redline | hxxps://mega[.]nz/file/uKgzWJ6Q#ay0oXKJ4rU6Eg8FH2YwB9U44U87ES6OzcCSt95_Qu0M

Analysis

max time kernel
256s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/uKgzWJ6Q#ay0oXKJ4rU6Eg8FH2YwB9U44U87ES6OzcCSt95_Qu0M

Score

10^/10

redline sectoprat cheat discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/612-4266-0x0000000020110000-0x000000002012A000-memory.dmp	family_redline
behavioral1/files/0x0008000000023ccf-8480.dat	family_redline
behavioral1/files/0x000500000000074f-8491.dat	family_redline
behavioral1/memory/2216-8493-0x0000000000110000-0x000000000012E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ccf-8480.dat	family_sectoprat
behavioral1/files/0x000500000000074f-8491.dat	family_sectoprat
behavioral1/memory/2216-8493-0x0000000000110000-0x000000000012E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Panel.exe

Executes dropped EXE 9 IoCs

pid	Process
3052	Kurome.Builder.exe
1980	Kurome.Host.exe
2772	Kurome.Loader.exe
4044	Panel.exe
612	Panel.exe
5192	Panel.exe
5672	Panel.exe
2216	build.exe
4088	Kurome.Builder.exe

Loads dropped DLL 14 IoCs

pid	Process
3052	Kurome.Builder.exe
3052	Kurome.Builder.exe
1980	Kurome.Host.exe
1980	Kurome.Host.exe
2216	build.exe
2216	build.exe
2216	build.exe
2216	build.exe
4088	Kurome.Builder.exe
4088	Kurome.Builder.exe
4088	Kurome.Builder.exe
4088	Kurome.Builder.exe
4088	Kurome.Builder.exe
4088	Kurome.Builder.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
612	Panel.exe
5192	Panel.exe
5192	Panel.exe
5192	Panel.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133788488262095154"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1872	NOTEPAD.EXE
2868	NOTEPAD.EXE
1972	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
4044	Panel.exe
612	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
612	Panel.exe
4044	Panel.exe
4044	Panel.exe
5192	Panel.exe
5192	Panel.exe
4044	Panel.exe
5192	Panel.exe
5192	Panel.exe
5192	Panel.exe
5192	Panel.exe
5672	Panel.exe
5672	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
556	chrome.exe
556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: 33	4160	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4160	AUDIODG.EXE
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
4564	7zG.exe
512	7zG.exe
5672	Panel.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4044	Panel.exe
612	Panel.exe
5192	Panel.exe
5672	Panel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1532	556	chrome.exe	82
PID 556 wrote to memory of 1532	556	chrome.exe	82
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 1536	556	chrome.exe	83
PID 556 wrote to memory of 4568	556	chrome.exe	84
PID 556 wrote to memory of 4568	556	chrome.exe	84
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85
PID 556 wrote to memory of 4204	556	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/uKgzWJ6Q#ay0oXKJ4rU6Eg8FH2YwB9U44U87ES6OzcCSt95_Qu0M
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffce886cc40,0x7ffce886cc4c,0x7ffce886cc58
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4876,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5412,i,360074064174863282,14481685391943728738,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1712

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\" -spe -an -ai#7zMap30625:174:7zEvent526
1⤵
- Suspicious use of FindShellTrayWindow
PID:4564

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\" -spe -an -ai#7zMap31247:174:7zEvent7155
1⤵
- Suspicious use of FindShellTrayWindow
PID:512

