redline | 87a18ffc1761342775bcb5bdbc41c5427e88fa2c3735bdc729fccff9aec0396e

Resubmissions

26-11-2024 19:55

241126-ym5tqatkbr 10

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft.Web.WebView2.WinForms.dll
Size

37KB
MD5

2ee1f3ef07d12f0f0433927a3d33f7d0
SHA1

d2215cf3e0daf99d9b77db487e0ff0de9a8bfd2d
SHA256

49cc6f438ca9550e6f06252f1949bd886374f3be70f7e74f8f7fa443cde8ad87
SHA512

58291abd71ff33b139e8b20898e5a180b1d963b68f8acbd8e46deb79ed8fb45b07805982456143f3c4cf3680bd6fb6f364805472cdcf8946af392a25609eff9f
SSDEEP

768:JJpRNRbnIfWuxCRfXikLQYZDgcEST3p4Jjrjh2jeFSUyauTv1JKia5/Zi/WG4KgN:z1R+0ikQYZDgcEST3p4JjrjaeFSUyauO

Score

10^/10

redline discovery infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral16/memory/452-903-0x0000000000F50000-0x0000000000FF4000-memory.dmp	family_redline
behavioral16/memory/452-914-0x0000000005E20000-0x0000000005E2E000-memory.dmp	family_redline
behavioral16/memory/452-915-0x0000000005E60000-0x0000000005E8A000-memory.dmp	family_redline

Redline family
redline

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedLine.MainPanel-cracked.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Redlinestealer2020-main.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	firefox.exe
Token: SeDebugPrivilege	2904	firefox.exe
Token: SeDebugPrivilege	2904	firefox.exe
Token: SeDebugPrivilege	452	RedLine.MainPanel-cracked.exe
Token: SeDebugPrivilege	2904	firefox.exe
Token: SeDebugPrivilege	2904	firefox.exe
Token: SeDebugPrivilege	2904	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 4664 wrote to memory of 2904	4664	firefox.exe	90
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 716	2904	firefox.exe	91
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92
PID 2904 wrote to memory of 2532	2904	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.WinForms.dll,#1
1⤵
PID:100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d21ea6bf-e1b8-4f78-9d85-eb9330749a64} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" gpu
    3⤵
    PID:716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04ef1617-5de9-4998-b992-cf69b6c6ac39} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" socket
    3⤵
    PID:2532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 3256 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd5798e-6261-4f02-a77a-7a583356cf6c} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:2720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4336 -childID 2 -isForBrowser -prefsHandle 4328 -prefMapHandle 3672 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81b1cfa-4f37-4839-8b1c-d5e9ed9eb4c8} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29144 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20c61aa-59aa-4719-a051-c44d0770ecff} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" utility
    3⤵
    - Checks processor information in registry
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 4168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f7960d-37b7-48fe-841a-db85a2a995e3} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5400 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678d1722-a5ad-494d-ba72-edee6d1e8f38} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:2240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5676 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5806fab-9cd5-4c8c-a040-a73188e8b059} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2532 -childID 6 -isForBrowser -prefsHandle 6152 -prefMapHandle 5792 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14194696-8368-47a7-b828-bf1ed02005f3} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 7 -isForBrowser -prefsHandle 4584 -prefMapHandle 3736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea91ba1-c8d3-4039-84a2-a779710dff7c} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 8 -isForBrowser -prefsHandle 3564 -prefMapHandle 6380 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646865d6-b017-4dd9-b9da-1038835c81dd} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
    3⤵
    PID:3228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2588

C:\Users\Admin\Downloads\Redlinestealer2020-main\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe
"C:\Users\Admin\Downloads\Redlinestealer2020-main\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
599a5100edcdb1340e1b6016b2627c04

SHA1
dd11dde3646e70eb909dd12615ce3c81d906f203

SHA256
38739d3746472b979a6eaeef2e486ef5afd38a1908d98996fa3e3a4f580f99c1

SHA512
3ccb7c4b4a57ce3c1149c2f8ef6bd1ef3276e8e97fae90d513254936b32b17a652f4eca7445b52dc234e2383d87df01f0595444fa2dd5443ec59a89011239822

