redline | hxxps://mega[.]nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ

max time kernel
382s
max time network
383s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ

Score

10^/10

redline 123 infostealer

Malware Config

Extracted

Family

redline

Botnet

123

147.185.221.19:64245

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-1027-0x0000000000D80000-0x0000000000DD4000-memory.dmp	family_redline
C:\Users\Admin\Desktop\RedLine_30\builder\build.exe	family_redline
behavioral1/memory/1780-1106-0x0000000000910000-0x0000000000962000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

playit.exebuild.exebuild.exe

pid process

2268 playit.exe
1780 build.exe
2180 build.exe
Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

116 3596 msiexec.exe
118 3596 msiexec.exe
119 3596 msiexec.exe
121 3596 msiexec.exe
125 3596 msiexec.exe

pid	process
2268	playit.exe
1780	build.exe
2180	build.exe

flow	pid	process
116	3596	msiexec.exe
118	3596	msiexec.exe
119	3596	msiexec.exe
121	3596	msiexec.exe
125	3596	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files\playit_gg\bin\playit.exe msiexec.exe

description	ioc	process
File created	C:\Program Files\playit_gg\bin\playit.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57e6b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e6b6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE791.tmp	msiexec.exe
File created	C:\Windows\Installer\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\ProductICO	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\ProductICO	msiexec.exe
File created	C:\Windows\Installer\e57e6b6.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081a0e6b9f9d406b40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081a0e6b90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090081a0e6b9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d81a0e6b9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081a0e6b900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

chrome.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612060410920182"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 27 IoCs

Processes:

msiexec.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\PackageCode = "CCDE5D5A893E22040BC73EAC637B5429"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Version = "983053"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\ProductIcon = "C:\\Windows\\Installer\\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\\ProductICO"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\PackageName = "playit-windows-x86_64-signed.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C\Environment = "Binaries"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\ProductName = "playit"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{3C118C54-DD01-4A9B-969A-754FF87AD903}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C\Binaries	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media\DiskPrompt = "Playit Installation"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsiexec.exechrome.exePanel.exePanel.exe

pid	process
3396	chrome.exe
3396	chrome.exe
4468	msiexec.exe
4468	msiexec.exe
1980	chrome.exe
1980	chrome.exe
6092	Panel.exe
6092	Panel.exe
5432	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe
6092	Panel.exe
5432	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXEmsiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: 33	4168	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4168	AUDIODG.EXE
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeSecurityPrivilege	4468	msiexec.exe
Token: SeCreateTokenPrivilege	3596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3596	msiexec.exe
Token: SeLockMemoryPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeMachineAccountPrivilege	3596	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsiexec.exe

pid	process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3596	msiexec.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3596	msiexec.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3396 wrote to memory of 4956	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 4956	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 3068	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 1500	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 1500	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe
PID 3396 wrote to memory of 680	3396	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/ylcXkL4D#OYrzXbo7t_dGAzkttfOi1S8O--PmvaR-5c0w6_6UhJQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8756ab58,0x7ffe8756ab68,0x7ffe8756ab78
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:2
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4708 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4892 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5080 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5308 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5368 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5320 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:3628

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\playit-windows-x86_64-signed.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3168 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2712 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5628 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5964 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:5296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5912 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4888 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
- Modifies registry class
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5400 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5832 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5824 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4084 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5952 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:5244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5952 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=1820 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3932 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6252 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4308 --field-trial-handle=1900,i,15079263903094641833,15896403921749947103,131072 /prefetch:1
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x414
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1960

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe
"C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe"
1⤵
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\RedLine_30\builder\builder.bat"
1⤵
PID:5124

C:\Users\Admin\Desktop\RedLine_30\builder\RedlineBuilder.exe
RedlineBuilder.exe -ip 147.185.221.19:64245 -id 123 -by_parts -msg "123" -key 123
2⤵
PID:4968

C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe
"C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe
"C:\Users\Admin\Desktop\RedLine_30\Panel\Panel.exe" "--monitor"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5432

