dcrat | f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78

Analysis

max time kernel
1042s
max time network
1018s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2023 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

panel.exe
Size

16.4MB
MD5

1246b7d115005ce9fcc96848c5595d72
SHA1

fa3777c7fe670cea2a4e8267945c3137091c64b5
SHA256

f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78
SHA512

5bf90904cf74a8c3775498578d856dd9f4837077928cd7ce24e4a6ccec00827bcfb28c2079498ba682a4f53204d7ad2bb8de2489005c429dc968e75e26d29101
SSDEEP

393216:gyOsihmjY/uAKJkDk4x/aQsY3K/jRsBp:FOLhmjY/utek4x/aQsyKLuBp

Score

10^/10

dcrat redline sectoprat cheat infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2868	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6944	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7164	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7080	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7088	3116	schtasks.exe	178
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7108	3116	schtasks.exe	178

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b10b-1041.dat	family_redline
behavioral1/files/0x000600000001b129-1045.dat	family_redline
behavioral1/files/0x000600000001b129-1046.dat	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b10b-1041.dat	family_sectoprat
behavioral1/files/0x000600000001b129-1045.dat	family_sectoprat
behavioral1/files/0x000600000001b129-1046.dat	family_sectoprat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/4724-178-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat
behavioral1/memory/4724-272-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat
behavioral1/memory/4856-274-0x0000000000AA0000-0x0000000000EDC000-memory.dmp	dcrat
behavioral1/memory/4856-276-0x0000000000AA0000-0x0000000000EDC000-memory.dmp	dcrat
behavioral1/memory/4856-327-0x0000000000AA0000-0x0000000000EDC000-memory.dmp	dcrat

