redline | hxxps://github[.]com/KhanLevZverTigr/Kyan-Roblox-Executor4

Analysis

max time kernel
48s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/KhanLevZverTigr/Kyan-Roblox-Executor4

Score

10^/10

redline discovery infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4776-201-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 4776	3828	Exocuter Robl.exe	104
PID 3636 set thread context of 2956	3636	Exocuter Robl.exe	106
PID 392 set thread context of 2684	392	Exocuter Robl.exe	111

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exocuter Robl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exocuter Robl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exocuter Robl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773036452373350"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeDebugPrivilege	4776	RegAsm.exe
Token: SeDebugPrivilege	2956	RegAsm.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3280	3348	chrome.exe	82
PID 3348 wrote to memory of 3280	3348	chrome.exe	82
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1516	3348	chrome.exe	83
PID 3348 wrote to memory of 1808	3348	chrome.exe	84
PID 3348 wrote to memory of 1808	3348	chrome.exe	84
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85
PID 3348 wrote to memory of 2304	3348	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/KhanLevZverTigr/Kyan-Roblox-Executor4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa202ecc40,0x7ffa202ecc4c,0x7ffa202ecc58
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,17189023041047982670,584716062337315675,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:3256

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\Temp1_Exocuter.Robl.zip\Exocuter Robl.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Exocuter.Robl.zip\Exocuter Robl.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4776

C:\Users\Admin\AppData\Local\Temp\Temp1_Exocuter.Robl.zip\Exocuter Robl.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Exocuter.Robl.zip\Exocuter Robl.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

C:\Users\Admin\Downloads\Exocuter Robl.exe
"C:\Users\Admin\Downloads\Exocuter Robl.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eefb26e204ca632206050494e1c4484a

SHA1
5df25e48bf9dbec7559371356b6f8e4e14d6bc9e

SHA256
0c351060f36b3a622a25a95f561c9fab2e09204fa034c197f1d398d0b0a81018

SHA512
e662e1c51db1bcbf3a210797c1975d34d816e7dd1394367a1af92d5b4d61c7a8f02d3cc1848e2a87726a9980c5d1bbcea1dae62560def2efa86e8e6f05b403a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3cd18e64f9a3fa00b81bcdac2ebed2fd

SHA1
378c15d4d58ff18d906eb9d9b9972a659958807c

SHA256
639209877c324d973289cb8e9fa961f6d27fe9988bec12b6afc5567e575aa42b

SHA512
bd398298005a0a325ce11164ae90dafc1c93bc4a7fbf34c28439e780948aa3781cfb5ce7eac8af358e5495bef52ffed10cf918bbb1c10abf5e0dc4723e1806df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a782e5faee69365f56237f120041e043

SHA1
09e162e26f42a122798077608f0fcf7b9b2fc59f

SHA256
a6f39c2ab8e78aa69cc652c15a60319bca9c157cdc23cf2a9c956db0a8eef946

SHA512
bfce2dee16c4894c2387721819bb80856d2f03f3c18c96ecdcc7ec715379bd731df47fa3aeb9922d89abfb7e67332a2e6f562545ef51ac87659311b5192c3ad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b801fbd22cff52ab54a57529c5f79e30

SHA1
720ca20c0782a0f3f7e5d83706d2e28e1dba5c08

SHA256
e7dfc692e778cf91bd1ddefba98b902e3707f68917a449f5d56e1716e2632fd1

SHA512
0268d805c00825fe940077589e597e65a2d86e760ed9d536c14a595bbe6e0c1c5e731e8909cd9697f4e30530bbf324603b91f66fecddee5c1377d151e23f609d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb51758f7555d8575c4645a36c2dd5ff

SHA1
610213ea1d34a3bb3225ea3b2f8fd9415bd16ed1

SHA256
805c0e050c021add84c0267ac4178e3b9713858ee6f391ecc55b85d7a35441e0

SHA512
8cd8c27a6c54aae95b0379f942fb5e97cdafc75f970c4683d0eeb929ea10011e05a813a301777cf20763282c7eeb114f01333d38b7114a5ebb8fd9299cd3515e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
85c2e405ca1a42b68bdf026ef7543901

SHA1
f49906596fd916c1213126b434d8d24c06feea47

SHA256
def9a22a00e8e3a4a4bff1ca4fa75b99501c65689f7c84b93a1142248267465e

SHA512
d61b49002a9ae90ca276a8d8d3586aefc9e5ef3c71d755941a103c47e18ee1410c84d92ad63cda8a55d3fec5d25489eb719c502dfb4fb8ed87e72b1dac3c55ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1e5d5d35606e45a493c97127a43ea7bb

SHA1
8aa1fe75aed78c0a1982b2ebc628fe688ab5ae6a

SHA256
ba5db04d78ee0ab84ff6b0813cc0f5db338c2da0162ed2680c485e45ea79a5b5

SHA512
4faf38463dafbd9468da1e85bb4a4c3c1db2e78e564dbccc2338d576a3cfb17deb3fed26e01a16c98c8aa0692b4cb020ec9b80377ab3975a00099a486f2e607a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
42387713835be4f3d6a9b0e63b77baf0

SHA1
0794604116bb4e66b98fb24eae5b0246ae0c76e1

SHA256
4de0424798596a47a55f09e8e0a73730db40c2bd0d03c862920a6a73336df7ea

SHA512
72eea1e8d155161d353223c524c41fedfa021147fd7b1e4a67e593b2b91f543c85d6be189ddfbadeb5c58140844486f510c2d6d5f992ca60d8fc245d2d40affb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Exocuter Robl.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\Downloads\Exocuter.Robl.zip.crdownload

Filesize
275KB

MD5
000620cb15c325d8feac06fdb7bdbc0f

SHA1
1f866a09d9aacea2030eae5dfb8260aedd5fb958

SHA256
dbccdd11a3b1911fc339bcc06f6832a9cd4bc6047a86187010a259a5e0f7e835

SHA512
8fe1947b81016de44db9356475bc6ea9beed4e5ac37a79eeaf2b259637b33cb483379e1c8200a51d0933a5c0814bd9c4c0e95719e6d6f69663faa08aad82ba73

Download Submit
memory/3828-204-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3828-218-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3828-198-0x0000000000470000-0x00000000004BC000-memory.dmp

Filesize
304KB

Download
memory/3828-197-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/4776-205-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4776-206-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4776-207-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/4776-208-0x00000000069C0000-0x0000000006FD8000-memory.dmp

Filesize
6.1MB

Download
memory/4776-209-0x0000000006510000-0x000000000661A000-memory.dmp

Filesize
1.0MB

Download
memory/4776-210-0x0000000006440000-0x0000000006452000-memory.dmp

Filesize
72KB

Download
memory/4776-211-0x00000000064A0000-0x00000000064DC000-memory.dmp

Filesize
240KB

Download
memory/4776-212-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/4776-201-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download