redline | 4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d

Analysis

max time kernel
226s
max time network
227s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07/12/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RedLine Stealer (1).zip
Size

17.2MB
MD5

d3d1d5504a838b38d27bfdc29a9bf0ea
SHA1

f6c351251c4b5fa64b852dc2ae6f85cf870a1508
SHA256

4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d
SHA512

7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781
SSDEEP

393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl

Score

10^/10

redline xworm discovery infostealer rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

svchost.serveirc.com:1313

Mutex

MML7YiawHlQLefrX

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab71-142.dat	family_xworm
behavioral1/memory/1680-154-0x0000000000E90000-0x0000000000EAA000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3136-4027-0x000000001FC80000-0x000000001FC9A000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 11 IoCs

pid	Process
1508	Krumo.Loader.exe
1560	Rarqxqlarwy.exe
3100	Eihb.exe
3400	Kurome.Host.exe
4960	Panel.exe
2116	Panel.exe
1680	svchost.exe
3136	Panel.exe
2688	Panel.exe
2328	Panel.exe
1384	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
3400	Kurome.Host.exe
3400	Kurome.Host.exe
3400	Kurome.Host.exe
3400	Kurome.Host.exe
3400	Kurome.Host.exe
3400	Kurome.Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
3136	Panel.exe
2688	Panel.exe
2688	Panel.exe
2688	Panel.exe
2688	Panel.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Rarqxqlarwy.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
452	3100	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eihb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rarqxqlarwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133780594753639196"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 = 50003100000000008759a67c10004c6f63616c003c0009000400efbe4759495e8759a67c2e00000048570200000001000000000000000000000000000000b0e3de004c006f00630061006c00000014000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 0100000000000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\MRUListEx = 00000000ffffffff	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000a343014af18db01fed9e7f7bd48db01fed9e7f7bd48db0114000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\NodeSlot = "8"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
3136	Panel.exe
2116	Panel.exe
2688	Panel.exe
2116	Panel.exe
2116	Panel.exe
2688	Panel.exe
2688	Panel.exe
2688	Panel.exe
2688	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2688	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe
2328	Panel.exe
2688	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
872	7zFM.exe
2328	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	872	7zFM.exe
Token: 35	872	7zFM.exe
Token: SeSecurityPrivilege	872	7zFM.exe
Token: SeDebugPrivilege	1560	Rarqxqlarwy.exe
Token: SeDebugPrivilege	3100	Eihb.exe
Token: SeDebugPrivilege	3400	Kurome.Host.exe
Token: SeDebugPrivilege	1680	svchost.exe
Token: SeDebugPrivilege	2116	Panel.exe
Token: SeDebugPrivilege	1680	svchost.exe
Token: SeDebugPrivilege	3136	Panel.exe
Token: 33	3136	Panel.exe
Token: SeIncBasePriorityPrivilege	3136	Panel.exe
Token: 33	3136	Panel.exe
Token: SeIncBasePriorityPrivilege	3136	Panel.exe
Token: 33	3136	Panel.exe
Token: SeIncBasePriorityPrivilege	3136	Panel.exe
Token: 33	3136	Panel.exe
Token: SeIncBasePriorityPrivilege	3136	Panel.exe
Token: SeDebugPrivilege	2688	Panel.exe
Token: SeDebugPrivilege	2328	Panel.exe
Token: SeDebugPrivilege	1384	svchost.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe
Token: SeIncBasePriorityPrivilege	2328	Panel.exe
Token: 33	2328	Panel.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
872	7zFM.exe
872	7zFM.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2116	Panel.exe
3136	Panel.exe
2688	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe
2328	Panel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1560	1508	Krumo.Loader.exe	83
PID 1508 wrote to memory of 1560	1508	Krumo.Loader.exe	83
PID 1508 wrote to memory of 1560	1508	Krumo.Loader.exe	83
PID 1508 wrote to memory of 3100	1508	Krumo.Loader.exe	84
PID 1508 wrote to memory of 3100	1508	Krumo.Loader.exe	84
PID 1508 wrote to memory of 3100	1508	Krumo.Loader.exe	84
PID 4960 wrote to memory of 2116	4960	Panel.exe	92
PID 4960 wrote to memory of 2116	4960	Panel.exe	92
PID 4960 wrote to memory of 1680	4960	Panel.exe	93
PID 4960 wrote to memory of 1680	4960	Panel.exe	93
PID 1680 wrote to memory of 3872	1680	svchost.exe	94
PID 1680 wrote to memory of 3872	1680	svchost.exe	94
PID 2116 wrote to memory of 3136	2116	Panel.exe	96
PID 2116 wrote to memory of 3136	2116	Panel.exe	96
PID 3136 wrote to memory of 2688	3136	Panel.exe	98
PID 3136 wrote to memory of 2688	3136	Panel.exe	98
PID 2688 wrote to memory of 2328	2688	Panel.exe	99
PID 2688 wrote to memory of 2328	2688	Panel.exe	99
PID 5068 wrote to memory of 5812	5068	chrome.exe	103
PID 5068 wrote to memory of 5812	5068	chrome.exe	103
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 3908	5068	chrome.exe	104
PID 5068 wrote to memory of 5352	5068	chrome.exe	105
PID 5068 wrote to memory of 5352	5068	chrome.exe	105
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106
PID 5068 wrote to memory of 4272	5068	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RedLine Stealer (1).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedLine Stealer\How To Use.txt
1⤵
PID:1964