Deletes itself 1 IoCs

pid	Process
4056	panel.exe

Executes dropped EXE 64 IoCs

pid	Process
4724	mssurrogateProvider_protected.exe
4856	Idle.exe
7084	Kurome.Loader.exe
3120	Kurome.Loader.exe
5632	Kurome.Loader.exe
6332	Kurome.Host.exe
4984	Kurome.Builder.exe
6652	build.exe
4056	panel.exe
2596	mssurrogateProvider_protected.exe
2632	Panel.exe
5632	unsecapp.exe
5268	panel.exe
3412	mssurrogateProvider_protected.exe
1184	panel.exe
2056	mssurrogateProvider_protected.exe
6204	fontdrvhost.exe
5764	NetFramework48.exe
1920	Setup.exe
5396	Panel.exe
5824	firefox.exe
6096	SetupUtility.exe
6176	SetupUtility.exe
7100	panel.exe
5848	mssurrogateProvider_protected.exe
5264	Panel.exe
6940	sihost.exe
4300	Panel.exe
3492	dismhost.exe
6856	smss.exe
4716	conhost.exe
1380	spoolsv.exe
6792	taskhostw.exe
4768	Kurome.Loader.exe
3820	Kurome.Builder.exe
6440	build.exe
6228	RuntimeBroker.exe
6732	panel.exe
5940	mssurrogateProvider_protected.exe
4316	Panel.exe
1884	fontdrvhost.exe
6124	ApplicationFrameHost.exe
5136	panel.exe
904	mssurrogateProvider_protected.exe
3892	Panel.exe
6036	panel.exe
5072	explorer.exe
2680	panel.exe
4744	mssurrogateProvider_protected.exe
2636	Panel.exe
6564	mssurrogateProvider_protected.exe
4676	sysmon.exe
4544	panel.exe
4800	mssurrogateProvider_protected.exe
5076	panel.exe
6524	mssurrogateProvider_protected.exe
6020	panel.exe
5748	taskhostw.exe
6872	mssurrogateProvider_protected.exe
2620	Panel.exe
4100	dllhost.exe
4168	unsecapp.exe
6820	conhost.exe
2248	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
3120	Kurome.Loader.exe
3120	Kurome.Loader.exe
3120	Kurome.Loader.exe
3120	Kurome.Loader.exe
5632	Kurome.Loader.exe
5632	Kurome.Loader.exe
5632	Kurome.Loader.exe
5632	Kurome.Loader.exe
6332	Kurome.Host.exe
6332	Kurome.Host.exe
6332	Kurome.Host.exe
6332	Kurome.Host.exe
6332	Kurome.Host.exe
6332	Kurome.Host.exe
4984	Kurome.Builder.exe
4984	Kurome.Builder.exe
4984	Kurome.Builder.exe
4984	Kurome.Builder.exe
4984	Kurome.Builder.exe
4984	Kurome.Builder.exe
6652	build.exe
6652	build.exe
6652	build.exe
6652	build.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
5632	unsecapp.exe
5632	unsecapp.exe
5632	unsecapp.exe
5632	unsecapp.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
6204	fontdrvhost.exe
6204	fontdrvhost.exe
6204	fontdrvhost.exe
6204	fontdrvhost.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
5824	firefox.exe
5824	firefox.exe
5824	firefox.exe
5824	firefox.exe
5848	mssurrogateProvider_protected.exe
5848	mssurrogateProvider_protected.exe
5848	mssurrogateProvider_protected.exe
5848	mssurrogateProvider_protected.exe
6940	sihost.exe
6940	sihost.exe
6940	sihost.exe
6940	sihost.exe
3492	dismhost.exe
3492	dismhost.exe
3492	dismhost.exe
3492	dismhost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Setup.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\aspnet_counters.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\msvcp120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\msvcp140_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\SysWOW64\msvcp120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\syswow64\msvcr120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\SysWOW64\msvcr100_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\SysWOW64\msvcr120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\syswow64\msvcp120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\msvcr100_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\msvcr120_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\en-us\dfshim.dll.mui	Setup.exe
File opened for modification	\??\c:\windows\syswow64\aspnet_counters.dll	Setup.exe
File opened for modification	\??\c:\windows\SysWOW64\en-us\dfshim.dll.mui	Setup.exe
File opened for modification	\??\c:\windows\syswow64\msvcr100_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\syswow64\vcruntime140_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\syswow64\ucrtbase_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\ucrtbase_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\system32\vcruntime140_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\syswow64\msvcp140_clr0400.dll	Setup.exe
File opened for modification	\??\c:\windows\SysWOW64\aspnet_counters.dll	Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4856	Idle.exe
4856	Idle.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
5632	unsecapp.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
6204	fontdrvhost.exe
2056	mssurrogateProvider_protected.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
6204	fontdrvhost.exe
5824	firefox.exe
5824	firefox.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe
5396	Panel.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Taskmgr.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\26c0874a440494	mssurrogateProvider_protected.exe
File created	C:\Program Files\WindowsPowerShell\6cb0b6c459d5d3	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\Panel.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\MSBuild\Microsoft\wininit.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ea9f0e6c9e2dcd	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ea9f0e6c9e2dcd	mssurrogateProvider_protected.exe
File created	C:\Program Files\Common Files\Services\0fc223bdacedc3	mssurrogateProvider_protected.exe
File opened for modification	\??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_client.xml	Setup.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\24dbde2999530e	mssurrogateProvider_protected.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\6ccacd8608530f	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\lsass.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\7-Zip\6cb0b6c459d5d3	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Portable Devices\61ed303a283eee	mssurrogateProvider_protected.exe
File created	C:\Program Files\Java\mssurrogateProvider_protected.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	mssurrogateProvider_protected.exe
File created	C:\Program Files\MSBuild\Microsoft\56085415360792	mssurrogateProvider_protected.exe
File opened for modification	\??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_extended.xml	Setup.exe
File created	C:\Program Files\Windows Portable Devices\e6c9b481da804f	mssurrogateProvider_protected.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\MSBuild\Microsoft\5940a34987c991	mssurrogateProvider_protected.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\5940a34987c991	mssurrogateProvider_protected.exe
File created	C:\Program Files\Java\61ed303a283eee	mssurrogateProvider_protected.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Idle.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender\Offline\f3b6ecef712a24	mssurrogateProvider_protected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\200f98429d280b	mssurrogateProvider_protected.exe
File created	C:\Program Files\Microsoft Office\Office16\sihost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Portable Devices\mssurrogateProvider_protected.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Security\f3b6ecef712a24	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\CrashReports\Idle.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender\Offline\spoolsv.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\Panel.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe	mssurrogateProvider_protected.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\dllhost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\26c0874a440494	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\OfficeClickToRun.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6ccacd8608530f	mssurrogateProvider_protected.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Microsoft Office\Office16\66fc9ff0ee96c2	mssurrogateProvider_protected.exe
File created	C:\Program Files\7-Zip\Lang\sysmon.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender\en-US\Panel.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Microsoft.NET\ApplicationFrameHost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\56085415360792	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender\en-US\26c0874a440494	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\66fc9ff0ee96c2	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\Panel.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\wininit.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\WindowsPowerShell\dwm.exe	mssurrogateProvider_protected.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\config\legacy.web_lowtrust.config	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.resources.resourcemanager.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\dfdll.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.workflow.componentmodel.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.web.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms.datavisualization\v4.0_4.0.0.0__31bf3856ad364e35\system.windows.forms.datavisualization.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.workflow.compiler.exe.config	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.dynamic.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\installsqlstatetemplate.sql	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.web.extensions.design.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.servicemodel.servicemoniker40.dll	Setup.exe
File created	C:\Windows\Downloaded Program Files\27d1bcfc3c54e0	mssurrogateProvider_protected.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.nettcp\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.servicemodel.nettcp.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\1033\filetrackerui.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.csharp.dll	Setup.exe
File opened for modification	\??\c:\windows\inf\smsvchost 4.0.0.0\_smsvchostperfcounters.h	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_64\system.web\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.web.dll	Setup.exe
File opened for modification	\??\c:\windows\inf\.net clr data\_dataperfcounters.h	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_64\presentationcore\v4.0_4.0.0.0__31bf3856ad364e35\globaluserinterface.compositefont	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state_perf.ini	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\addinprocess.exe.config	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.web.extensions\v4.0_4.0.0.0__31bf3856ad364e35\system.web.extensions.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\security\wizard\app_localresources\wizardauthentication.ascx.resx	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.net.websockets.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.threading.thread.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.enterpriseservices.wrapper.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\addinprocess.exe	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscordacwks.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\config\browsers\gateway.browser	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.xml.xdocument\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.xml.xdocument.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.drawing.design.dll	Setup.exe
File opened for modification	\??\c:\windows\inf\.net memory cache 4.0\netmemorycache.ini	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\image2.gif	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\wpf\system.windows.presentation.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.servicemodel.routing.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.data.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.runtime.remoting\v4.0_4.0.0.0__b77a5c561934e089\system.runtime.remoting.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms.datavisualization.design\v4.0_4.0.0.0__31bf3856ad364e35\system.windows.forms.datavisualization.design.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\image1.gif	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\en-us\workflowservicehostperformancecounters.dll.mui	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\app_localresources\home1.aspx.resx	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\helpicon_solid.gif	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\app_localresources\webadminhelp_application.aspx.resx	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\system.runtime.windowsruntime.ui.xaml.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.data.services.client.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.runtime.interopservices.runtimeinformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.runtime.interopservices.runtimeinformation.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\jsc.exe.config	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\microsoft.internal.tasks.dataflow.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.drawing.primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.drawing.primitives.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\wpf\uiautomationtypes.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\wpf\fonts\globalserif.compositefont	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\adonetdiag.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\en-us\servicemodelregui.dll.mui	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\microsoft.build.conversion.v4.0.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.numerics\v4.0_4.0.0.0__b77a5c561934e089\system.numerics.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\system.data.services.design.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\providers\manageproviders.aspx	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\wpf\presentationframework-systemxml.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsecimpl.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.xml.readerwriter\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.xml.readerwriter.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.componentmodel.annotations\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.componentmodel.annotations.dll	Setup.exe
File opened for modification	\??\c:\windows\microsoft.net\assembly\gac_msil\system.security.securestring\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.security.securestring.dll	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4048	2632	WerFault.exe	177
1836	5264	WerFault.exe	304
3932	2620	WerFault.exe	584
6448	2636	WerFault.exe	465