C:\Users\Admin\Desktop\RedLine_30\builder\build.exe
"C:\Users\Admin\Desktop\RedLine_30\builder\build.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\Desktop\RedLine_30\builder\build.exe
"C:\Users\Admin\Desktop\RedLine_30\builder\build.exe"
1⤵
- Executes dropped EXE
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e6b7.rbs
Filesize
9KB

MD5
6ab6eaad29865a114ccf164c5d8a6607

SHA1
692a2a026861e37167afb603e517a1cbfca58bbf

SHA256
8ba19a11983f11a5a58f978c245f256df20ff07aa1cbc7b6d91d3c6836c207b9

SHA512
c74897608cf87d46e62fe988c27b67393e5d565157ae37f9ebb7a157d39ef9412a6760e491703abbe7cd4ebe5a821fad0f925ec6e4a765b5ef97e301473e36e6

Download Submit
C:\Program Files\playit_gg\bin\playit.exe
Filesize
4.4MB

MD5
b52b1b1b92b4c4e96a9352becdc372b5

SHA1
0ae0aa823e4daa2f644c574f64281fd4f3a36d31

SHA256
7dcc38a9820ccb0de9c5652fda9976d9f649f4239ac5e746a419f3076b324dd7

SHA512
9e0ef219b2a8afffbaf21100c00a491a218e5a38690b7c033ce6c049544a85f12414b0f3be4099ed55cc69b05c4f0f6fac28392e91a70e4b4ccd255a4101b4fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
56KB

MD5
cfe1ba230cc26dba25da6ed56da4a427

SHA1
85ebcdb70daa4ca949a7b14c2910752a88391b60

SHA256
d44e05fb81ba621a7f49b16b94d4ae79523bd31ff7465a0a24f864e76a2b72da

SHA512
a28916e67a33d38c09ddeb295f945693dde986bd6950507e852d7fca239256b32804ecf2e1fda42794a75e405c05dfd2cbef7aa7f3d3e579566fca2fbbeab8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
d467452468a47d1ebb703a023d1e3ef4

SHA1
59849e1c395f03474fc96cfd856c165b287aee15

SHA256
fe4a4484a78eba2e0fb7dd4c2fac8e9bf02754e61059d19b887c99d19c65b565

SHA512
a6947fb1c385a762395cb571404848fd4ca18575586e565988f7f60c4cd22e26e211b4e8f82699ccf26bd6f141403787d9bb3b797e31c25881df26b1ff42d79e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
83e45f37ed2000a10c99b8b742ef8104

SHA1
110d9b6cc775b60ef7625181fe139b621293c517

SHA256
fbda95a0c8c2ea466222ddea3555bdee1d8add3e1f62b1fc3fe9afdc51e1140b

SHA512
a22e046de53920f4ff6120e20b877bef7a7c62234635397500c2feb8428ba076e574a2aa4ee7e5af7d33ac117407521f718f15aa088b8401463ca55c2652439a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\61ca0639-56d7-4151-b662-0d91ba56c16e.tmp
Filesize
102KB

MD5
bfbc35550c19636367804369f017cfcf

SHA1
74a351ad008bd3057ba4bc0e80658bfc84697e92

SHA256
c349c7a0d6ec4181f14c197288e3fbc7f4e8484df200e40ec06e7c1dfb3a8a1d

SHA512
6fac75deb768db9faa613eb9b17add125f31d9cf51261773284edf8e425d8091957aeeb9859b6673f9e73c8e8fb441f03cd114d120932ca6b37fd6830cc8aff3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
09f40336e0c752f31dde09319891b1d7

SHA1
8ebe5c34a454e371b08bf737c89706f2607515dc

SHA256
b1d85e13257e2a5939c9e7d6a443155912a8d78d59c9353d6a187c3ccd8ab1f2

SHA512
c903b17ec97b4f76cc0643239509e15b71d4f5775f99aad3fd004e34b549e4e7cd06d8e61fe487bbb5b8573cbd821eec390e5a4f834222034c4d4fc40f359c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
0d6d16b1619a9b58dad2543747e47ff2