C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe
  "C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\Eihb.exe
  "C:\Users\Admin\AppData\Local\Temp\Eihb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1756
    3⤵
    - Program crash
    PID:452

C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3100 -ip 3100
1⤵
PID:240

C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAAC8jUu/hneRNisHIVgp9OyTU8pkbf1OCIHBVWodgyAZBgAAAAAOgAAAAAIAACAAAABXNzP3zRTw6jYKVNNQZuvWG5xI8/pVYMyCMazmK/CpkRAAAACGBXvD0xHFy3e5GbSEPObGQAAAACpg0EOxYOrKye4OvoLo87XwnGasGMWtsZRAzyEN17xLTLeEQQhAHgm5sQ4qQXazrtQ8AIpJ/LjDyU6bKwklPG8=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAACMWNNGs3HJbOFtMRmAEnpkBR4e2QkKDWwl/bOHDME0EAAAAAAOgAAAAAIAACAAAAAD9L5cmjl0U9e7WKVNVI8h099JCG2mVZkNDZ4WLXxtGxAAAAA/6ceazEbmOKYQS0kCVPrCQAAAAB9XCPfknumLz2p51jTFxPC03b3QfXFLnZqo6Ill7qWx0DWJBiRYjrVGPDE7zICJZvZnpMLoV3STzg6G3Odf0UY="
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAAC8jUu/hneRNisHIVgp9OyTU8pkbf1OCIHBVWodgyAZBgAAAAAOgAAAAAIAACAAAABXNzP3zRTw6jYKVNNQZuvWG5xI8/pVYMyCMazmK/CpkRAAAACGBXvD0xHFy3e5GbSEPObGQAAAACpg0EOxYOrKye4OvoLo87XwnGasGMWtsZRAzyEN17xLTLeEQQhAHgm5sQ4qQXazrtQ8AIpJ/LjDyU6bKwklPG8=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAACMWNNGs3HJbOFtMRmAEnpkBR4e2QkKDWwl/bOHDME0EAAAAAAOgAAAAAIAACAAAAAD9L5cmjl0U9e7WKVNVI8h099JCG2mVZkNDZ4WLXxtGxAAAAA/6ceazEbmOKYQS0kCVPrCQAAAAB9XCPfknumLz2p51jTFxPC03b3QfXFLnZqo6Ill7qWx0DWJBiRYjrVGPDE7zICJZvZnpMLoV3STzg6G3Odf0UY=" "--monitor"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2328
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3872

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd20abcc40,0x7ffd20abcc4c,0x7ffd20abcc58
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3364,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5316,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5492,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4864,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,17589041765642898140,2362619242031687891,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:4712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
070524687e073c544ffbeb8a386453fd