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2868

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3052

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1980

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2772

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4044
- C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:612
- - C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
    "C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAACSYdr+Wa0a5mmZF01Im0dqQ+d0P7IsKak0q+2rWEraYwAAAAAOgAAAAAIAACAAAAD0q2kA0pDLYXD2QK/O2BDrrGlnSh/+MlZEvAFsJJN+/BAAAAB/6FNJAyvYwZ6JWuVdal1PQAAAAB5wjt8pdW5IOpSI8o5nOk8VyXHXtRXt5jqMwwRLOc+t8a9PZ7liV45YVm6C6Aa2HYs0Ik2cRMSclUP9K4P5/p0=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAAB7vO93cfN4Q7Q+ZXFom5LZ+YaEOUlBjNGsjys2f5qCugAAAAAOgAAAAAIAACAAAAAjX89yc/VnGMRd2UYvs13zwRUC6vGacLasQAo+EJtHqBAAAACT967t8PTvGOBr+VHsSrNmQAAAAEqIgTu0lUpkGxzUyiXTpLrCBz0NRCLzikrCUJ4H7xC8n6IIkNIymq2APpaBFOJJpoX1aiFFpGo31HJoByV5sbE="
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5192
  - - C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
      "C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAACSYdr+Wa0a5mmZF01Im0dqQ+d0P7IsKak0q+2rWEraYwAAAAAOgAAAAAIAACAAAAD0q2kA0pDLYXD2QK/O2BDrrGlnSh/+MlZEvAFsJJN+/BAAAAB/6FNJAyvYwZ6JWuVdal1PQAAAAB5wjt8pdW5IOpSI8o5nOk8VyXHXtRXt5jqMwwRLOc+t8a9PZ7liV45YVm6C6Aa2HYs0Ik2cRMSclUP9K4P5/p0=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAAB7vO93cfN4Q7Q+ZXFom5LZ+YaEOUlBjNGsjys2f5qCugAAAAAOgAAAAAIAACAAAAAjX89yc/VnGMRd2UYvs13zwRUC6vGacLasQAo+EJtHqBAAAACT967t8PTvGOBr+VHsSrNmQAAAAEqIgTu0lUpkGxzUyiXTpLrCBz0NRCLzikrCUJ4H7xC8n6IIkNIymq2APpaBFOJJpoX1aiFFpGo31HJoByV5sbE=" "--monitor"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:5672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1972

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\build.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2216

C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
052c9760f211d7e7ac3721ab8e5d7a13

SHA1
659b7ed9d8c82de3fbd9df3371778bc098d195b1

SHA256
6f43433d0be2d42591705d01faa9d85056c3d8add406909c1b8c1d6036e5c631

SHA512
20d998c798e7c6cc9143b113e9799e12095b1bf25ba2263f398fe4f67ec882b6dc41550dc6bad6e9032bc5143459c0232bbd85ba5d873959d8b0674fd07615a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
988e18544c19c9d46547eeca7ae78e62

SHA1
b6c4c9f424641623903d6cfee4dbd63714555bc7

SHA256
6ccf8f42c459e30fec1ebc9ee5323d01908b11f671d6943f14c2548b335a207d

SHA512
6194e6f5ea44bae1b198e0b8d43c9fde382c35f6a18861990474b6e9c3c7666e97aad7401e2eda19212fbfc89a22dff71a2c716868b51268010e22376db9b94b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0d2c3ef44c3f746b204715b4106ee6b7

SHA1
8533100e32b73f2d197670ebf0e8bde0b5960206

SHA256
dd528b77050fd6c1418247e6220adf38b015e895e1c13f5b573cda0d172d2bec

SHA512
b4167a6a05fcc98641ab30a58e6868349e1f89847965a331b7ffe3b4877e769e41c192400e2c547d1c06949f1fd35e953b017317832e4bf96bbc427dfc1bb42f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
882bb20deaa9041f67df56af736169f9

SHA1
8c2397a948e45e402344cc2c2e00e78e89971d4c

SHA256
514438fa535dc2e814e81a42a0cb8047ff7dc072f0c1f1e564251110bc2d6f3d

SHA512
42ef1272c4a7abea1aef5606e1b31d3fbe5b39a6d7321bfb06c33ca85346cd5c506f2baaa08a295ea5e6c0f96173c2aca3df190c3dc08a54924036c1c7dc1f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ba7173c0f664de52e22c2d798c91a77

SHA1
0b1be4fd23d1ed1896dff108f15eb9d17c6d7d63

SHA256
a122c63d4d2210f595891ee41d1cc14fe453d6892e85a761089f5f1a69c3e32d

SHA512
9f75a06b54ce402f962af9549ea1797b273d4b4892d6e1054a0431c108c587e67b2e4d6e59edb2103bcf3ef9fe5ff80a464afdf286e1408b1fd2f1740848d73a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31863ef195e9a9df3fd7f958038fa9ac