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5508	schtasks.exe
888	schtasks.exe
2572	schtasks.exe
3680	schtasks.exe
2920	schtasks.exe
5188	schtasks.exe
5524	schtasks.exe
6356	schtasks.exe
4848	schtasks.exe
6948	schtasks.exe
3120	schtasks.exe
1532	schtasks.exe
4188	schtasks.exe
6084	schtasks.exe
4176	schtasks.exe
6740	schtasks.exe
5976	schtasks.exe
5132	schtasks.exe
6420	schtasks.exe
5820	schtasks.exe
5080	schtasks.exe
6880	schtasks.exe
5272	schtasks.exe
5928	schtasks.exe
4112	schtasks.exe
6276	schtasks.exe
5200	schtasks.exe
4048	schtasks.exe
5704	schtasks.exe
6400	schtasks.exe
2296	schtasks.exe
2012	schtasks.exe
5612	schtasks.exe
4684	schtasks.exe
1656	schtasks.exe
4328	schtasks.exe
744	schtasks.exe
4456	schtasks.exe
5048	schtasks.exe
2404	schtasks.exe
5924	schtasks.exe
6140	schtasks.exe
2848	schtasks.exe
5688	schtasks.exe
4964	schtasks.exe
6524	schtasks.exe
5636	schtasks.exe
5244	schtasks.exe
5048	schtasks.exe
3468	schtasks.exe
5660	schtasks.exe
5852	schtasks.exe
5268	schtasks.exe
6280	schtasks.exe
6920	schtasks.exe
3396	schtasks.exe
5740	schtasks.exe
4140	schtasks.exe
4792	schtasks.exe
3396	schtasks.exe
4724	schtasks.exe
5764	schtasks.exe
5536	schtasks.exe
6476	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Redline-crack-by-rzt.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4724	mssurrogateProvider_protected.exe
4856	Idle.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
2596	mssurrogateProvider_protected.exe
5632	unsecapp.exe
5632	unsecapp.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
2632	Panel.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
2632	Panel.exe
3412	mssurrogateProvider_protected.exe
3412	mssurrogateProvider_protected.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2632	Panel.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2632	Panel.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2632	Panel.exe
2056	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
2632	Panel.exe
2632	Panel.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6864	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
628	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	4856	Idle.exe
Token: SeDebugPrivilege	2320	firefox.exe
Token: SeDebugPrivilege	2320	firefox.exe
Token: SeDebugPrivilege	2320	firefox.exe
Token: SeRestorePrivilege	6788	7zG.exe
Token: 35	6788	7zG.exe
Token: SeSecurityPrivilege	6788	7zG.exe
Token: SeSecurityPrivilege	6788	7zG.exe
Token: SeDebugPrivilege	7084	Kurome.Loader.exe
Token: SeDebugPrivilege	3120	Kurome.Loader.exe
Token: SeDebugPrivilege	5632	Kurome.Loader.exe
Token: SeDebugPrivilege	6332	Kurome.Host.exe
Token: SeDebugPrivilege	4984	Kurome.Builder.exe
Token: SeDebugPrivilege	6652	build.exe
Token: SeDebugPrivilege	6824	firefox.exe
Token: SeDebugPrivilege	6824	firefox.exe
Token: SeDebugPrivilege	2596	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	2632	Panel.exe
Token: SeDebugPrivilege	5632	unsecapp.exe
Token: SeDebugPrivilege	3412	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	2056	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	6204	fontdrvhost.exe
Token: SeDebugPrivilege	5396	Panel.exe
Token: SeDebugPrivilege	1920	Setup.exe
Token: SeDebugPrivilege	5824	firefox.exe
Token: SeDebugPrivilege	1920	Setup.exe
Token: SeDebugPrivilege	1920	Setup.exe
Token: SeShutdownPrivilege	5228	svchost.exe
Token: SeCreatePagefilePrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: SeLoadDriverPrivilege	5228	svchost.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: SeDebugPrivilege	1920	Setup.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe
Token: SeIncBasePriorityPrivilege	5396	Panel.exe
Token: 33	5396	Panel.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2320	firefox.exe
2320	firefox.exe
2320	firefox.exe
2320	firefox.exe
6788	7zG.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
1920	Setup.exe
1920	Setup.exe
1920	Setup.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
4300	Panel.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2320	firefox.exe
2320	firefox.exe
2320	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe
6864	taskmgr.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
4724	mssurrogateProvider_protected.exe
4856	Idle.exe
2320	firefox.exe
2320	firefox.exe
2320	firefox.exe
2320	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
6824	firefox.exe
2596	mssurrogateProvider_protected.exe
5632	unsecapp.exe
3412	mssurrogateProvider_protected.exe
2056	mssurrogateProvider_protected.exe
6204	fontdrvhost.exe
5764	NetFramework48.exe
5824	firefox.exe
5848	mssurrogateProvider_protected.exe
6940	sihost.exe
1920	Setup.exe
6856	smss.exe
4716	conhost.exe
1380	spoolsv.exe
6792	taskhostw.exe
6440	build.exe
6228	RuntimeBroker.exe
5940	mssurrogateProvider_protected.exe
1884	fontdrvhost.exe
904	mssurrogateProvider_protected.exe
6124	ApplicationFrameHost.exe
5072	explorer.exe
4744	mssurrogateProvider_protected.exe
6564	mssurrogateProvider_protected.exe
4676	sysmon.exe
4800	mssurrogateProvider_protected.exe
6524	mssurrogateProvider_protected.exe
5748	taskhostw.exe
6872	mssurrogateProvider_protected.exe
4100	dllhost.exe
4168	unsecapp.exe
6820	conhost.exe
2248	firefox.exe
5644	build.exe
32	RuntimeBroker.exe
6152	spoolsv.exe
4316	sppsvc.exe
6752	InstallAgent.exe
3812	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4724	4516	panel.exe	70
PID 4516 wrote to memory of 4724	4516	panel.exe	70
PID 4516 wrote to memory of 4724	4516	panel.exe	70
PID 4724 wrote to memory of 4856	4724	mssurrogateProvider_protected.exe	123
PID 4724 wrote to memory of 4856	4724	mssurrogateProvider_protected.exe	123
PID 4724 wrote to memory of 4856	4724	mssurrogateProvider_protected.exe	123
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 304 wrote to memory of 2320	304	firefox.exe	126
PID 2320 wrote to memory of 2296	2320	firefox.exe	127
PID 2320 wrote to memory of 2296	2320	firefox.exe	127
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128
PID 2320 wrote to memory of 4596	2320	firefox.exe	128