SHA1
97211f1da0f8b0d50123784fb3bdc57059fcbad3

SHA256
312156762e0222a220a2702551ffff1d095bdfad7086c5360a43fcc141c6b6d9

SHA512
0a18ef8530a25d097cdd10da0f70cc3b91eae04844a1ec1ae099b565874f38bbff1b8513dc347bf703abaec1523561f0db3973bf6fbf2d480110dc8cc1f5c49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
252cc6893f0d43a4def8ee906abe695e

SHA1
50af49108c77197e622dbbefb731b631e23b24a4

SHA256
2b786133a97f8b01c2328b7eee96fbb6a2f7e5d5dd72e06a928f47d97fdb080a

SHA512
0d8975d630db17d15f28dda8f92de13e06f2bb80edcabf54f34fef04a4c7101240fe0964c1b2d9f3bd5443b222aeeb2341bd8fcb4b55f2cde1d7dcfba4e2f067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\62626552-cbc7-4b04-b93c-f41b6d2cc557.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d313668b8bcf635963e6289084266fe4

SHA1
ceb15f236e807e37b5013acc28c52b1da96f5a50

SHA256
7efd9553294926f2a4406cff9a9b26b683bc6bb4ec089c1e98574a1152008a37

SHA512
20095c7354d500c18b72cad68eff3b2d9376861c7fd3e1b600fae83930631a6d1a3785919d114f101dded10f0a729b41c8d59e4e97a69472066d8770574f573c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
09aa7a52ea0ab54fb829c9f987cf4d3a

SHA1
35b8e5edf288635f52d3fc44ca12b5fffc15216d

SHA256
4d4590e159e3c9eefdf5425ca63c6024dac1022e533d4c5825742e6e42bbc305

SHA512
c24b23ab88e336bebc080baccb120c5c77020bc0457d07b38a6a9a720c90ab7c52eb919b849faf05eefcd9a4a25fcff4c145a941395f3351f450a07bb59a9760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
110d33f2a390b9bb2742d44daf4238b9

SHA1
084c1e0eb7c6f7e9faf19ff2493b1f234fe836ea

SHA256
0dc1d307aa6378b166e21c53255bdae8252e17dbe8f1d088d01fecebafb28851

SHA512
d37655d581a1481d29a06bf97d9ef15321071ea7f723baf5b943d29ed64f2bc86aa1a0a8b14a6cee7d37d478ef680057c93e662b975d1d2de5f883a34744d6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
29463c9180eeeaaf0d2f386307116908

SHA1
f21d63fb93b1000c2b61cd77728704958db79a3e

SHA256
0b9afd6c3db5af745f71edc769ca2fef61b6680040e333b05b1400a6bbd3ba6f

SHA512
79e11de28d01fd523e6f89fe7d81e472680c3f04adf2331682fc9f7736efa8d5f78a1a9a922bf2b63247bdb274db07d0b8316b0535f68a06092c0d2d3f8d355a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
00833693508efd9c726e4d3b073ab2ae

SHA1
052f23009930f19f3a396e913353882f46862bd4

SHA256
e05e33632d9c9243bd7af172732c8d5af01c6c8ba99b2d953da60464092b6f9d

SHA512
03d9c77a8fb16acd991b7c4c4ae409209ac9730c3d46f9853c35279407dfde05b882659b5bd3400e70b123acff6024c23ea2f0b13e874302b815ba9c28fec85b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
29c076f24682b375ffb87343453b9cb8

SHA1
b29b0e0b6ec90ac593c91e88d7af7136e3cdc2bf

SHA256
4595e5db98e63075cb13bd3fda7271b2524cb64631173092f8dca2eb8efca675

SHA512
7c67408094524f215af092bbcc6a4e4e0d2ded3655b4f024bc6a358842f53c0f911853397439d1313e547cb23b2a7955927e7a153a7ac143c3f94fb9d3b6e808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20580a19ce6b571729f53f8bd79af0c0

SHA1
521141dc5d5e70d22b61d99ed42bf015409a4a5c

SHA256
37ed0743350e5b36013d09dfc46c62838c72b886801729cfa1715710b3d91087

SHA512
568177228e8461de84cbf245adb4ac2546923ef247fcfcc34e0504fc3c305a0294d381b00467b4e1be6730d890fd88ce4a0f2eb14bcc5010c1f552b27a1561dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d608bc6e2b097db6f45fcfa6df340ac4