SHA1
ad7f04d08d9adc4bde28eec8bc3f59046985d45f

SHA256
5f00a51448a57cef8fd02b5506d67b64a5cde1a62c293595a20d54b2d09ccb15

SHA512
b7c6f5c15620bc476fb8de17a36e89921eb464709e5a573fcd4d656893b747f9e34a5e0feb88b08f7074ebc9618aa3b29320afe75e3dd43011736bf5513fadce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb5cea6c2523c0ff39fb48d82831c5b9

SHA1
e3bcfcd46cce60215764f20bafb3f31e8f4a682a

SHA256
369bda70a51cc9aa2874554dd0d5ab9ea7f1c5514b7a70dd4f28a02b7962c934

SHA512
233cff645aa26bf3a7e652daae02781e4e4e43d189c64a6201d80c271bd624eeeced471e3826b1ddf23ecc4f5d985738fa98f977ff8cc3ab7f0735e8a34892b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b515bb1d1a06ef67cffc955664774962

SHA1
85fbc17079bcee83a9538960c6340dd176269979

SHA256
9f02658d673eb52d7712b6af72f8dda7ce38c8b9f267608275803c919d99dd66

SHA512
4069809398296a5789134e5038a9c66aa68227d5fe44b1d6648d0e328ba3c3117c604f0b77db83644a2582b0a95d301bc224d64852492f9c04a3eaaece6a91dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74ae064dd4504cc7cf9fd7a75aad6eb9

SHA1
0013d7996d99d86b245f82e41f7212098db8cd38

SHA256
3136e44c98c2e20cd3b0abf8ee959de806e05c6b25b30827af55b9b9a7275009

SHA512
11ad09fe15a3eb3ffb9dc3e7702cab3047c63400218c76f6050c2e86b733124b3218ef1b446f77f24c748f7249cb7b0ac65d0a077b9afc71913a2848e06126e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ae2e952acdc864dde4d09e1de7dbcdf

SHA1
bffa78bd82b69bf98674a144ef6ec88f98f23e16

SHA256
b9e4a828bd39f0834564c901246b44368fcd4da2d3496ed4aeb291ceba6a2766

SHA512
5e85630f98dce710a86c349058aba46440cbe461e50edfa64190f0e7a1ed4fd2cfac7ebf35cc2421410757790fe08e50ec5908eceb5adfb57ae256ebb1a7578c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30070f9188c3bd71cc00dfac5578454d

SHA1
8b785c3605924e28859d10e702360bae3d346b5d

SHA256
7ac6fa3526a19b83b532f93efc17ede2765c477643f60c63bb7749ee59ec0984

SHA512
da7a60637ac7ba271a2ec5dd9882a0537adb09fdf5b410666b0ceeb86ebaf1dbe1c5eb46699bc4b711695783703dbc893880a16818430a388797b9c9efd1454f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
505390362be1799ec32529de511107d4

SHA1
ecb2ee71a34deb0587f13e06c09e273ed33a8eb8

SHA256
12dc8316c5ef19218be94c78799afeb4dfa1c238d54345bebb0dab5c5b67646d

SHA512
811ed0ca275d5809a91cab0d404d83b0baa99ebdc0a700836e8b6b3c68a32b5995807660b973aa4750e51a9db5c9b58c363378f4475b8b5bcc9b2d0cbaaa6c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ca2d5e359f6b15d9c256e3de297ea23

SHA1
42e0ac9337d69d1d2fb11d17ef19dece7f2b5198

SHA256
fcca2245ff46dc25afd4cb894d58ba8309e36c38242791d8a23a75bf94134bed

SHA512
77a20a526fa5f69a90d2470a76755000c944ccb2abf7cdaa5866945430bd1b6032e31feef864e25df34ac1ba5597252b3fe37cefc3ff1898d052a32fc8d938ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c09e09df03c1732c0aa0cc8ea2d4f2b3