SHA1
bd026632d99785865e2c7387d376ed5241da4878

SHA256
1a51a99c6afb5ca028e0f9d7cd43cb239594bf3e10c8be66dc768ce38f690467

SHA512
f881f0a38e88036593e036e202f5082ce1b39238e603dfc2915d5a78f4878d3ec2064bfac8f522ee8a2d17d748d0f52ddb71db3398be701c91b849a5fc113679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
430574393f95871bf034a3503b8f0421

SHA1
2650e595ce551c429a2f0976da858b3593995192

SHA256
e088f504b9a7dc51b949077de7cfaa75a78f54d3bb0cb820e268c63b0a1235a9

SHA512
95e3ead754579ad6b067a7a8b43e2b2be5b33190b800e95e118e0761522f68a672c7c928790d05a482fc0a894576f98b517d7f152cc6aea9d8846408c6b37a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
89972b928067fc5dc419412d5e8a94d3

SHA1
bd9cd16956be8fb2320ff6708f3930f7d31503fe

SHA256
9e15be9494ceb8055476ca87bc2b49c69ea1a785d851e45a4c3d22129d541fcb

SHA512
1dc0edc5e6f5b2406defd6593aa77cfe3b7d38f7d9a144d84d73ed1cf682e2fea555f3dba25c340865f57b01ce1a8b7ad0f1968233787353634ade2638341f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
2b61e6d89e1315d92e79d37d5034207d

SHA1
27ad8791781b52c29457360dfa21ce65f0b723ac

SHA256
bcb6a70c8ce94ba144bb8301fcc1616c873654e6b5fa0f383d34e31e17fe550c

SHA512
29d97c8b71905ff69c4f977aee0d2c7b55cce6c9d9d983e5a98c098eb47c31adae0b0b7540a76bdd1164486c57447c4e0b0bfc95da6f34284d4e3870fdd69054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\00\00000000
Filesize
4.5MB

MD5
a1b1845c79c6b9626272e30eb599014b

SHA1
e4f96c9c662b1d6f277b5eac4a764e9bd91a23c5

SHA256
c35bf5bc5a95d9698f36ce56ab13d00b5a5202e5bb8c37b83fc494909382cde0

SHA512
753dd5ee1edda24f313da08f137bfe2115f496aa85bd4f6861846e9989452b430fcd8b26bcfece5824a828ea159e9c5f04810ea7b50e43e13451d18d1c01326b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log
Filesize
100KB

MD5
23f3f1ea9224b21e40746b430e2250fe

SHA1
8110be29f1b36d22567ca222c5b3bd98c0a6d900

SHA256
01e674380a959c5f004cc0162e84ef868d5e761de118f7e19f99063af0501fe4

SHA512
93cf86dcc100053b87afb781b2ab7e33a1ebb17ecb7e4126ff45bd2f8fcd82e13fa28e8a20511a475d01cbf20e537cb059128813e4a4f3c127ba99c6f50e7db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
376B

MD5
49510159c6a141a1a1f17161f0e7bb61

SHA1
5302399e8aa242904953ab308d254a055f118934

SHA256
6d8a2e7b23ad33fb970cab88a1c26e1315e304938ab2959f54f2a09ae6985c5b

SHA512
7015aa8bc3647e53dc755f0b93958574a6238927397174d83c614c9e90337dd5a74082120f3d8e084492f13eff316875fc6906285dd3d6ac6fde13fa872a1243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
376B

MD5
441f62525f5b572d78619505eb2b29af

SHA1
8ff4da47ff42ab80d7081ccecb91050b6612be03

SHA256
842305f5e13603dc9744b1d8974ba9aeee88b6865ddd651e68cbb25867a965f6

SHA512
4b8ba386d76ceccb05105178d8e2de0b8ae7f266c939061cc20bbed92a2aa091bf6f054ebf64a0c5b18b32d56e2e9d045871e81e1177360ec9e8309737dd8834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
376B