SHA1
cf74d6694cdd7680b4bd262586a1de786966269c

SHA256
c0095c904d3084fa95430389bda6725491fc70b1816425ce07f7d3f57914ce68

SHA512
d8fad2b729c3ee47533741583111fe657d17227b03396c5a90e7fd391a744007323ae472603c0b996db3c090f1a9a2991c9770fad0eae11eee133c7824814940

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1b36664be212c08a1a324a2a524414c

SHA1
645453bff8d58758987dee24ed09685f82456a9e

SHA256
4450eb99e341a0e55983e622c655b067fc8feba05c60e77d80b39865cfeac181

SHA512
c390d26613232f750c015a83c775fb71cd3516d99c2510aba20fa4ec3960d563828e7e3cc33761eac36ea55920a38b291ed735a259cc6b918b3587b1e6d39a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c67e21b5963ff6e5e00f03d436ae6a5e

SHA1
a73dd754c4620354608f5b85a9eb3788f5d15122

SHA256
41611bd0b3aabe7c240e41e6879608c9394eceb43f133d5d8e3030ecd2cb2ed3

SHA512
7061d6a7539f29706ad87434f529f56cf64c0e2c9c464cdaf2f934da90563cf45931937dce2f003e56a78806180e32931b814f6beff3e97a595aa8b79f651f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ff54fd4006c2ed6f5620ed9fb5bc7f7b

SHA1
ff729e265a329b620a3556b40afeace56aaca8dd

SHA256
fd0f7f2a645ac7b66a7cd0bb0e3a844065bfe1988c9ac4f863a32a74998ef3fb

SHA512
994caab045cf3fe6d63ba9f197d06c82dfc98930de11ae0d128dacf0785ff5e164f2d33737340df95c4ef32b0b490e9c54f30fa665574b769ff1b54f6b639c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a12b00a66903bf619707b0fb97fb2fda

SHA1
647cf56e01b36d3a75f10f818df8b422162be4b6

SHA256
cc72ac426df54bd59ca273e6e4b7155a48810de72fe72db80324b10509f61bad

SHA512
eabbbb1a44b3390b481bb7db810baeceeab6f03ea77a64278c12e49b90fc384f1bb92caa27c3e0d4ee00e6302d0373c0d20e2258510975c2f9d6d15fb227311d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
bb4eb78bee88b3b4158cc22727d1b052

SHA1
b605cb251232702d641b066b687859fd1618fc90

SHA256
6a9f094ad044e73964327630378dfb2780ce964f731979e16d8025a96a188f0e

SHA512
8cb04856994f373314be9e213de88154e3836be78bbd7e6ba17b440debd88833482189994e6684246c10c4acf69d3f9ae4641a175594d577aedfa3999ad1869e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
306B

MD5
33f89887a1b3559f9c8fe974b797212a

SHA1
e33f9884f22fde8d27b30ec05885d8736a110220

SHA256
adc0a94f591acdf86ae9fc01bc4b83fcd4dfb57aadc85b9e0041e7e5a59ccbd4

SHA512
6eab2ddfb4429089e85186d6a1197dd231e515b9557b94fabd90ee47976efc817ce762420657da5a37f57ef6787f1c48fbfb314304265f44cec234facbea86fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eihb.exe

Filesize
118KB

MD5
677073949945ca09fe971682561c5f11

SHA1
cb33238550faa82cb5d3b5e4116a8c721a4fc96c

SHA256
571d22f4659932c89344baf33e0e53dcb790fa9cb196ad7a937ce17f567f5062

SHA512
006c596edb2c6cef589319917c70531e0672cd8831a4d6852c0641e9cc9a90d351f687884da67a02055706c334e94b68a17c8a0cf9f6041b633f8f85cd9185f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5068_827766930\84cb8305-17be-4a1f-b815-4acbe8532f40.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5068_827766930\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\serviceSettings.json

Filesize
74B

MD5
5a9ab332058db6e935e28f1fe4c911d2

SHA1
92d37d6938faa3a4770c25e78a4ed8060a9da641

SHA256
8f99cc32c19aadf87f78c0e92a2c173094aacddd36a126b2ff60688c39c1bb60

SHA512
de2add222fec896b4420f8f63ada36091cd783c25c3df02f84249411ddc716b393ddabea7a0cb8ad89f530f5ea4dc7473f0ebe479876ed131dd11c677176a576