SHA1
623e81154c0d5ee083da5c00d31812e177847f5a

SHA256
6ca5bb0eaa827287a70448369e4f5774991c6327038fd302ec1a51d2539cdfd1

SHA512
db4c0040f26d7ad38df375893c9f2e113c43af4050f210926d4ba97dc476e2a545c923c7be7718846ba229a555041edbc4e9f82fa2ebf2c852b9916fad05ccdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14b59d9cf4c8c13de062f4a268a5ea0a

SHA1
3146e20581b06c266c3925e9afc4524d33fca965

SHA256
928d63abc8502e2f07636214fd753b85f8d4c68809afdb9cd0bcd3068ed44ea5

SHA512
89ddfd3b07c152d5543cd41016fb4242024ffd3a1dcf49cde0699d37bf74bc5d9aeb9969af81892058c62d613e51a90d08b6d1a8963af5c5278714ed12642fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc692ca680d769d1f9ddb8c351513505

SHA1
85a59da3c72cea704b357dec5993780a79691ae7

SHA256
94bdeb781bf6799a2edca14a91a3a974da6e9579e9156341a7f494d812e8d224

SHA512
fefeec0bc945d3a2443b91f98a283a9aaa589cbb13f723d6a56b01bfea761287b576f49556e30a4021f31347d86b69f320479f9483146e1bf49f0a08c0ad3fff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcd19b72abddf40c4d4f4011213e3d0f

SHA1
c4e48f1aabbd2848c24712f2bc5d7f27221d2ecd

SHA256
75df53142ff1c95ecfc43d32de112da1776910db9a3703fcee2f67f1b1928868

SHA512
dabb068a362371e88a19af9c5034607ebe8d6159825ab2894dbce7877c7c6eba06287036bb71c2332df38dacf56bea87c76c6a9b6424d67fecb3a606aae7f89f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec87c8af9d6f541402330892dc831d30

SHA1
21f02b46c16b18c48ffe656b69a31ee6d039e331

SHA256
8f2b4f18604c952e4d61e8ac2712497743e1e42cfbdb5b580e7c2ab2ffc0a712

SHA512
2c09ebd97e236e5f9dae0923ae90d041b5ce60d4c38eec1d65f3206c3194b9b77a6d97ac7938ce8bea2a5d6265c0db63a6d0a5bbe6ff239c9a03203c50806aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4215bfaaed954f90fd1c0f4fe172fc7

SHA1
34c9309ef56f909063b365b546dc5957a04a5bd7

SHA256
b081bc01615423dc425db90ba80a4138a64b757c9a3beeb07ddd6ed0a3b30cc7

SHA512
e6f3131867fe8e6cc97289734a9ad7b0231757d604b1c4feccd1487660749c3435cdf845ebd84d1aabfbe61e1dab6504d6f4b3b20b6cc727cdb673330d164ff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65cc8aa199fe7275eb0734a59dd0bd67

SHA1
ecdd69808cb547a4914bd1c47d4c2565e320a8ce

SHA256
ed08cf2b33e5e123478631a4948b03a9d539bb03097fab19bbdc3a916b5ef591

SHA512
7f7cb086daf3390e2ead4e92456f9a930b8dfe5e30fa595ee266cbf8e3844aac4e6ed09efb04304fc4ebc210e46fffe04e6685bc58812f4bbae00f9b42cb4224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
3246e3a516bdfdf77e500a31b8378d6f

SHA1
2b7e6b708bf108bf7b7d6c5dd0f3172563b57fbf

SHA256
d5220f7535d27af74a6eb70a649fd9fa80dcdd40e7f8cb860310f324d420d789

SHA512
9a104107f957d2dba3643a8ce6ce5a5d88c7d1648d4999e315ecb17a46cb6ab3cdf755972e3c65844239e2491e84d911a75e32c0862a63a4ead699c54ee4802f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e0d6cec0-a292-4c70-bb6c-d70c51b39b38.tmp

