redline | hxxps://mega[.]nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ

max time kernel
224s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ

Score

10^/10

redline 123 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

123

127.0.0.1:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2812-355-0x0000000000520000-0x0000000000574000-memory.dmp	family_redline
C:\Users\Admin\Desktop\RedLine_30\builder\build.exe	family_redline
behavioral1/memory/1972-387-0x0000000000B90000-0x0000000000BE2000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

1972 build.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1972	build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612056176441098"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exePanel.exePanel.exechrome.exe

pid	process
5024	chrome.exe
5024	chrome.exe
4632	Panel.exe
4632	Panel.exe
844	Panel.exe
844	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
3516	chrome.exe
3516	chrome.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe
4632	Panel.exe
844	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5024 chrome.exe
5024 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: 33	2428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2428	AUDIODG.EXE
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5024 wrote to memory of 3848	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3848	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2028	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2720	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 2720	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe
PID 5024 wrote to memory of 3660	5024	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa63efab58,0x7ffa63efab68,0x7ffa63efab78
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:2
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4864 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1836,i,9987054778649562048,3419923292876505724,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe
"C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe"
1⤵
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\RedLine_30\builder\builder.bat"
1⤵
PID:668
- C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe
  RedlineBuilder.exe -ip 127.0.0.1:1912 -id 123 -by_parts -key 123
  2⤵
  PID:4004

C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe
"C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632
- C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe
  "C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe" "--monitor"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844

C:\Users\Admin\Desktop\RedLine_30\builder\build.exe
"C:\Users\Admin\Desktop\RedLine_30\builder\build.exe"
1⤵
- Executes dropped EXE
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
92527fa51fcf68ecbc6d6623220ac0c9

SHA1
e499fd9849bcb1031987ab44b57cb6b75c49f138

SHA256
79bdc1a180852562156241139aa75eedc082130b66b23490b8fbd7792eb83547

SHA512
5a9c892833bdd2cad5c816df3e0fe24a29165cef067ef5c1499d8bb9f5b2445ce7d9ddc8adf2c753eba436a587ac422cbe4ae4cfd0d9d2610c42afe60f5b72f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\00\00000000

Filesize
4.5MB

MD5
a1b1845c79c6b9626272e30eb599014b

SHA1
e4f96c9c662b1d6f277b5eac4a764e9bd91a23c5

SHA256
c35bf5bc5a95d9698f36ce56ab13d00b5a5202e5bb8c37b83fc494909382cde0

SHA512
753dd5ee1edda24f313da08f137bfe2115f496aa85bd4f6861846e9989452b430fcd8b26bcfece5824a828ea159e9c5f04810ea7b50e43e13451d18d1c01326b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
11KB

MD5
2bc0761143ae029323e320a82de7462e

SHA1
1d0d616157561bb46878cfff70ac35dc81cb8d56

SHA256
9147a52c82d913c7158c221df065fc4e2c5cb0169027e9a611474e4cb3a2933e

SHA512
95fb574d2e0a7d9a8a2d79f19e95ac261788f6d93ec874e35f5e837b27e85ca30ab9b293ff3442572bf00efe8e1d8c20e810e372a376ddb3e72fad1929ce5116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
a65ee9b2a61e3aec2b5491e5eaab1a8d

SHA1
3f34153943a988d144f63a0f8c381d513a544445

SHA256
0bbf30201f85c134599e804367f33e402972cb2590fe89dd33f9180d343b8334

SHA512
3e69afc8312c273f59cdf4e24f0801b54b53a7df12a5f3f31fe4b013c11a28e902b05aa2caee36f5d00bf9a700bcbd8d10eb1054080cd9cbfe6405f857cb28bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
78fc7d1ad98795df18ceef8c49230ada

SHA1
dcd4a3817358c8b0475220c0c19b74edec17a588

SHA256
85b6f6046531c18305d21ea4ab6fe7ba3bb3e734e74b4f460a21277f0ff1f59e

SHA512
1b328fb7ffc0cec62ec87592ea481fed9fe693ac371d3f08a4a922b3d0af4610bf204a44427a68376cb5c18df9018333a45c331ae39195427d583f50f780855c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
0c320a648ae1e2c7e11912aff742efd3

SHA1
866d484618beeb03c5c666b3eafd5a3ddc5e68a9

SHA256
9fabee8fb82cf05fba77ebeccef7b98be5f1284f1762018b9633d61d9c6e44d0

SHA512
6643d02c4ac1d3867e9dd9ce85b23275bb258bb28715f22a8e457f6759c3abb3328533443da855a2c4673e29557ebf470ee86b81166ddf12c6eddc3f1254f2dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
7f6d64f764d124357d349678a556ae73

SHA1
82ca255e4db802a32321cdec537d1857d9f4b271

SHA256
b3986ecf7dc7fb5caaf66b3391d31f64d039efbc8220c8ff18158d401df5f533

SHA512
8ddfcdb4cde8213eea6024699950d2326db55cade09f5cdc011087e0820fb0d7755e276723368588be6f543672ea118fbcbef20076b75b46a0667394cd7ba63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
ef9c30b9ff887082adb8b28fbdb2d75b