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
84bec3b8c6db81ad3f26c2796b02a2b5

SHA1
7b3e8f34510e196754eb6a21812d96976a24c351

SHA256
263251f3218d9e250a8a741ecfa1c5182030d75b75dac3314bdde8c050b2e301

SHA512
5690eb7c9dde782ef635edbcf1beab61166bcc651f00334ae1b3554af56b5455c5486c5dc0a70cb7e5bb72bc9742ec77be450ff0f4d5fcdd984e52f9db87aed4

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\How To Use.txt

Filesize
725B

MD5
b7de1d805c991602041a05dbcf222f24

SHA1
f1e1516b3f0a17f670abd475b2e51ccd82591a30

SHA256
d5964507a22c93f848a86b3eb4c9f39f658bfa6971474f1e60fc0c734501f9a7

SHA512
d6b42edbe026c0b3b6938fe8bc93828913ba476db86c842fd4869edc50376aacaaf42e84314bda9c0347db16cd19d431a660a14416a4f15d3cf8b9a40e35faf8

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe

Filesize
2.2MB

MD5
eac11bc16c0fda030e431a794119473f

SHA1
7ccff2bbb88f35e6cee7c58ec264abee962aa556

SHA256
8fb55b92f639950c9bbc3c3920a5780ca2d58100e03388d4568dfb48b006372e

SHA512
72ae606ca6267cd1ee9dc4f339367d969dd5ee419d91faa757023cb3d3104f0d2eb55ba83208a308bdc5cfcd6d75b7c3fc9966a87d2e77d2f3ab3f87bfb28d25

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe

Filesize
9.4MB

MD5
31fa09a4239fb382ab8be3c30fb35f2f

SHA1
c31a3400a47a9c47e051b5f7d2f8f9e6346a121b

SHA256
ebf94a98b7f5016ddfb9c7b13a689f0c71e8b6b65c495fbd093cc874e3bb86e4

SHA512
36fd6ea03ff46b490d901bcca543d85c74fe3a02145f65b07eb2a1c4c491c48aa80e90ba98f5a5ee0a0f3c9933f27c72d42d7f71f2095b2ef74dc9e9c7ed8fe5

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/1508-65-0x0000000000CF0000-0x0000000000F30000-memory.dmp

Filesize
2.2MB

Download
memory/1560-92-0x00000000075F0000-0x0000000007C00000-memory.dmp

Filesize
6.1MB

Download
memory/1560-89-0x00000000003D0000-0x0000000000606000-memory.dmp

Filesize
2.2MB

Download
memory/1680-2087-0x000000001DC70000-0x000000001DCD6000-memory.dmp

Filesize
408KB

Download
memory/1680-154-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/1680-2099-0x000000001DF70000-0x000000001E1F6000-memory.dmp

Filesize
2.5MB

Download
memory/1680-2086-0x000000001DC00000-0x000000001DC66000-memory.dmp

Filesize
408KB

Download
memory/2116-152-0x00007FFD22450000-0x00007FFD22F12000-memory.dmp

Filesize
10.8MB

Download
memory/2116-171-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2116-169-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2116-167-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2116-166-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2116-182-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/2116-190-0x000000001DEA0000-0x000000001DFE2000-memory.dmp

Filesize
1.3MB

Download
memory/2116-178-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/2116-177-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/2116-207-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/2116-217-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

Filesize
40KB

Download
memory/2116-209-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/2116-205-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/2116-204-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/2116-218-0x00007FFD30860000-0x00007FFD309AF000-memory.dmp

Filesize
1.3MB

Download
memory/2116-223-0x000000001E9C0000-0x000000001EF66000-memory.dmp

Filesize
5.6MB

Download
memory/2116-224-0x000000001F170000-0x000000001F202000-memory.dmp

Filesize
584KB

Download
memory/2116-245-0x000000001F410000-0x000000001F42C000-memory.dmp

Filesize
112KB

Download
memory/2116-173-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2116-156-0x000000001AE70000-0x000000001B010000-memory.dmp