Filesize
9KB

MD5
504144875ee3325d32fe8a520d1a4a07

SHA1
23337f2f6f6e30e16eee5fc97cfebc119bc40bea

SHA256
af496129aded1a3596901132bd9b147c61c68d55f85c0ec8cb2495f3b32fb5d3

SHA512
41d939c2d9875e160a89127947f70ceb31f90b500d727a681c67ab939714bc33cc743f686fd729f7c8c5a1950a917ec49a1ef424568779fad02f2129d402a0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3695ee3cbb0ce5902173b639bd5cc956

SHA1
f7a40b3db07a923d6b954d67f3c1423b918dfa75

SHA256
91de52655c049384007df66d69d21eb1065e24edb45fe9cd324a0d3be179303c

SHA512
86b818ea430d68f744f18e0612d7c3d20c9da5ce25c02663841c27a60fb7a55e29c025117cbd7616841cc5c81c4e23434742c468441b9e150c2fa389dfd4ac30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2fecb3aa13876db4f157b60b4ecab866

SHA1
23802ea5a2003682a11bc84c3496c5db3ab70d0b

SHA256
4d71d564a252234026f2d6e7f6dbbf7bc5a943bf6a9ada8856ecce91172a1ce6

SHA512
288dec1103b626569e477f33f00a39a176534dc8e230d41e736e6f00b2da148b28f573a7cb43b5fba3e0a02391f24b2177fd89fafa4128482e565ffef891ee48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
1KB

MD5
cd48530bd8e623c8c70e28bcce887e80

SHA1
578b96fc5a0917250331db16f6625eb17d2c3409

SHA256
1c051ac06c180e5b6e00291e6d489e5169de770a5662206357b37869cd427974

SHA512
9bbd097ee6f05a648a8033818ffe43fab65a69842e7dce0c221914e0e0d2e7630ced1591ffbe9059e183d56f1ac10a7f61fe9eb15f3cc90d4cd172ead3055a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Builder.exe.log

Filesize
1KB

MD5
7691b76d082c036117114f9bec9e9142

SHA1
63a8ed6db4700c9379b2373778a5b256f3b46766

SHA256
e74e3413956f70b36eac1225af454552017ac540bb5756ff571cc2eb6134c7ed

SHA512
8a5da9db3c9c85161030a3094120b9e32db1e9587229742e9a2729cb564ec4633804a79e818f1c12276bd743aadd2c9596a44fec023c770032009afe2cf51f9c

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.pdb

Filesize
19KB

MD5
e0468434c2489d74199641856a9c2265

SHA1
8dc34b96ba7378f93dad3e731fc438a92685b13a

SHA256
713276677bcfb9fed27d545ab0b3591bf11fa9d6dd22739a00d43cb916a1a73f

SHA512
6a0f31354b42234f6878ea0d67eb5a012676c4c052817fb5936fee5cf31c43d065820cd6be2f20cf5361d4f5020e2dfdc6368a37bff3f958b6637689d2ca1e68

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\Mono.Cecil.pdb

Filesize
179KB

MD5
9a345fce8746876db39aa5622a771163

SHA1
0ef737ac80d795638e3d1daeb218dd4f88a0e344

SHA256
ecf13638359a5a9fe271966924cf543c4b440c2dc274e9d94069ef50bbc95482

SHA512
d5cb744998ef5e54ed95e75e9f7acecd0ad02e466f618a13f485d287dcfb9890f17685010891795646e25a289c63a70c721b5069a5c1803290363a76612781d0

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\build.exe

Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe.config

Filesize
186B

MD5
9070d769fd43fb9def7e9954fba4c033

SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f

SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\Panel\RedLine_20_2\Panel\serviceSettings.json

Filesize
74B

MD5
f68fc275618ebda8ed1db239477fc1ec

SHA1
fa146735521c2ed91dd6a58a1e7acb4d15c29a20

SHA256
acd56cdcbac572cda4ed22a9ce959e40f8de9e6794aed66585bdf3c51e08c400

SHA512
e8e3ddb79e250eabf3ccccc4f9b7521e6a87006ff0831dd0074e1b12b20a406d6e51dd35b9a9200c8fadcc6bd3f672fed40179abdb2325ed30a32232c2563443