MD5
bdd1997319dafa02c9ca4d50c92d10bf

SHA1
2a7351083d166713d9bbcf56b7bf11052516c902

SHA256
afbae43919a9a0f4d59f4223dc97e86bcfaecd4e27a7a1ca316802d042718000

SHA512
a746a299c12915f2f5c734d651868667302aa78c5bdb00f038957136d2822138b935068d202e72e459201858b88fe93b858a58d80f6d75c658a5d41fcc7219ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe575cb6.TMP
Filesize
333B

MD5
8c327685861cccd6fa23e0384e982f46

SHA1
d57355e17248c043b39c94020af503ea6ad41b9c

SHA256
dc150182b3108902241f8b006fa5247d1d810bcf426b1be6448a9b64913518a2

SHA512
903614884ecb753dfa54124e035437335f7e80097fd0caa6d26dd71b8add62f5afcc35a8453ace5a00caf8a5f1f2c8d8adb79fbbc43d2d4a608adf4a11d8a1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
169240018998e1d150019b9ec326d60e

SHA1
f7b3f7cd5c58aff596435e76d80e208f4aea35c9

SHA256
1c192356385beab89cdac26ef35b09821d60671b430d5ec2b3e22198dd780165

SHA512
5ea3ca32e15343d6e18f2c4dc56856e1164ded6eb3b5723840fc22791088af0c15632c8785bb1da01b4c2279b7f84f4dcd5f997e17482c25e8e91ac9663d4d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
c3e892eb2c79090eb0c30991c3e436a8

SHA1
04bc1aeb3d8d43e47c45d1e8668200520c658355

SHA256
95700f4cd2909b19f996b4ab56f74615fc9668952a8c96bce38c8c4333bd8185

SHA512
b8338061528fd9982f3ef91b5a544fecfdd0d0d44a605601151ebb5939732efa839d22c96be9f75afe0a62a809d9a471bc46033e0020c5e91b302986880ba9d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
fbd4a354ef1b3591d61b764ee2e4f27a

SHA1
c4f011d27099a1972759c7496892eaa46dc773b0

SHA256
91941620b768b491587226ed19f8976f2418e10305789aab875d3a463cc0f455

SHA512
3d4340f08531d29ebfbeb2d15b554fb3df073a7ba6afab00a80e10579d0aa3d24b6357a4d5d2a5594f3975cad492488364ea0ff1cc1694be2a47c40a313be98d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
61ead0eb8faa7119c9c8b046d9e8376c

SHA1
0d5839a81d8eca59550795dc851747fc6592b137

SHA256
f3f7ad61ed39672bafa16e86e4783e0675a476114d187efeb7e8f909ecc3b392

SHA512
ed2901d7cd4910895698d7b88738487a61bc0b94579d548cba90aad11fe07c4103d21e42ef5e7c618f6f6a173c3c0e597f8f06203f813e1ab17b4d19424fbf7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
ef17376cd5cac391cb76fcbea30bf8b8

SHA1
27124f3835e7d844418491bfb01f87872c573994

SHA256
de8f502c47e1524537ed1c2cbd9697def9bdda5982c09fe18977fcf5d55d6252

SHA512
c18719dc94570ac28d0a241f63825fb411cdd2e11dcd45f1459253a2ac83ebede02c2335ba0717bcccffa996fecb04cdc5544d106126bda9ba8ac17fed9244a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
edf4c7406e21d096d246a3ea5002ec0e

SHA1
7ad234c9325815fb1b3cdc6fa8054ac53f64167f

SHA256
66e7e6a28566c57c7ff3aa0ef8a5c6f64ccabfdd38607c898e65abc779b66547

SHA512
9506d6719a22f0781e1ce481bffed6c900d8be35e74dfb63394c6f012bc2fba0909b4f347a2c5472959b34f26ede144d77512c34aafbbfdb973ece7f723f1c88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
f2c6bdf07e7566bb6e16d3558ef657fb