C:\Users\Admin\AppData\Local\Temp\panel.exe
"C:\Users\Admin\AppData\Local\Temp\panel.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Program Files (x86)\Google\CrashReports\Idle.exe
    "C:\Program Files (x86)\Google\CrashReports\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\InstallAgent.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Users\Public\Pictures\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\Offline\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:304
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.0.1080615446\341328000" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1704 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4ecb161-9a41-4198-baf4-7970cc484740} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1796 2161a1c1a58 gpu
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.1.1022876748\1072643368" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {811b8d0c-ff32-4480-917e-165da800715c} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2152 2160f071658 socket
    3⤵
    PID:4596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.2.609671391\927725448" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e84ad08-56bd-4650-afe3-8e67b7a358db} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2596 2161e2aae58 tab
    3⤵
    PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.3.1118136573\215199395" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4881f9d2-325e-4818-bc0a-21f3af337277} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 3388 2161ca35258 tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.4.1787684263\95586109" -childID 3 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d0c83c7-e8bc-4ed2-8aa4-f55f25003922} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 3872 2161f290458 tab
    3⤵
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.7.847333410\1205898704" -childID 6 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94406551-f031-4691-957d-bdbc903caac9} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 4996 21620678558 tab
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.6.15318859\653627524" -childID 5 -isForBrowser -prefsHandle 4856 -prefMapHandle 4860 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {013494a8-0222-44cd-8a4e-b9d3b38f14bc} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 4848 2162067b858 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.5.1835695430\325431777" -childID 4 -isForBrowser -prefsHandle 4720 -prefMapHandle 4692 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2a2b06d-6eea-45f2-bf03-f6e13c16cd25} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 4704 216205d2d58 tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.8.2096948067\1673620062" -childID 7 -isForBrowser -prefsHandle 5500 -prefMapHandle 5544 -prefsLen 26874 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {329f3a0f-6179-4ae9-b688-b5fa29b550c5} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5556 2161a489a58 tab
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.9.392928497\267660689" -childID 8 -isForBrowser -prefsHandle 2724 -prefMapHandle 2620 -prefsLen 26874 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4b4f9a8-0c56-449d-b5a5-15805bd012f6} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5400 21621dcc958 tab
    3⤵
    PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.10.202044201\1220986860" -childID 9 -isForBrowser -prefsHandle 9596 -prefMapHandle 9600 -prefsLen 26914 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {009d05f1-e285-42ff-968d-a0e58f9bdba9} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 9584 21623a5bc58 tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.13.1503644858\140012541" -childID 12 -isForBrowser -prefsHandle 8552 -prefMapHandle 8548 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5d6ec3b-9a71-4591-8215-d90a92a62025} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8560 2162420d558 tab
    3⤵
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.12.1076163284\283243455" -childID 11 -isForBrowser -prefsHandle 8660 -prefMapHandle 8664 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9550068-b08f-47f0-838f-450ac823f688} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8740 2162420ed58 tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.11.501005322\1668296833" -childID 10 -isForBrowser -prefsHandle 8888 -prefMapHandle 8892 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd565f9b-2840-4ab5-bd42-b41e11401431} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8880 21623e0b058 tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.15.1874668911\1647000380" -childID 14 -isForBrowser -prefsHandle 8492 -prefMapHandle 8488 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5f6d4ad-c628-4202-ba03-f160f08cefdb} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8496 21623e09858 tab
    3⤵
    PID:5360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.14.859916341\565711408" -childID 13 -isForBrowser -prefsHandle 8268 -prefMapHandle 8264 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c3c630-8333-4998-998b-bf5da6081476} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8280 2161f6d9f58 tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.16.1515245792\1153755431" -childID 15 -isForBrowser -prefsHandle 8684 -prefMapHandle 8680 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c617104-becf-4d85-a072-0f776ca31282} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8692 21624231f58 tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.17.2100815858\522543202" -childID 16 -isForBrowser -prefsHandle 7824 -prefMapHandle 7592 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f15a6f5-50f9-442c-b2fe-459b32008a9d} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 7580 2162433b058 tab
    3⤵
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.18.1303411925\365572134" -childID 17 -isForBrowser -prefsHandle 8492 -prefMapHandle 2752 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d46688-760b-4087-a839-bc7352529ed8} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 7672 21622ce7258 tab
    3⤵
    PID:6168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.19.1382350041\581579118" -childID 18 -isForBrowser -prefsHandle 7196 -prefMapHandle 7200 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2efdd83-3d76-47eb-a344-df2013f33fe5} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 7188 2161b82bb58 tab
    3⤵
    PID:6240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.20.606965743\833963672" -childID 19 -isForBrowser -prefsHandle 7056 -prefMapHandle 6984 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf58dd5f-dbc6-4867-bc4e-ad365dd25662} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 8492 2161b82eb58 tab
    3⤵
    PID:6280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.21.1666958962\2049483096" -childID 20 -isForBrowser -prefsHandle 6932 -prefMapHandle 6936 -prefsLen 27179 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53255034-ea8c-40ac-8bb2-58103d01b337} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5508 21623d52b58 tab
    3⤵
    PID:6452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Redline-crack-by-rzt\" -spe -an -ai#7zMap17919:102:7zEvent29282
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6788