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\ReadMe.txt

Filesize
643B

MD5
1aa5bac6cacd74746ec6c3eb28e0092b

SHA1
5ed229ae018700778a8b617c1c92baf0ceaf18c8

SHA256
e6bc141f184b9e8a476b3d79ff5b6d864b4a164915c641c7fcf1fefb95d44ac7

SHA512
7c5816c11824dadf9ff9e80b7eb8a4eb3efbfd2fd08a34b5d61ed148303ec6cfb313df4122b5d0a3151c943d8bc67ae6de9c3b1ef59371dd941da64609aa24a9

Download Submit
C:\Users\Admin\Downloads\Redline_20_2_crack\Redline_20_2_crack\Redline_20_2_crack\crack.exe

Filesize
8.1MB

MD5
f2b57b5540919c06c195d470e716a1af

SHA1
c2cb851e8554678af17fa39691937bbbf45a6c2d

SHA256
5dd0d92f643bd1ef94c4e5047b0ef81498eb3afbd2374939db8be6592423ffb9

SHA512
fd44e4bd8ad5492f8ce80504fef07bdf6c9d7cc59e95120bb98583748667559082e61e271589f07b3f18c3fe4828b2345b44afb23ce08a84c2f27b7adff011db

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/612-4391-0x00000000256A0000-0x0000000025A09000-memory.dmp

Filesize
3.4MB

Download
memory/612-4386-0x0000000021E50000-0x0000000021E80000-memory.dmp

Filesize
192KB

Download
memory/612-4385-0x0000000025150000-0x000000002525A000-memory.dmp

Filesize
1.0MB

Download
memory/612-4384-0x0000000021DD0000-0x0000000021E1F000-memory.dmp

Filesize
316KB

Download
memory/612-4379-0x0000000021EB0000-0x0000000021F4C000-memory.dmp

Filesize
624KB

Download
memory/612-4390-0x0000000021FD0000-0x0000000021FF2000-memory.dmp

Filesize
136KB

Download
memory/612-4362-0x00000000244D0000-0x0000000024520000-memory.dmp

Filesize
320KB

Download
memory/612-4361-0x0000000024520000-0x000000002456A000-memory.dmp

Filesize
296KB

Download
memory/612-4347-0x0000000020AD0000-0x0000000020B44000-memory.dmp

Filesize
464KB

Download
memory/612-4270-0x0000000020890000-0x00000000208A2000-memory.dmp

Filesize
72KB

Download
memory/612-4284-0x00000000208D0000-0x00000000208E2000-memory.dmp

Filesize
72KB

Download
memory/612-4298-0x0000000020930000-0x000000002096A000-memory.dmp

Filesize
232KB

Download
memory/612-4313-0x0000000020A20000-0x0000000020AD0000-memory.dmp

Filesize
704KB

Download
memory/612-4269-0x0000000020850000-0x000000002088C000-memory.dmp

Filesize
240KB

Download
memory/612-4268-0x0000000020750000-0x0000000020850000-memory.dmp

Filesize
1024KB

Download
memory/612-4267-0x0000000020130000-0x0000000020748000-memory.dmp

Filesize
6.1MB

Download
memory/612-4266-0x0000000020110000-0x000000002012A000-memory.dmp

Filesize
104KB

Download
memory/612-4252-0x000000001FC80000-0x000000001FF06000-memory.dmp

Filesize
2.5MB

Download
memory/612-4251-0x000000001FC10000-0x000000001FC76000-memory.dmp

Filesize
408KB

Download
memory/612-4406-0x0000000022020000-0x0000000022038000-memory.dmp

Filesize
96KB

Download
memory/1980-340-0x0000000000BC0000-0x0000000000BE4000-memory.dmp

Filesize
144KB

Download
memory/1980-346-0x00000000054F0000-0x0000000005502000-memory.dmp

Filesize
72KB

Download
memory/1980-352-0x0000000005800000-0x0000000005850000-memory.dmp

Filesize
320KB

Download
memory/1980-351-0x0000000005690000-0x00000000056B8000-memory.dmp

Filesize
160KB

Download
memory/1980-350-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-349-0x0000000005730000-0x00000000057FE000-memory.dmp