SHA1
a8aee198b9b119b11e5a6ee32163a9ac99543778

SHA256
3f2d1ccaac3ce418972f7c9492eeac610036f878c22a63bea9e845cf4dcd00a7

SHA512
6b10e869b799959787cb57abece005550a65996bc4175a841bb54b469a29ba2cd8913ecb564cb051646b97639953be6f39a47806165dce0abc86d3d0d01f0404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b32d3eee7fd9b2cd1ba0440f598656df

SHA1
c1997c4eb1e33f742912d911f0adb7fb7db0511e

SHA256
cf012f92212785f35d7252a7296d5c17a4c959d74f900eb7218d3b19c744b0b4

SHA512
67eaba7e352e4d4431fe6963807a3616902e58c704f03838bcd4014c7e1d7952679b4e04279695fd045db8c65ae1810a1f58720ee0ae5ada44370e7c93d566bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
73bf8dedd1cd68cd8c0797afc74d2163

SHA1
1095595900f46308b02206b30a210f9f5ba4ceea

SHA256
15a1323d4247b07ad30b73112879a005823812f5fb1c353f94b96ead14d0f56d

SHA512
bb11d99a2df4110fc4b1f8bf56c43699bde527a8b3f35b8334d5c8d1ceff4559fef9ad0f533fbf26698edbd8ce1b39f3438dbfad817724e2ac1d1a62e99bce58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
248c7b0fecfbf12a1a3097c64fa520eb

SHA1
b7b58d55bd162759a3046a237ff8caf131d4b0bd

SHA256
673acaa554b60ca6aef12a89e0875ba9cf53454af5f27dff1c3dbc87f1e8a55e

SHA512
b3bb6bda04f944988d181d877f086e776906f5406397cfe462e3104ffe26e4140225589ab66e1dd84ee1eb84eb31183931163eed2c02e71188df0d93d38698f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
65f888421c9e5e84d7788fb908d619df

SHA1
3a2d4fbd3e648386bb8da0322cdc6aea6eb7f88e

SHA256
ba518d752f962fcf21413fb052df344bd3c753540dc993924654dec36b61c492

SHA512
7311ddc4b2bbcb437ca66fe4752e3e7a30be6a6629030e2fae7d6f548ef5c544ae387ccef8947ab666b72c7862c091b1bcb39c7787d82382ef064dd73c1b5949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
7548c1ca755704ca3e8c602472c2079d

SHA1
bdf398041d5bad6eb843961772f729646e27fd56

SHA256
1afa58e8fcb76bdf95f75b585e8ebc5bf314423f0644b095068bd158ba3d1ee4

SHA512
3686c29c65776f3286412b5162a747f768abd206ecfae885330b51b4f1b7f7bd2ff29ad661713e7b5438c3e9e112f9478651d6830c805981557ea605ad22a338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
dc7537a9312127e4e8a56e6d60365aff

SHA1
a123ceac8e57f8989c2e6eadab4fd1c859237037

SHA256
a209a5b48ca1ef2934233c2e26d172d34d68da2de42003c09ad72c3f1245a6af

SHA512
0a8c880b216a0cd20ac3e1ffb54a8402a8f629a4d0dfe556844fe718113fb1b26d73346b4177472fd198088f6e639d66728e78b2df0a4508e9df7d2148da86cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dcf6e0c6f09afcf5866b572e475aae3c

SHA1
1e6f56b483882b842a1c740196bbae4031898dc1

SHA256
3fcbd2c2dae33d8f311c3e9058c64be6538ce54bf29075b47bca4f460752032d

SHA512
5bcb38b5523ae4f22508e537ab4243a1f402917ae96e6b458656bf80a47581edb8dc0fc5c4a2026d9cd1453d2733d69ded5d7e72946785054bfb67e4b0837dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d48118c543600b4b824122e8ba36661e

