHA512
c8b80dfd1a0f56634c9dad9cb09672eabcfe448f7270a783724623ae08c87f2948409865e3a53c8a464ea88f51777cb037421d9112b5c3954b242bf28aa25f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Roommate

Filesize
9KB

MD5
ad4997c14c040ff7fac72a295d80e7c2

SHA1
d4ac36b2f27ff097e90a2ebe8178ffdb238e022e

SHA256
3713b88f240265d95a532172bd41471c624126826a6176363e5256e1303bc234

SHA512
ef71df08a3b04942390976d721a175bc77365c6f725e82df102ef0d2b9a9a6f1ded8ed66f31e159f97dffe1a468413ba371883ff3e32def1f102bcd0112f71d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Smoke

Filesize
50KB

MD5
a6f632d877e85b03e384d505ea5eb42a

SHA1
2482da9e439923377d00bf481bafcb14a2fcac3b

SHA256
1b462e05740e262a67885186c277495de523d66ccfa216c2995f9209ad250b2d

SHA512
b29a73018c6029ce9cedd366d3307e351d03462d4f2dcaf9316b34e20d9d833b262f3a0cdb0741468f97599c171b25c016819be39ddbade4d3ef28ff340bcbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Specify

Filesize
37KB

MD5
e8a0490f31dbef2d3167b57713023d79

SHA1
7856a4a2f9493d0d519700d30935f834c1c0f81a

SHA256
367162d6b910ab48099fcaeb0b15d5b2acdefe995607ffd0bdd3d2f5d5b0f2ad

SHA512
0f89df4ba61ed14b6ef1774cf8a96974b2220cc7c782451818d2395e111d6da7283c9fd2e95589a4d4f644c87ac8efa77ae9f41a17be547a8cf94bcf04e16c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Up

Filesize
60KB

MD5
44c2a2e9389c9670587e7738cc481612

SHA1
dacec904f8f08948270f85b6496d2d0d9a291766

SHA256
4e6c972ee2bed1fb9953db12ff17d4e2b9bb3dee64362d9d182aa492e566f08e

SHA512
dfd35d87a4fb63971f6b07e3f60f387809563486a5373dd7af20a8e5245f9ea0d429837ff2ce3e9015c00036a992c1dbf0447971f192bf6e60bb51dbf14a0d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Woods

Filesize
67KB

MD5
44814f258e71a515115ee6b5b8288d50

SHA1
a8457825e68aed5813384a763163dafdec3502d0

SHA256
29c65d8353f89236340327b3b406712f7bc167c3004c8c68ccd20cde1bc1bc35

SHA512
21afd05cdc279e459ade9343aa5e6b78bfd097bd6bc34963421c457d131fae4efb33117258d78c1fb2043df627cee9f4db60de4427c9599c8b2ced42470acebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6454.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe

Filesize
910KB

MD5
94e7e5e1cee055f9ac963b7650d5d8bd

SHA1
f18a89aa7fa97135b1214e31f2c79877d2a04284

SHA256
94fa692514c48c66ade5a1a90d07b4114272faf810801efa472b803c49231ad3

SHA512
13f1eeb4788bf868e126e840645f7096c613d748318958116eb3cbfc44dd5876b024b85f8dfa0283921181e1ca3424c721780607480fb7a621ac4650ff6b9e99

Download Submit
C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
memory/2252-397-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/2252-590-0x00000000066D0000-0x00000000067DA000-memory.dmp

Filesize
1.0MB

Download
memory/2252-402-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/2252-400-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/2252-448-0x0000000005DF0000-0x0000000005E66000-memory.dmp

Filesize
472KB

Download
memory/2252-525-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/2252-589-0x0000000006B80000-0x0000000007198000-memory.dmp

Filesize
6.1MB

Download
memory/2252-401-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2252-591-0x0000000006610000-0x0000000006622000-memory.dmp

Filesize
72KB

Download
memory/2252-592-0x0000000006670000-0x00000000066AC000-memory.dmp

Filesize
240KB

Download
memory/2252-593-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/2252-600-0x0000000006920000-0x0000000006986000-memory.dmp

Filesize
408KB

Download
memory/2252-601-0x0000000007770000-0x0000000007932000-memory.dmp

Filesize
1.8MB

Download
memory/2252-602-0x0000000007E70000-0x000000000839C000-memory.dmp

Filesize
5.2MB

Download
memory/2252-603-0x00000000076E0000-0x0000000007730000-memory.dmp

Filesize
320KB

Download