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
792KB

MD5
46495cb20a8d3de2478963c3c4b0ad11

SHA1
360d4461ef960f6db56f80136cded95099180c28

SHA256
a9cc8645814b34ce7f9e4fe03f7efffe025f37103eed2359011d48701cd54dbb

SHA512
b9b4f7eb3667fdb09ff21374d32d06671a2c4703fee920fff6aff31460fe995d7819618a41588a1475ebc5949e3bd2b5961a2536419e3a87272e4e167bac5eb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\2D53DC86EC805E3FED3983CF4856BD056706B752

Filesize
637KB

MD5
d75f8b999daeb49bc5ab67f1c902cbf0

SHA1
31e25b013979ba33ef02338cd4b65f20cdcda15d

SHA256
d99226ef1695edb8bdf26c5f597c7203f991ccaeafbf742cefc10e52f74cd6a4

SHA512
c4fd02f0aad4bf6d12ea15510e27b89b4b04f47e4872d57105e8d308279a7b98220a6c60c7c223a708decb8ac6a39a41eb55cc1f48cf8dbf0002982f28875a8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\4A48EDB115414203854E0D30A3D6DD147B65E431

Filesize
114KB

MD5
78e19123a7812d0939a3330ec51f7c43

SHA1
2b4cc5511c862c753c42d8bc5a0cadf2a292ed1f

SHA256
426735081e019c135c2c6cadba543cb29802ec1ed188c15ea57b2053570a163e

SHA512
08f3a45913a8fdd5bc01e9650b22d4a92bca3e1e8ed54d34ac1469ce7f0b1f5688008fd120e06b298ba0e222feaa4ee736d799995ff699a7061b081a32a772ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078

Filesize
1.0MB

MD5
b53d7aff5a1000037c601cd7f9e208d7

SHA1
e64d4f276571895efb0c1d8430d349fd7a0a4348

SHA256
6b4a221e35fdda7fbfc7f023f029e306f1795e68abb7750c5f0a2fef3e65cddb

SHA512
691f3f6222e2bf666eb979788d806cec6255d0a95842834268a3a83ec2f2f185a1d1ffac4351110fef2e2dd5bd8de365a4c40ac81a758687adf363dc199efa2a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\838231ABECC09F6502925A716AEDBE19B431B359

Filesize
163KB

MD5
54425345c351cafe78a6c11106dc1860

SHA1
514d67bb2d4dc1887c07cd05cf3e2bb9e1a01ca4

SHA256
1802b3f0530b29fc23f4e7a21922c7274a9014acf6c9aace73f17a77deb29edd

SHA512
683bd3c1255cf7442f5eba0561038427a557c3a755467d850f9d0523ae3fb67515641d652723a8eb2ed2a3b44a86d925f4298200a958967e64ff0059204eea5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\A03E3E61B5B0A23F2BD68515B245FF480863548A

Filesize
96KB

MD5
e4e8a0667ef3960ef443805922ab50ca

SHA1
8b6401f792eb4477d63c1ccb9d01e4a96ff86d6b

SHA256
4a6a254a5d7ffc5b795d600fd33274ed579ea176e770635b249b212f25d8a214

SHA512
603efc175fcb0f9cdec9a6201656fe67a68f54a7e20fc59ac729772e258aab91a1c2f4e6be4ef310f3a667f20b790d06ed6594ed45d77f71306621494426aa3b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\E8BD986722565A28F40356B72AB577075CED36B9

Filesize
2.0MB

MD5
4d20bbe4a585c8c615b14752092b8c7d

SHA1
3d885a39525eae2cf0a0cd6936b75d87f8886236

SHA256
c59b1e859fc876b525a77d791e443b1be27a3ffbec05b770df149ef391115ae4

SHA512
a5954c994fc92357f9d18600ac47f78faa68d870503483ead0c5625a28408f56484e704d144cc766f4ec7ed6ddcf829118de54392f883f8aec30d60fca56b7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
6ff260389f4f62c18beea21d57b4542d