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7084

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6332

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.0.1403879084\537309722" -parentBuildID 20221007134813 -prefsHandle 1600 -prefMapHandle 1576 -prefsLen 21325 -prefMapSize 232814 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ec2c417-05be-497e-b8ec-2cb7706c5996} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 1680 234c27f0f58 gpu
    3⤵
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.1.1625417507\441563450" -parentBuildID 20221007134813 -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21370 -prefMapSize 232814 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cfbaae6-f365-4165-8906-349893b97ad4} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 2000 234b78daf58 socket
    3⤵
    PID:3084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.2.50528529\1932162431" -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2716 -prefsLen 21831 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17b1d637-5612-4fed-af4f-d9c617ab1f31} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 2732 234c632f958 tab
    3⤵
    PID:3188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.4.455490889\875732431" -childID 3 -isForBrowser -prefsHandle 3132 -prefMapHandle 3784 -prefsLen 27182 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63e932fa-c9ab-48f9-ac38-f1c1a88da18c} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 3492 234c7ff7858 tab
    3⤵
    PID:248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.3.181080195\230790711" -childID 2 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 27182 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63a6ea91-11a2-41ff-984e-65198b2e5be0} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 3344 234c76b5a58 tab
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.5.149858611\1962200392" -childID 4 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 27182 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69242c2f-9f8c-4989-875e-88249fd37670} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 4408 234c7ff9f58 tab
    3⤵
    PID:3520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.6.1958647071\625343877" -childID 5 -isForBrowser -prefsHandle 4612 -prefMapHandle 4616 -prefsLen 27182 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb18f48-2335-470a-a84d-53f57c92a618} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 4604 234c8b27558 tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6824.7.830346460\570235286" -childID 6 -isForBrowser -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 27182 -prefMapSize 232814 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94689d95-9f9c-4bfc-a9cc-e7637edf4ce6} 6824 "\\.\pipe\gecko-crash-server-pipe.6824" 4892 234c8b25458 tab
    3⤵
    PID:5364

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies registry class
PID:4056
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2596
- - C:\Users\Default User\unsecapp.exe
    "C:\Users\Default User\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5632
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:5396
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2632 -s 2128
    3⤵
    - Program crash
    PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\odt\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
PID:6792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default\Pictures\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5000

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5268
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H5Fujp527S.bat"
    3⤵
    PID:6976
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4060
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2264
  - - C:\odt\fontdrvhost.exe
      "C:\odt\fontdrvhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\services.exe'" /f
1⤵
PID:6808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
1⤵
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f
1⤵
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
PID:5228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /f
1⤵
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 5 /tr "'C:\odt\firefox.exe'" /f
1⤵
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "buildb" /sc MINUTE /mo 13 /tr "'C:\odt\build.exe'" /f
1⤵
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "build" /sc ONLOGON /tr "'C:\odt\build.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "buildb" /sc MINUTE /mo 6 /tr "'C:\odt\build.exe'" /rl HIGHEST /f
1⤵
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\dwm.exe'" /f
1⤵
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\dwm.exe'" /rl HIGHEST /f
1⤵
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\dwm.exe'" /f
1⤵
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\dwm.exe'" /rl HIGHEST /f
1⤵
PID:6780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\dwm.exe'" /rl HIGHEST /f
1⤵
PID:1108

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1184
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAiD6FNIJb.bat"
    3⤵
    PID:4396
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5712
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4584
  - - C:\Program Files\Common Files\Services\firefox.exe
      "C:\Program Files\Common Files\Services\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\unsecapp.exe'" /f
1⤵
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /f
1⤵
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /f
1⤵
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe'" /f
1⤵
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe'" /rl HIGHEST /f
1⤵
PID:6916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\sihost.exe'" /rl HIGHEST /f
1⤵
PID:7012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\firefox.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\firefox.exe'" /rl HIGHEST /f
1⤵
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\odt\firefox.exe'" /f
1⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\firefox.exe'" /rl HIGHEST /f
1⤵
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\odt\firefox.exe'" /rl HIGHEST /f
1⤵
PID:7152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:7160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\firefox.exe'" /f
1⤵
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5888

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\NetFramework48.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\NetFramework48.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5764
- F:\a81922cb2d4a82d9b4\Setup.exe
  F:\a81922cb2d4a82d9b4\\Setup.exe /x86 /x64 /web
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1920
- - F:\a81922cb2d4a82d9b4\SetupUtility.exe
    SetupUtility.exe /aupause
    3⤵
    - Executes dropped EXE
    PID:6096
- - F:\a81922cb2d4a82d9b4\SetupUtility.exe
    SetupUtility.exe /screboot
    3⤵
    - Executes dropped EXE
    PID:6176
- - C:\Windows\System32\dism.exe
    dism.exe /quiet /norestart /online /add-package /packagepath:"F:\a81922cb2d4a82d9b4\Windows10.0-KB4486129-x64.cab"
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\5167DBE6-6113-4BF3-AC61-8332239C3E82\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\5167DBE6-6113-4BF3-AC61-8332239C3E82\dismhost.exe {2961931E-E0FB-41AF-A610-2B47454FA65F}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\services.exe'" /f
1⤵
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /f
1⤵
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
PID:5256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:6372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f
1⤵
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6084

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:2032

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:5600

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:6696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:2024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5228

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:6476

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:7100
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5848
- - C:\Program Files\Microsoft Office\Office16\sihost.exe
    "C:\Program Files\Microsoft Office\Office16\sihost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6940
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4300
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5264 -s 1996
    3⤵
    - Program crash
    PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /f
1⤵
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /f
1⤵
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /f
1⤵
PID:5972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f
1⤵
PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5380

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6864

C:\Users\All Users\Application Data\smss.exe
"C:\Users\All Users\Application Data\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6856

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716

C:\odt\spoolsv.exe
C:\odt\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1380

C:\odt\taskhostw.exe
C:\odt\taskhostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6792

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
PID:3820

C:\odt\build.exe
C:\odt\build.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6440

C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline-crack-by-rzt\ReadMe.txt
1⤵
PID:4164

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:6732
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mdKUgBk0An.bat"
    3⤵
    PID:6728
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:6592
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:6332
  - - C:\odt\fontdrvhost.exe
      "C:\odt\fontdrvhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1884
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /f
1⤵
PID:5576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /f
1⤵
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /f
1⤵
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Taskmgr.exe'" /f
1⤵
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Taskmgr" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Taskmgr.exe'" /rl HIGHEST /f
1⤵
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Taskmgr.exe'" /rl HIGHEST /f
1⤵
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:7044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /f
1⤵
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
PID:6172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\Panel.exe'" /f
1⤵
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Panel.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\Panel.exe'" /rl HIGHEST /f
1⤵
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /f
1⤵
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:7016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /f
1⤵
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
PID:6352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
PID:6776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
PID:7008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
1⤵
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\mssurrogateProvider_protected.exe'" /f
1⤵
PID:7004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline-crack-by-rzt\ReadMe.txt
1⤵
PID:1880