Filesize
1.6MB

Download
memory/2116-157-0x000000001AE70000-0x000000001B010000-memory.dmp

Filesize
1.6MB

Download
memory/2116-155-0x000000001AE70000-0x000000001B010000-memory.dmp

Filesize
1.6MB

Download
memory/3100-90-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/3100-91-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/3136-4131-0x0000000024880000-0x00000000248A2000-memory.dmp

Filesize
136KB

Download
memory/3136-4031-0x000000001FCA0000-0x000000001FCB2000-memory.dmp

Filesize
72KB

Download
memory/3136-4074-0x0000000020AE0000-0x0000000020B90000-memory.dmp

Filesize
704KB

Download
memory/3136-4045-0x0000000020990000-0x00000000209A2000-memory.dmp

Filesize
72KB

Download
memory/3136-4059-0x00000000209F0000-0x0000000020A2A000-memory.dmp

Filesize
232KB

Download
memory/3136-4108-0x00000000210F0000-0x0000000021164000-memory.dmp

Filesize
464KB

Download
memory/3136-4122-0x0000000024810000-0x000000002485A000-memory.dmp

Filesize
296KB

Download
memory/3136-4123-0x00000000247C0000-0x0000000024810000-memory.dmp

Filesize
320KB

Download
memory/3136-4126-0x0000000024B70000-0x0000000024BBF000-memory.dmp

Filesize
316KB

Download
memory/3136-4127-0x0000000024D70000-0x0000000024E7A000-memory.dmp

Filesize
1.0MB

Download
memory/3136-4130-0x0000000024C00000-0x0000000024C30000-memory.dmp

Filesize
192KB

Download
memory/3136-4029-0x0000000020830000-0x0000000020930000-memory.dmp

Filesize
1024KB

Download
memory/3136-4132-0x0000000025CD0000-0x000000002603C000-memory.dmp

Filesize
3.4MB

Download
memory/3136-4147-0x00000000248B0000-0x00000000248C8000-memory.dmp

Filesize
96KB

Download
memory/3136-4030-0x0000000020930000-0x000000002096C000-memory.dmp

Filesize
240KB

Download
memory/3136-4028-0x0000000020210000-0x0000000020828000-memory.dmp

Filesize
6.1MB

Download
memory/3136-4027-0x000000001FC80000-0x000000001FC9A000-memory.dmp

Filesize
104KB

Download
memory/3400-114-0x00000000057D0000-0x0000000005A56000-memory.dmp

Filesize
2.5MB

Download
memory/3400-116-0x0000000005660000-0x000000000572E000-memory.dmp

Filesize
824KB

Download
memory/3400-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3400-104-0x0000000005050000-0x00000000053B2000-memory.dmp

Filesize
3.4MB

Download
memory/3400-121-0x0000000006190000-0x00000000061C0000-memory.dmp

Filesize
192KB

Download
memory/3400-120-0x00000000063A0000-0x00000000064A0000-memory.dmp

Filesize
1024KB

Download
memory/3400-119-0x0000000005780000-0x00000000057D0000-memory.dmp

Filesize
320KB

Download
memory/3400-118-0x00000000055F0000-0x0000000005618000-memory.dmp

Filesize
160KB

Download
memory/3400-117-0x0000000006290000-0x000000000639A000-memory.dmp

Filesize
1.0MB

Download
memory/3400-105-0x00000000053C0000-0x000000000553C000-memory.dmp

Filesize
1.5MB

Download
memory/3400-115-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/3400-109-0x0000000004D90000-0x0000000004DB6000-memory.dmp

Filesize
152KB

Download
memory/3400-113-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/3400-112-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/3400-111-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/3400-110-0x0000000005B60000-0x0000000006178000-memory.dmp

Filesize
6.1MB

Download
memory/4960-128-0x000000001BD90000-0x000000001BF0C000-memory.dmp

Filesize
1.5MB

Download
memory/4960-127-0x000000001B750000-0x000000001B7EC000-memory.dmp

Filesize
624KB

Download
memory/4960-125-0x0000000000150000-0x0000000000AC6000-memory.dmp

Filesize
9.5MB

Download
memory/4960-126-0x000000001BA20000-0x000000001BD82000-memory.dmp

Filesize
3.4MB

Download