SHA1
0959cf6e9aa07fc2211912ac1437f14168b18646

SHA256
bea1d00c69463de9eb29f136008f834b2ea2d2cdcc7bd35a659d31ee107e62d1

SHA512
d9667f7d56eb655209a312cd56160531d7aa0a5d5e0200117e22511f68324ca3b643c37eed3eaab9f355836bd655df1a8c27658acfae36a3ef3533dcadd2790c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
9b0f6d55b9b94b7c1c2e086fde1efd6d

SHA1
ad50d38a5eb0c3a4ac5164c43696df0f97a0cc4b

SHA256
c6bf431f7c02dbcd7b9e21c2e6d83bac787d3fb4c02eedba59b11ce0a316d415

SHA512
ba397e9264290c957ee75c23094dc1627483adfcc0cde133d72aca6d02c89ea9f1e28934cfcb5ccf4962f6b39fc1129d194074e13f97f732caa290db0100b8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
18KB

MD5
9f8a3b79292b32c414786fcccd44be2c

SHA1
f895f975219247f1ff6d5a48120f7e4114c010e6

SHA256
bf8dfa35b54706494b0da80c362364710c76eae58b3ebfb961146d4d813ddfa7

SHA512
a8c4ebbf147c2e8fcd649cf2977c16c6da4f40d592866b26e4b1e8f9d8eca147b210fecaca5901b07d0ad1e770d81d7ff04dc9fba3b5db61ab6a428870a8bb70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
03cc4f5fe3cea4d8f0b7e023445a66b0

SHA1
c59dff67167d711ec89077fed87fdcdfb493ab7e

SHA256
54babf19595c5908d6717593fd7790adf023ca971d0d3e02a274b8d892e97e8a

SHA512
f17b16a71540ad629dedbd12ff7d49983660be7c51a91680b42253e1c162a7cc88002a4046d42ae1d4b3177de7747183827aed5a4eee6e072989334e8e85efde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
56f88e0cb71160d9bcea31b09320839f

SHA1
5e6733a5c97b40455454547458281e7c8ef210b5

SHA256
57317821dbcf011a1987da2cec63010775ad99b41aa0c0ea5916251b2e8c18c7

SHA512
2508f7ff3dee71aca156da7f87eb0c848bae537970bfaeb4dfc758d6ebf2387e8a15815e3222fecf190dc3301be9cf1539afb2e5529b8c5bec83db6004993feb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f43c3dd7a8b74f0acbd4e45eb0835033

SHA1
a63bad0fdf412d23e38c0df96f9ddc90cf6e8c82

SHA256
5574f5ad2a1a9ec8cfff58cb4fe9d82944d018060261a954e5b48c22db3446fb

SHA512
13d0477fe5b13aeb87530d98d7e566f9584d5334007b2db699ef90bcb074c4e3ea336c9ff6a3809df23fe94e3e38f995d9d9e9f42e5395f0a0a18acfe711b292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\6a154fc2-ad13-49e0-bb70-96a04a559a09

Filesize
26KB

MD5
26092f8cbd3c78f65e53a3dbec5d9ee1

SHA1
05bbf0e5d9381e5b61d7b4e7ad878e17568ebfb2

SHA256
a9a057abd5d096df0eb4be21beee38ff3776f5aeb7aeb78a7e6e9cbf43513606

SHA512
877155b55028ec1dd8e3d85cb169ba3fc40af6ce67c7907192a5d267b952c962b8d3bedef7fd0f1522f5d99efe160d35aaf28a00e773ccf67d1a2b03ca8feb51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\779c1fba-b65a-43fc-a5ec-f8ce60d84668

Filesize
671B

MD5
a16a3b8f5b9660e97d24f28c4674837b

SHA1
33195b9209bac904c66ed0c61aa81ae65dbd5087

SHA256
23ec2142157680e1bc0ded811e29ca2eeed008426f54a4cfc86b089d8e5b4a4a

SHA512
dc96ad6ba519659f5a2705cad36c36e23b243c82839f531b69a53fc39aaa368e860be817ad49820064a438a9fc56f912e84444252e23694b13a19708f5adc33d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\f0cc774b-e47b-4ba1-8130-7d792ad0b587