C:\Users\Default\AppData\ApplicationFrameHost.exe
C:\Users\Default\AppData\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6124

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5136
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rYYcThIVM7.bat"
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2928
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5680
  - - C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Panel.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Panel.exe'" /rl HIGHEST /f
1⤵
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Panel.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\mssurrogateProvider_protected.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Program Files\Java\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
PID:6912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
PID:6924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
PID:6876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe'" /f
1⤵
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\explorer.exe'" /rl HIGHEST /f
1⤵
PID:7048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /f
1⤵
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:7088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
1⤵
PID:3364

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
1⤵
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\notepad.exe'" /f
1⤵
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepad" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\notepad.exe'" /rl HIGHEST /f
1⤵
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\notepad.exe'" /rl HIGHEST /f
1⤵
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
PID:6244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Panel.exe'" /f
1⤵
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Panel.exe'" /rl HIGHEST /f
1⤵
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Panel.exe'" /rl HIGHEST /f
1⤵
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\System.exe'" /f
1⤵
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:6172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Panel.exe'" /f
1⤵
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Panel.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Panel.exe'" /rl HIGHEST /f
1⤵
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:4004

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2680
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yabN673CUK.bat"
      4⤵
      PID:5708
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5576
      - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5428
    - - C:\Windows\de-DE\sysmon.exe
        
        "C:\Windows\de-DE\sysmon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4676
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2620 -s 2216
      4⤵
      Program crash
      PID:3932
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2636 -s 2688
    3⤵
    - Program crash
    PID:6448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:7044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:6196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Panel.exe'" /f
1⤵
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Panel.exe'" /rl HIGHEST /f
1⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Panel.exe'" /rl HIGHEST /f
1⤵
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:6776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Panel.exe'" /f
1⤵
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Panel.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Panel.exe'" /rl HIGHEST /f
1⤵
PID:6764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /f
1⤵
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
PID:7164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe'" /f
1⤵
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe'" /rl HIGHEST /f
1⤵
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /f
1⤵
PID:5936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:5632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
PID:6664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /f
1⤵
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\wininit.exe'" /f
1⤵
PID:6436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\wininit.exe'" /rl HIGHEST /f
1⤵
PID:6788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:7012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\notepad.exe'" /f
1⤵
PID:5392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepad" /sc ONLOGON /tr "'C:\Users\All Users\Templates\notepad.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\notepad.exe'" /rl HIGHEST /f
1⤵
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\sysmon.exe'" /f
1⤵
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:7036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:620

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4544
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat"
    3⤵
    PID:6444
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2496
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:6336
  - - C:\odt\taskhostw.exe
      "C:\odt\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\ApplicationFrameHost.exe'" /f
1⤵
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\dwm.exe'" /f
1⤵
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\dwm.exe'" /rl HIGHEST /f
1⤵
PID:6360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /f
1⤵
PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:6736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:5956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\OfficeClickToRun.exe'" /f
1⤵
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:6256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /f
1⤵
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4176

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5076
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2cYsD2QxcS.bat"
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:812
    - - C:\Windows\System32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5344
  - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe
      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:7012

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:6020
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6872

C:\Windows\en-US\unsecapp.exe
C:\Windows\en-US\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6820

C:\Program Files\Common Files\Services\firefox.exe
"C:\Program Files\Common Files\Services\firefox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248

C:\odt\build.exe
C:\odt\build.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\RuntimeBroker.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:32

C:\Program Files\7-Zip\Lang\spoolsv.exe
"C:\Program Files\7-Zip\Lang\spoolsv.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6152

C:\Users\Default\sppsvc.exe
C:\Users\Default\sppsvc.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\InstallAgent.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6752

C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe
"C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\Idle.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Program Files (x86)\Google\CrashReports\Idle.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Loader.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smss.exe.log

Filesize
484B

MD5
49bddeedfc82481ba9d2c17cfce37675

SHA1
5a45bfedf3a990883bfc1a1fa2affbe5db94b6fb

SHA256
ab656bebc4d9c75956304be395323a41c282c748ae8e8ab2e46e0031f1cb8578

SHA512
9fa56622319d5e6fccacb2b7f5c5bda48a871e282b6d488822dd8e8349288626d6cc5960eb891df2a6268e67daac3c88e2d4bee450b4981d56789799551c6a24

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
8d169ce987d07275a671707ea9d1e1e9

SHA1
4529bf7aa41c6c5ab8e9557dca2297823ee9fe5a

SHA256
dfa01611609a6802f4eeeadd8fb3dc2c5d1bc14c05731ff73444953884824a3b

SHA512
f37c670467de9511cdec159e4930bb9981d15313816ffacfd0b8ec8ddb2b92a3689d9c5463f0168bde143246df334e159519b76ec920f98ad96cac2da419c9a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
0ec85791b4b21c0731338e8c31b7c1f5

SHA1
b7b5dee80260e5507456d11b21df101bc7fcd519

SHA256
16d0ade5cc08c601448b3af4701c2bd77b7275dbaece827baf8319346068a387

SHA512
81dfd96014e186605267fff2812dd65e9c05d71d063fdce1f96d2bae2f555bfb0dbe506545d45f7598222aa1acee051177d4cc593094c42c79565b58ef84fc01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\cache2\doomed\26198

Filesize
7KB

MD5
577731d891859664d03202181761fdaa

SHA1
3e248f1b573475a07dfd2d5a4de5736bdc25bda5

SHA256
155cfce46fc006a930d2509e79cdaf58ac30a14ba160737731155996405d8aec

SHA512
ef7073329e2f79eec87dbc4ec9960bae6673e5bfb200147ea3313e2871e6007c3816f154e2ba446e9542a82f2894a9115fbfe00783814ce2687cc1457789e7db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\cache2\doomed\5571

Filesize
10KB

MD5
4421ad855dd0f7b24bec2dc6c044f924

SHA1
c942f29e193ce8e2a6be1f2ecda49f2de3e5fd74

SHA256
3312c2f64da66ed0b2b5f9a98cdceda459e7319243a5e3d4c7dc6314de78589d

SHA512
47bd5ccbd02906fc0198fc2527b8a3364c75d5346249d338f6979f66f9340006869cb687131eec2cc8774582dac6f29344511c68efea64755cc7df96543ddc2e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\cache2\doomed\7637