SHA1
5659055af1881fe3451ca8a4368510baaeb09d14

SHA256
f040738583b26747f9e1b991227ac21fd3ee0329462f7a4408230a6db3168b03

SHA512
b16da933c1c12c202a62ca724a3c5b5cb6f9929878e2ae1b5f3bd7d7252760420fa9fd0aad08a5d412ffa3684ea83c63cc55f8cf7cca9571962f3f8d17795f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57661c.TMP

Filesize
333B

MD5
a4d60a859b4166fe0423a3492279fcff

SHA1
9ef197fa68f0faaf8fe5adeeffd2a467386f5539

SHA256
55cfb33f37d7df320224cd4c558994d762d2abc2d81bd6f68bd23a856750cf28

SHA512
d987662c9f4181780823ac78666dd827fa23b9edb23075b939de419aa3cdb68ef0bb8fec99ff12ad197611011d769cf0601bbd1829a12dc8eebb35e8a45836d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
23beacc06e7b6efed7b0b8d0824e5559

SHA1
1a083b4ec107e2174f4762d706440a9ed0c7a68b

SHA256
e01c6fc7bbd4763fb471c419ac660f476e8508d3bc3a343b7dcad9e352d84da0

SHA512
268deec3cacae1b5c333eaa17a04f414f2e231b1cb54e679c8295c3d508c68c01aa88d8842303fedbade9e10e4dcf9f612261442495a311b92b51be766edc546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c328a26152b55e8546fc10c4dfe1df0a

SHA1
f3b1854ee4abdfebf19872cf0cd33978f599a4c9

SHA256
a12000735afcf71d64ccfc3d178e693a17e74a4f531fb11c7ce1ae1d1cc68335

SHA512
f6214bc088dd82d345f88aef3e81610c2e9e3657556748bd23f8d48da823db9d8cd5f9664486b28f9269f6148ed70517bb9a460d0298326e922a4963529c084a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
517B

MD5
127cbfa5776bcad9dad98233fead606b

SHA1
2094c8fe6fa5f2bc3ce07041459774e20c4e9668

SHA256
12a7aa3e48ac681e737733096313591f8f23ef37c9d094e6d8be2535a7df3246

SHA512
f98b7077c6bca4cf42a9cb90fc4c61427f7cf7a6c5fbfd5f980a2d25d1c7f00e7208f1a328b24904c30adae46d87ce2cce6798da0bdfcd63ffe34ba418b1a83d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
eab38c2c55c77ccf356ebe909a3e1270

SHA1
71cbcb0dd3d26c26e93fb6ac4c84df05cee34611

SHA256
61f82d742b9624bb09bb6ee5c46b4f9eb919f6f69f2ea24da57f24b350ee0712

SHA512
10055ef5e6cd456fb7177b1beafb16ee84207d7efbc4a92b0e662408feaa174f84de5f10a7536fa6c52b44c9801ce9b378d216a391444df5fb2896c17f94b60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7ed43767dc78987739ed1bc72feb9800

SHA1
68447e48f72374c57a7663d71c390b0e29c0e8b8

SHA256
e4c069b8ece1d2568ee848e8e850220541119d7cce71abeda8d36550f4fca966

SHA512
0bb2a3cbd65fa5e0fd5698ec18e397e35ac76c7e6bc506ffdf991f20d29416bd9d0222534485631c87ad1def7177fff95eb66ae8d32ae8a821a001d63ca5697d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
850589e8985817da7e84ffd7d249efb3

SHA1
bd24ee4bd91721e226ee4531fe20c803e22081fb

SHA256
d570258373541de2c8cdc220051d7785b13beb8e7d8d10108d5e10e513bd2186

SHA512
4fea55a0dcd72c36e007b8471bb83217a2be5437340d9f10f49434ac3f3691f1d81c6394ffc10bca5285f0316fd1b0fde3f13791741cb81e081b9808d72c75af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7bd58b63840a331c30899fd236b99f19

SHA1
bf6386e9f549a385cdb68e28cabd1c5e4423b69e

SHA256
78c4337ba6da9f1a608b5074069fe98b7ec8a239af4d3e541b6c833e8dc89b3d

SHA512
1b7475f633d47ba3e76c2956c4d0953480a43bbc37c64475813146d3efb27e507a7c88d430c2dba2fe329c22ab048b14cedca80ff997fdf27cf856f9668089a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b1dde614-d8ca-4300-9ebc-082d888b7101.tmp

Filesize
7KB

MD5
81a931f7a719aac2bd7f90ce535008d7

SHA1
7467fb4ab407e288fa79b3c131264cb86083e426

SHA256
407bebbce4e8c1916feff79ec2f1468be84df8ae9561c93803bb72ea9475ef51

SHA512
c0bf80c67f51208f2503b1f21428e611de498e408d49aea8fa431045e6715293dd0f21de7ded9e022a790542c096657f91a8004bfe3febc7bc65fd1feb2769da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
800181f4d08cc06b8e2cc10bb91c8059