SHA1
76c9b5285f3abe0fde2f141073f88f86f8010868

SHA256
36f7443c6fd2b8dd64029dc79027849a0dccbca0bb759abf6f413aa11b696af6

SHA512
b5f79428f62351ccaf33b173902ae036587ac241be6fb237e4d7c802b6858b98d9e52abfea09a5055a715c0c7ff20f0a6b87a2074896cf4e9cb93e526c79fea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
b91c0971e120b6c61b012249bc7c6bca

SHA1
ef5f2fd6607240bd5a494e9651050ad7d35355c8

SHA256
44e1e78d12183123d477ce3fdbc56e747ff2efa4bafad4e1cd68ea80b3f9dbd7

SHA512
e58e6cfceca2529d3457ce8b8c180c94a42f49c481ae13b140f3ab606a3a7a0c666684ab78109864d9facdd13f1ac67669b1aa4370921d0421bc10b6a822e8b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8f53f14c08233560f419762ad5f1ce93

SHA1
89e11c0dcccc58d40b381ed6f3de3914a150ab04

SHA256
dcc29ce45ec9fb8c672b5edd10e30ebc18f17abcbf66d9706cc3a64da9f6fe53

SHA512
c8894b024168d7a6b7501456260559802e7cdfc8b82b4c5a2c37067cf5476fa93d5f708fd3270c1bac8bb090d1947f575fd7b972dd90c1469e47dbd35265ee43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
0eef459d8d1c02bf12b0617a047535ed

SHA1
e0c7288c4ebd02235dcf2168060485eb5c0c3356

SHA256
efdb9a15efe05d4807b6e6c4acf9d253c074665a1fa4bdeca929fa635d66e50f

SHA512
5aabce0315f16a6d0dd235854352c2f8190498efd5fddba52e18a4cf26006f621cbe76a79cabe96fbb77a0ee197383f55f9cb401b3dcc79f7838fb391ebed766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
20ab813bf91a66e21484d055fa4f06b9

SHA1
5955e966ab483363c5a39992e59a0c96b131d039

SHA256
cad29bd5cfa4df0516aff5f537efd89c63769e4111320feaf17889150a544bd1

SHA512
603e7b4ebb4f55c704108cd1fe6009e6a767715bb80e075e13966e8d94079af788574c37b8a170fe1d4d809b81acb7a615a53146279e8b086a8573a8dfe3c20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
6b677fd09d769d080822e8d57523b8d3

SHA1
cc31a35ede3657804a6f96a7a42522aeecd701d1

SHA256
36f9ff520af3df9259b1b4d15e0d725cbaccc6600795cf0fa812a585606c3388

SHA512
d5820607076f46f13fa7ccb449a53ab3614303962a3a7263233881ca4392f9d33167e468a561623bca1e3d86b4b42871cba9b30f6848df3348a0d7c883564da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
bc5303909693f6a1acc43987998637d9

SHA1
fc84e14272d39594b76208331eb701b7b0b2ade4

SHA256
c5881846301ef254493cac41ea2501cb1e5219fa143685741ede8cb1762cefdb

SHA512
25c06d39e602e0df1d105ed4811e8c5763301bafc244095ce4bf6a12345d6f48e365a8045f88fd7a50996bbe2851f1bea4b0604fffb07e6c7cfd332e914bff05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
847b1364a471eafdfe62b364b84ce6f9

SHA1
20a43932610026e67f0c9da9a3d835304ce2b08f

SHA256
4f29b5f8a03ec13635d6446f95f00fba8fda52fae63598b879e9380baf14e060

SHA512
93d03e73f86bd7feedf7ce35e45a2db0b524f1ad35c12204c5c0f3222a6f1d43c163b02e2140c6b86f24880e95f0f68668b1922d2edd22e3393d1abc8c2a2d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
1ff829688e9a26e29414f5df91c6ce56