Filesize
7KB

MD5
f5d3971665789597e7a9bd8b0569e66a

SHA1
4dd66cad13a27ed9e9c3262b536195c6c9ecade7

SHA256
626d4c90c737adda27cc31f2057bb7c11a0c054014920e9e96c0f79d73e630df

SHA512
1d32287c78732a15c063547be0c0aa1d6dffcd2b66eb6654e482d4224b292ee6a9bf7da2990605921e1e8bc6fa1444816ff81b185f9c4bdad70bc630821dfe1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\16tg48g1.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
be3f88d713bc78e14c87c1ac65c99a43

SHA1
53af6250c6ca5fd1b9e66cfada8737e0421af2a8

SHA256
94eacc00db4e9de849dba24c42505f7d6a3f8f09a42b006142769e2122922512

SHA512
4b2a7403a611f4f6f89eb15f34821e714410931ee974abf9ad3112a84953b8392d4040b37554c18863edb954b5ee0df43f4a0e9ceffb848084d890fc1d5d25ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20230703_105838068.html

Filesize
16KB

MD5
695c14c229b01a5a7079d450ac6129f6

SHA1
5d41a4b393c420e7cca23afa4965d050a5de0345

SHA256
6d63dc6fe6a5565a82815bd1b2cae8cb35ef00a9b0c4daa89219fc0d0ff44e01

SHA512
80a28e90e169f5160568eda739abfcdfb715a06e262e91f2f04973ca590684aa5e9c3049a7caebbffad74bd1a3f957dde4d694976884913a7321395582785606

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\SiteSecurityServiceState.txt

Filesize
623B

MD5
017abacbb1661e7fff4cc54d8c20b53f

SHA1
0d4131e75f9773f7f7675a6ac1ce73db52b6adcb

SHA256
a6e05672741e43bd0ffabea4ee7b608b437266700948f59427c9561a34542b00

SHA512
32027a942bb9bc4f37dac4468aee52b9129dc62f42fdf279378ce018d31eb3fd8501b671690d9129eae3c602f60acd73061b3845a6996db1036b329a862a73ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\cert9.db

Filesize
288KB

MD5
509fddfcb6814a5e4f5686a24209c0d9

SHA1
e79006ebd612bd90037f4e338bd5364af4c52cb8

SHA256
52d34c1d3c75d7098d72042a666e53583db243798460272f54aab134132eb97d

SHA512
d68085a7346b93f3a3cc9de82e32940d533526c4ba580c977630135cd2013dcd94b247dd7b68bc9780f682b4d2a5f7a2bc3c104c444632bfd7fa7d5eb5dddbdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\cookies.sqlite

Filesize
512KB

MD5
ba521ef8f31c70f3d85678f3eba24d9a

SHA1
e5d5352c04f9e6c9fd11b929fdce2af690f50fa7

SHA256
3a448b80d1366c35e7b5ea2877c7a6e5f565f110e4239e587808a1bd00ff97bc

SHA512
d80945a5b057336085193bd84bfe51d9e2987fa8086322b6ab7a3e18144a57913c691f84e126df88a92e2d14bf2436e9907b37a8f99cb34ef190eed621704f10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\permissions.sqlite

Filesize
96KB

MD5
7c873d6830d1734e80e2f0def9af5327

SHA1
e795de3982a746a93115b289a3e17d2009ef7115

SHA256
b1bb8ac1c4e1d61dbaa8b7e5f4a52381e561522e50bac7c29a57db30ab662196

SHA512
e6ea1bb935ecadd42d9d8bb9450cd14773ff2939e371c97d6f0f9d38be24f31b20af47ddda8003b74aafc8e9b69135c6dd1e25f766f58f2ad3ef40a93279cd75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs-1.js

Filesize
6KB

MD5
21ae39e60b0aa1ec6f71548bfddc5fd2

SHA1
ad56897c0136fac222452e00461dddb94cc3308d

SHA256
2e9fc6140a5d30c2749c15fd5462252bef03c9c7e55846c26c910bdbceb7c601

SHA512
a5827bbd82533763bddf8754b57457bafa69acfed56d9edf3cd3f470a797537a4bdb9fcdcc680a536fbf14b4918c558b0fca169b36c711671809ac108074eed3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs-1.js

Filesize
7KB

MD5
14d684aa81e1f0f63cf229bee1e044da

SHA1
75cf510d536c35e24a0aa187c0dc96b0725e875c

SHA256
27f41b2d0ed44980574964e9742cebc0e8440aed6f78c1cadb49e8836204bd53

SHA512
e7f108318789a7a95553341de521163a131fccdfb4419f9c2504cfe679fcd9a7f7cfecf1125a37914c5174058aecc8f30c6b164536318ffc854bd91c106f678f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs-1.js

Filesize
7KB

MD5
8f248c677f236f109183fb3836f9e58d

SHA1
bb839ce2553da63ec1d7646292a12a34c1218f25

SHA256
145c5ed985ce57908cfdb08d4f9db0747b64edc0f1ea4ba2d354e6ce81ec4587

SHA512
5011209dde1ba190c9ac11498176c1849d006044c6b0ed7d34a60593f7027513cc7b71bad07c0eee3b43d1f94b07e0f567b8a4dd2eb231b64da8a8bcf3fe1a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs-1.js

Filesize
6KB

MD5
66daecd867055e4e1d347340f5054953

SHA1
d6bcc924727c85fcd88ec8bba850db0dae848e41

SHA256
29fd5bf18157fc7f097d1807952d14bbf8b085eac409270e7e62a0e94652e1c7

SHA512
e2a291ae2ddd214fee1d50876377f0e32bd3dd3d6514e98f889f3a257702f70334cc237bc9be7f4cd20adbf4018cab1e046eda7544479c5afc8dd149af236d51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs.js