SHA1
7a5beb32ae988a5e5b332e2ea7847affd0f51bef

SHA256
d6f82a58ed355b1745b450e5b943dd605f71c9b31322bf8746a71a8882f25575

SHA512
8885d2d7a689be5f287ef465ef6c3817945133790f36c3a3cf0c475d70e29465445ecf970fdc13a08232b6560cee02badba2417cafe0eedc5e9c33b1d555c61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
7b94fe80f88cac43f8e5537b524dda77

SHA1
853e71d4ac1ea97d425f6b374a77199e01a54557

SHA256
1b6ef75f88219ddfb0a86451d675533801b3da80edc0160212e92f9285f3d6e2

SHA512
63f538c6bb0f9926c2345a3e0f5c280c454bdaa0f2fd84ab81c4dedfb5cad0d055ef1a894d49a179c87895621d3d6141497f37f5e686fefc9458aaeb08858585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
b2ecf5cec744bfe0e2ab37f16e4a1ad3

SHA1
7e0cc7a68ce5c0d6afd42c82a8ab5e39bb557d28

SHA256
930ebde30fb06701e0fff77a334d099fb2beb6899401f03cddacfbe2d64696c8

SHA512
79d44e95048bd0bb026b21e5bce31d5f8956c3ee3be5057d8d8eb5d97675c353d0710749124c7f8332daf1e9205d6ecb4a5b7185e755ca47e1d17bca9b07c0ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5802d9.TMP

Filesize
88KB

MD5
7971c01e882baca2a5187b1f7787dc41

SHA1
7ad762891285250c932cda42065d2f53086bae72

SHA256
b2e6ca41b12e0b40bcdced4f3b053965b59bc37a97a9dc32dfe4f9e7112a7989

SHA512
47c59f12e18d8506b405454c910991e71b68709501b7856da79787369ed6c9e39fa6b14444055dacde136c61015fab1210e3069d9794e22992c9f52d64c49304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RedlineBuilder.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\Desktop\RedLine_30\builder\build.exe

Filesize
300KB

MD5
90a47d9af413f808e91dbb19814b72d1

SHA1
f844ad38687f36d89fb6674383a10f4df9bae245

SHA256
61549160a1eb772ae966054402b3237e4c934022366a1d16078d2b1f45f95bec

SHA512
4f6845dfba68187ce7f64d21b63ceb59be70937dd1f7612ca891f2c4e4836dc3f6a4225ea1cbfb9e18ecee0feae3cd746969059891c631c9768a6140b1de0902

Download Submit
\??\pipe\crashpad_5024_SZXQKBBWVFPJRENN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/844-373-0x000001A3FE200000-0x000001A3FE23C000-memory.dmp

Filesize
240KB

Download
memory/844-374-0x000001A3FDC60000-0x000001A3FDC70000-memory.dmp

Filesize
64KB

Download
memory/844-362-0x000001A3FE020000-0x000001A3FE0D0000-memory.dmp

Filesize
704KB

Download
memory/844-361-0x000001A3FDC70000-0x000001A3FDCAA000-memory.dmp

Filesize
232KB

Download
memory/844-363-0x000001A3FDCE0000-0x000001A3FDD02000-memory.dmp

Filesize
136KB

Download
memory/844-364-0x000001A3FDCB0000-0x000001A3FDCC2000-memory.dmp

Filesize
72KB

Download
memory/844-365-0x000001A3FE240000-0x000001A3FE2B4000-memory.dmp

Filesize
464KB

Download
memory/844-366-0x000001A3FE4C0000-0x000001A3FE50A000-memory.dmp

Filesize
296KB

Download
memory/844-367-0x000001A3FDFB0000-0x000001A3FDFC8000-memory.dmp

Filesize
96KB

Download
memory/844-368-0x000001A3FDC50000-0x000001A3FDC60000-memory.dmp

Filesize
64KB

Download
memory/844-372-0x000001A3FE000000-0x000001A3FE012000-memory.dmp

Filesize
72KB

Download
memory/1972-387-0x0000000000B90000-0x0000000000BE2000-memory.dmp

Filesize
328KB

Download
memory/1972-393-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/1972-401-0x0000000007740000-0x0000000007790000-memory.dmp

Filesize
320KB

Download
memory/1972-399-0x0000000007A70000-0x0000000007F9C000-memory.dmp

Filesize
5.2MB

Download
memory/1972-388-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/1972-389-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/1972-390-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/1972-391-0x0000000006700000-0x0000000006D18000-memory.dmp

Filesize
6.1MB

Download
memory/1972-392-0x0000000005950000-0x0000000005A5A000-memory.dmp

Filesize
1.0MB

Download
memory/1972-398-0x0000000007370000-0x0000000007532000-memory.dmp

Filesize
1.8MB

Download
memory/1972-394-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/1972-395-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download
memory/1972-396-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2812-355-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/2812-354-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2812-356-0x0000000004E70000-0x0000000004F96000-memory.dmp

Filesize
1.1MB

Download
memory/4632-360-0x00000271FAEE0000-0x00000271FB090000-memory.dmp

Filesize
1.7MB

Download