SHA1
2f7863809e15d77cde193ef1f16ec3b8d6ec2c8b

SHA256
538f0ea90a4c6f30544a82293c30925832603bacc3c004c5f68d04a848b5a863

SHA512
0ee9d180c0ca10581a470d3d87d919deaa5df569c3a36b13525fa6df35ab528a86c7ae42fd4c93cbffad6e9e86ba91661c5047473274b15ba794b71915b0e7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
254de45f123a403ebdd1503b7eeeb7c5

SHA1
6bce03032aa2fc2f2eae537c8206215f1b28944e

SHA256
69445eb22b9a8f2d5ee26a553037d138899556564d287d927962da562a92519e

SHA512
1c61147c4e513b33c02689ffebd4dce690ab225d24347602bb95f0645feb4155d6264e1da6b4e25d4bbc2aee837c006f3e930bd0cd9da5fb90f4d3f107fc2f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
6c598184cfc5247913b9400f9550e873

SHA1
c93d1b5f767ae64b1f7d895d3b0d401ddcbc8a2f

SHA256
926705b355b3c2624339a38946f4613ac3cb75b246fea26f76d41b06452e7878

SHA512
3a855f318b9443e72cfd004e12b22be24f060c40f05eaa34a228ade5ff3286cb97c0158c5c1c7354ab7a0f720eeec8eb7b3f15fef2bd6147aae39bc15d77b9fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
5046028707824f8b0dc894382b504e06

SHA1
ae87028ffc7bc275b05e21f0ea69ff26462bc09c

SHA256
7604dfef4e3a6be57944345486d14d3bc21a579f9d1c397f15cb9e30ea92dbd1

SHA512
97e42996c008279d8ccaa40c95f1b0c8c6aa171ae8986ee34ebbcb466ba8fdb1244b5449b5747ee4b2d26a16e35a9f0ffbb92e1eb384563e4134f7468a6e01d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
643ddde77615938bcb6284e0d584acd5

SHA1
30fb307aff0c9c77f4421717d771c013a39b6e4a

SHA256
cdb04371943a159013fc3962d90d2e140175718ca8048ee139da22c5e116073a

SHA512
cd7d2d31da798ba8a71e537eee8bfc061b41aad59ac9374b31338d5e49c33959f5b068de5fdbee8927c42974c224f97dd2ab30310b795a81e5ee185af25fe0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
e1bcb7805ededa7d3bb8308ce9ffe190

SHA1
53dc690708180c666f88b60eedeb3452b4d5ecc1

SHA256
ee58ec613827ab8a3717812dcb9c29ccf453a923e3beee39001ea2f82fe58d23

SHA512
1e099a9e584a5efad8a3d4d88a8a5be6cb8a03e2a6ae82069e1c7069f69395725e8de3b23f31a474b29622e6df20b43c4b5c57aa62e97523e0aa37e648b54342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e2af.TMP
Filesize
88KB

MD5
fd725ae771b15997b2a5bb984c3a669d

SHA1
c48a7ca26c166ae66e814c88c8f7d0252552ef91

SHA256
bca8a4bd6d7ab18a9418042b4502733b73bc1cd09ccf73cc288afdf0ca9df5e9

SHA512
d833bda776e4989d53aaf364588189a175fd9339a468c64be8c60f0254fa57185673f3c1db9fa9ca2c47bd032a9fbd186689572afc912def0498fa3980873ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RedlineBuilder.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\RedLine_30\builder\build.exe
Filesize
300KB

MD5
75196430992e2a5816ef27b1510cab3e

SHA1
ef1fcb7945a3528ff2f9f24e2a0ae72979b5294c

SHA256
9c8ea4188ab019c166445dc52c1f4aa33265c85723c99a075d73546db7a90c96

SHA512
872b586c0c16701f39f6de35f65d9a52b2824ab39234c144971dff7b187e1c1ea47883eaf6f4e3bb7529abe03f6578e0cde29edcdef380b406df34fe408e1c00

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 147544.crdownload
Filesize
2.3MB