Filesize
824KB

Download
memory/1980-348-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/1980-344-0x0000000005400000-0x0000000005426000-memory.dmp

Filesize
152KB

Download
memory/1980-345-0x0000000005C80000-0x0000000006298000-memory.dmp

Filesize
6.1MB

Download
memory/1980-347-0x0000000005550000-0x000000000558C000-memory.dmp

Filesize
240KB

Download
memory/2216-8500-0x0000000004EA0000-0x0000000005126000-memory.dmp

Filesize
2.5MB

Download
memory/2216-8499-0x0000000004B10000-0x0000000004C10000-memory.dmp

Filesize
1024KB

Download
memory/2216-8498-0x0000000005750000-0x0000000005AB2000-memory.dmp

Filesize
3.4MB

Download
memory/2216-8493-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/2216-8501-0x0000000004C10000-0x0000000004C76000-memory.dmp

Filesize
408KB

Download
memory/2216-8502-0x0000000005AC0000-0x0000000005C3C000-memory.dmp

Filesize
1.5MB

Download
memory/2772-357-0x0000000008080000-0x0000000008690000-memory.dmp

Filesize
6.1MB

Download
memory/2772-356-0x0000000000F50000-0x0000000001186000-memory.dmp

Filesize
2.2MB

Download
memory/3052-336-0x0000000005C10000-0x0000000005C6E000-memory.dmp

Filesize
376KB

Download
memory/3052-332-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/3052-331-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/3052-330-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/3052-329-0x0000000000C70000-0x0000000000C98000-memory.dmp

Filesize
160KB

Download
memory/4044-406-0x000000001DA60000-0x000000001DBA2000-memory.dmp

Filesize
1.3MB

Download
memory/4044-410-0x000000001DA60000-0x000000001DBA2000-memory.dmp

Filesize
1.3MB

Download
memory/4044-383-0x000000001ABF0000-0x000000001AD90000-memory.dmp

Filesize
1.6MB

Download
memory/4044-385-0x000000001ABF0000-0x000000001AD90000-memory.dmp

Filesize
1.6MB

Download
memory/4044-384-0x000000001ABF0000-0x000000001AD90000-memory.dmp

Filesize
1.6MB

Download
memory/4044-401-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4044-399-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4044-397-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4044-395-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4044-394-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4044-405-0x000000001DA60000-0x000000001DBA2000-memory.dmp

Filesize
1.3MB

Download
memory/4044-381-0x00007FFCD35E0000-0x00007FFCD40A1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-418-0x000000001DE30000-0x000000001DF72000-memory.dmp

Filesize
1.3MB

Download
memory/4044-453-0x000000001E910000-0x000000001EEB4000-memory.dmp

Filesize
5.6MB

Download
memory/4044-445-0x000000001DB80000-0x000000001DB8A000-memory.dmp

Filesize
40KB

Download
memory/4044-437-0x000000001DB70000-0x000000001DB7A000-memory.dmp

Filesize
40KB

Download
memory/4044-446-0x00007FFCD6940000-0x00007FFCD6A8E000-memory.dmp

Filesize
1.3MB

Download
memory/4044-435-0x000000001DB70000-0x000000001DB7A000-memory.dmp

Filesize
40KB

Download
memory/4044-433-0x000000001DB70000-0x000000001DB7A000-memory.dmp

Filesize
40KB

Download
memory/4044-432-0x000000001DB70000-0x000000001DB7A000-memory.dmp

Filesize
40KB

Download
memory/4044-452-0x000000001E5A0000-0x000000001E902000-memory.dmp

Filesize
3.4MB

Download
memory/4044-486-0x000000001F380000-0x000000001F4FC000-memory.dmp

Filesize
1.5MB

Download
memory/4044-475-0x000000001F360000-0x000000001F37C000-memory.dmp

Filesize
112KB

Download
memory/4044-454-0x000000001F0C0000-0x000000001F152000-memory.dmp

Filesize
584KB

Download