Filesize
982B

MD5
2fdca2852232b7ca5add75af989eb438

SHA1
d55e993503e2d1d365bec8767148e3d20ab3f01c

SHA256
3b40e08e3425df28dfd253185eb46c7a2c0215922513caa6858680fc08555a36

SHA512
a626327e4fa9873b323878cd5876cec6d401f8768e086e1850d05e911ea872dc51be4146213b856c5bde99e42091e1d94d43198dc1bc5b512c1b135fc02a3b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
10KB

MD5
1fa189e1631a35666e04e48ff45e4429

SHA1
fb2a966cfbec99aee26b4abe7957ce1a46758433

SHA256
5103be13b47e9b74f4aa33175ce309a4d0ad18caedd245877c9904f8575e7f67

SHA512
855f42056c804ee2dc442fa5f45bbf3481019a47c52e7e69e7cd6b9d39eb38e3d9d2f4ce00104ae36cc5699401873cd9243081b897b1e98c4125f6a8c5984823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
11KB

MD5
16dfc46eaa73057e8c14096c7f2e929d

SHA1
62aadddc6a81833ffda5e31ebd1c20593817f3da

SHA256
9e73bdbed6b1bcb818ba77be503d83181219f7661f026322620ddf6425e402b7

SHA512
15d00e5a418a34b66b1593c77370e7e97768762380edf4ef099d5ed623448b6423305f06a55e1ae6e28b9d94fe8d41e93bfb8680af06d07bbc95a3a8a42f33a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
c28b7343a7dc51593307b0f9b4d07288

SHA1
4cf6146980e6cf57efaabc4764fc715eb0460b41

SHA256
8a1544282fb62e9773defc80195f84d5d2194a8094b22b44a1b4f8f1234f6596

SHA512
1e5630ae5889c73685b09659506aca7ecfc201e90a49f7c858f26109d9bc0ac782593af15ecaaf58797d689db46ac7e3005fe93c52bb92c272a1f3b16fc3b03d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
0c34b3417d6efa87d9260fcb57f9bf5e

SHA1
b7a91697ca106de1d8f5999115ec1bbf89ee1177

SHA256
81338bea13e3048bd0836c22f821e5ed6b91dc73e2765c6e24b4f3ceff20466f

SHA512
6782f362c6e691736a36ddf73b77264afd09374f0993e4b4b11b9226c58f105774b7a4e75c4b0d4f2554d23553335b568fa602e0ac576ec87d40abb3dd673258

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
b1830b4f59a8766d9bb873bdcde0d7d8

SHA1
1925b245c39759ed181e36cdce586d57920c7afa

SHA256
9338c34d7ee126c4f4d3e2b2c723b7bbabee6ec980cb0005c00ae5de9794988e

SHA512
8ab1b63a2bf0b6b967e83b861eb498168d91f15b67afdc5f7173e348f7d0eb60e0ad3fd6fd170de5b4a5d459b751591312116877fa1465e5771a8f999579d79b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
847ea12f43202a11db712592e2fdf2a0

SHA1
01758ebc8ef6d698ec8b89c602991187733be77f

SHA256
3752abd500beb2c7974be69e19e8bd053641127a45dc6fae23279e77dd112c97

SHA512
b83eab4308b05500979ad3f4f3558b3f0868ac7e81b7f5284649da6abf6f7c11d3e03e7999bee4d67f3b14af73996ab12601e33107bda15f5a43beb4f7316531

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
17aaa918fe8c76a80f856e456dc312fe

SHA1
9c0710181d346144b71ac707233434cc14767493

SHA256
e571e381bac6d2dcf3dbbf7ae222e46e3b1bd21a97798f7f7133dea2f84a67ea

SHA512
590149061e0ae952b6186aa0d9006962afb660735e7bd3dadff68fa816202cbc4fa9afdd3efd5ced2c2688a5a7c9aeead5839efbd27329fc2671c63bdaebc74f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
7aa16d4ca07a987b9d3d7643f699f31f