MD5
93b91c8721ca2951ecceb0fc0e739cc8

SHA1
f5ac76bae778acde000f72d5630d1a8983948705

SHA256
727679568706156f635be9b786c61b8fecaf55894b902a014aa6a2a691fc3108

SHA512
3887537ef47bf8adf0d5b137a7bfe52610eb1e6f3c37d6d3e778290cd88fe4f6643e50387b2a154cd370b71def316340c62046263054ade27ff5a3df1865ab65

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
9ab30fe5bbc5998d212598f9608dfe3c

SHA1
df58322b00bfc648dfe79d99adfb915a7f579289

SHA256
db677be283e5597cb133b9a19d77e53495be4e54c45fa15d5e3398384a76a8f4

SHA512
7f48e60ef1b680b0da46b285a7eefc8dba033e455b9210321c428b49538a1bbd85a70385b16751b35495b16179e5fa8d48c6a2ccaa715ff7dca84a1184ca1584

Download Submit
\??\Volume{b9e6a081-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9035e321-8852-4ff5-a2e0-e868006c1ae6}_OnDiskSnapshotProp
Filesize
6KB

MD5
7e95717b2fb19d1ace2d7bf3d4813ec6

SHA1
0940880d4d6bb5fa04ce844823db71273614dc22

SHA256
511eaf0abf14a69e0a19aa0ed04a251dfcde8024b5bdf20ba14b84d4e0593739

SHA512
ad10fcc938b67e12ab9365f8abe272fc4224da09b2b56140ca40c6bcd3f9df6fbef9bf2a8893ad96019f84035731a38d713f9fa2ee6f483ade8b4ed94e8a3d59

Download Submit
\??\pipe\crashpad_3396_XNZZRGIELGUAPRLJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1728-1028-0x00000000056C0000-0x00000000057E6000-memory.dmp

Filesize
1.1MB

Download
memory/1728-1027-0x0000000000D80000-0x0000000000DD4000-memory.dmp

Filesize
336KB

Download
memory/1780-1115-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/1780-1113-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1780-1114-0x0000000006230000-0x000000000626C000-memory.dmp

Filesize
240KB

Download
memory/1780-1112-0x0000000006290000-0x000000000639A000-memory.dmp

Filesize
1.0MB

Download
memory/1780-1111-0x0000000006710000-0x0000000006D28000-memory.dmp

Filesize
6.1MB

Download
memory/1780-1109-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/1780-1108-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/1780-1107-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/1780-1106-0x0000000000910000-0x0000000000962000-memory.dmp

Filesize
328KB

Download
memory/5432-1069-0x0000021925F70000-0x0000021925FAA000-memory.dmp

Filesize
232KB

Download
memory/5432-1091-0x0000021926E10000-0x0000021926E20000-memory.dmp

Filesize
64KB

Download
memory/5432-1090-0x0000021926E50000-0x0000021926E8C000-memory.dmp

Filesize
240KB

Download
memory/5432-1089-0x0000021926DF0000-0x0000021926E02000-memory.dmp

Filesize
72KB

Download
memory/5432-1085-0x0000021926020000-0x0000021926030000-memory.dmp

Filesize
64KB

Download
memory/5432-1075-0x0000021926680000-0x0000021926698000-memory.dmp

Filesize
96KB

Download
memory/5432-1074-0x0000021929940000-0x000002192998A000-memory.dmp

Filesize
296KB

Download
memory/5432-1073-0x0000021926470000-0x00000219264E4000-memory.dmp

Filesize
464KB

Download
memory/5432-1072-0x000002190D600000-0x000002190D612000-memory.dmp

Filesize
72KB

Download
memory/5432-1071-0x0000021925FB0000-0x0000021925FD2000-memory.dmp

Filesize
136KB

Download
memory/5432-1070-0x00000219260D0000-0x0000021926180000-memory.dmp

Filesize
704KB

Download
memory/6092-1068-0x000001BE9CC50000-0x000001BE9CE00000-memory.dmp

Filesize
1.7MB

Download