SHA1
cb27eb1c90e94565d835ead380476cdb9631bde4

SHA256
f960390742d2f35627722ed7c03ee308de9bcc74f19e05a1520230e5798a398b

SHA512
54685a5282fa8fec9ba08bfac71e445d9c66dcf1688ce09d6344905d66ee840f0d4ef94fc4991f4d45cbc249fb543432bf5fc6f8f7dbec6c2a9726c10b12d4e6

Download Submit
C:\Users\Admin\Downloads\Redlinestealer2020-main.5GDinPBi.zip.part

Filesize
2.5MB

MD5
291c143340623d5ddd9895e3173970cf

SHA1
64603a6f1fa74412e91fa20688f213d13b1dff40

SHA256
0e486871aeddade1498c575341b53401d74af20bf4cf9103b8d1f9596d852673

SHA512
4a226b9ca9c86cedcb677830551207fb5e4fe54f1e0959e4dc97581c1375416934d9a61570ddc6a7fab7acce0ef8d9cb4251de69b70d8780891f4b8f109eb6c7

Download Submit
memory/452-902-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/452-903-0x0000000000F50000-0x0000000000FF4000-memory.dmp

Filesize
656KB

Download
memory/452-904-0x00000000032E0000-0x00000000032EA000-memory.dmp

Filesize
40KB

Download
memory/452-905-0x0000000005DE0000-0x0000000005E1E000-memory.dmp

Filesize
248KB

Download
memory/452-906-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/452-907-0x0000000005EA0000-0x0000000005F14000-memory.dmp

Filesize
464KB

Download
memory/452-908-0x0000000005F50000-0x0000000005FAA000-memory.dmp

Filesize
360KB

Download
memory/452-909-0x00000000034D0000-0x00000000034E0000-memory.dmp

Filesize
64KB

Download
memory/452-910-0x0000000005DC0000-0x0000000005DDC000-memory.dmp

Filesize
112KB

Download
memory/452-911-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/452-912-0x0000000006060000-0x0000000006110000-memory.dmp

Filesize
704KB

Download
memory/452-913-0x0000000005FB0000-0x0000000005FFA000-memory.dmp

Filesize
296KB

Download
memory/452-914-0x0000000005E20000-0x0000000005E2E000-memory.dmp

Filesize
56KB

Download
memory/452-915-0x0000000005E60000-0x0000000005E8A000-memory.dmp

Filesize
168KB

Download
memory/452-916-0x00000000063C0000-0x0000000006670000-memory.dmp

Filesize
2.7MB

Download
memory/452-917-0x0000000005F20000-0x0000000005F3A000-memory.dmp

Filesize
104KB

Download
memory/452-918-0x0000000006C20000-0x00000000071C4000-memory.dmp

Filesize
5.6MB

Download
memory/452-919-0x00000000061B0000-0x0000000006242000-memory.dmp

Filesize
584KB

Download
memory/452-920-0x00000000077F0000-0x0000000007E08000-memory.dmp

Filesize
6.1MB

Download
memory/452-921-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/452-922-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/452-923-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/452-924-0x00000000082B0000-0x00000000082C2000-memory.dmp

Filesize
72KB

Download
memory/452-925-0x0000000008310000-0x000000000834C000-memory.dmp

Filesize
240KB

Download
memory/452-926-0x0000000008350000-0x000000000839C000-memory.dmp

Filesize
304KB

Download
memory/452-927-0x000000000B210000-0x000000000B31A000-memory.dmp

Filesize
1.0MB

Download
memory/452-928-0x000000000AC00000-0x000000000AC28000-memory.dmp

Filesize
160KB

Download
memory/452-929-0x000000000B150000-0x000000000B1A0000-memory.dmp

Filesize
320KB

Download
memory/452-930-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/452-931-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/452-932-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/452-942-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download