Filesize
7KB

MD5
34b29fd4e1e534d5cc8a7fd2069e59f3

SHA1
50b662a5485ee22694fa946a7d8484bb0e2bf1cb

SHA256
78a4e95084a39e399bea779ca77cf1f576f4016e74c2f898621aca506af9e5e8

SHA512
53aec0e164fad12b8d0dc082882b2ed781bed39e347fcd174b14ecc68dc3104d740aba17b9d4e6f4d6fee1e0c55ebca4e64985d8a6b06875b0a9db3cddaab596

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs.js

Filesize
6KB

MD5
25bf3b2699d0a705b8757a0ff07be587

SHA1
2be5ad85ccdbff9e19a235c85b145419a058b89b

SHA256
9a6248164021cd959557468f62c6c32c2dae6bd94ba3275e129400596f953869

SHA512
dcd0807a59fed8bef0ccc6cd72c4abb3dda92aaae95851a63ab581d81e93d17426797b5cdfdbb01aff1360863abbf99fe8d91f098286b0a6051f11a816e61cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs.js

Filesize
7KB

MD5
299392dc394443bf336c7f45f1484d81

SHA1
1801f837bdfdbce75b6ecc116b28852382593786

SHA256
1284e59859111eccfa00f12d0a825902b55142520f0a10e004413f1599df577e

SHA512
bc213f02ed260048aa3c685e979816139eaa82da3651cf865bf6c6c5797a1002a16f1d0770931b3267ff817b0439e18edd20e5cfbdd1e3807f7e11c59dce03cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\prefs.js

Filesize
7KB

MD5
16c93c509d60f6c0be2e133fdf053aad

SHA1
7a199db6dc839b4710abcc4fce6709ccb4049927

SHA256
c3c93f82117fb6465897ae9d1fdaec6c3a8bfb164fb3e77d3bb216649a7caea3

SHA512
6cbcee8599ac88e45aa1a01c66ca2008ec8ca6e91d08d1df1dc4ef487c3dc29894571f267c144b4d5208d71b3f6db9f4a29da994ae773ad760170f51e4e034f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
87e97375d8564a07bb915d07715433bd

SHA1
797674769e300ad9d39420247bb9c642db947bc8

SHA256
17ee260e059bf915c2a7416831ba1ee4d9e27f0772877c32c2ec5fafe3961c6a

SHA512
0ac5b617979f8071136b20849f9f2c01824db620b48ca461a6326e37e309850ac87041be600afd123bac71a7e16fe41a72c8f79be85ebbbe90e2fcf7b965548d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
38de9b95762100660205782fd5cafdf9

SHA1
cb19ca884f30ddea3905815593c6bcd7ec767226

SHA256
2fe334e69935c53daa3e14d635a538e883ec674c25c991948a3958da099623ff

SHA512
e05958a20c5fee831691e86ce9b51f2cfea217f980113a282c3f783ee4a086eb6f4f9e7cfe1d9218faebf528f9a8ed9410234c45f084ad65fedd3c67132ff0c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
99a5bf71962315b83584a846dfeb7571

SHA1
03c162c44bd50d66963dfaaec067062ac1bf9136

SHA256
9d8437a9a67a1f88efed459b769031567831627baa5ebeee17c07d496dbe29dd

SHA512
c72b137f9f26ae8f51816cc325cb1e306d1f3bf4a034b93f116870fb026e548640f51021eeb8aff80b495a5651d025372822fce398ec19f35ff74bb38bc509e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore.jsonlz4

Filesize
6KB

MD5
80bdb2ff93b542e0eeb3c72a8c60996d

SHA1
07e8ef53b8085cf2bf0c14aaaa0e96e4ef6911c5

SHA256
b9d244970c9aa11ade1eab699f8901630320b3cdb06e088a88d153a28aa10b73

SHA512
056c8533d9afd9e713819796fc2d097fa5f2b5760f7131dfa695f2a75e7e7bc4e4bbdf98d6e17fc7249f6dcf2a8a9582189f95570c0bad4a7f77b5870621a9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore.jsonlz4

Filesize
6KB

MD5
80bdb2ff93b542e0eeb3c72a8c60996d

SHA1
07e8ef53b8085cf2bf0c14aaaa0e96e4ef6911c5

SHA256
b9d244970c9aa11ade1eab699f8901630320b3cdb06e088a88d153a28aa10b73

SHA512
056c8533d9afd9e713819796fc2d097fa5f2b5760f7131dfa695f2a75e7e7bc4e4bbdf98d6e17fc7249f6dcf2a8a9582189f95570c0bad4a7f77b5870621a9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\sessionstore.jsonlz4

Filesize
896B

MD5
ad707500ef3d1db92ff0562cf166762b

SHA1
498dfc261a82b355d45eb776ac9ce3142a7029fd

SHA256
710f549366290b0abd55153413f01b0b03a1d0daf4c3a5f28773ae08fc93fd05

SHA512
630b3d96adf84404b3a2923f265b1626696b405c7d6c762b237157e3fb59cf3f67961a9e58eb982c489944d4a16e8f076248ef14e0d8618848f2c27fd9e3e2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\storage.sqlite

Filesize
4KB

MD5
176f98bad06d6d65ef4e01e323a864e0

SHA1
31887a3d65f2e7fa7fd9b650af31963ea940ff23

SHA256
0d51c79e2b7f774d5dbf7d76dea8e802cb052727c1d3d71b8e247ee5a78004ab

SHA512
2bcfd4158f3f2ed8de028c1167d76d2fe64e3b587c7f21dc1396318a11780fd70868791588f4adc8e2665aca9ed396c706988388b56a8f844efd0edcce861609

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
785550040f09864f96c94999c8617957

SHA1
2b8a181eb428f69c996d0f99f53090dd67ef7ea0

SHA256
7cf75890c8e413bb69adbda365f814c909f5e45b92b816541fe99b17da555da6

SHA512
dd2c659a350bcd4ba6896249765d84140005ba54f1712305d613702991b05d620605cf9bcb90ec819cc7bb0554940c7cde04a6c06f4994e26e51dce97c989ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
cb708d7bf5a12dbecbfb1dc395c364aa

SHA1
4ceac91f35a78a7ef6536b78ca1cf051d6f155ae

SHA256
e7e62a990ba08f193b65f52c9f99b1a9d92ea5fc62e9ee5fa7516256e5a3e11e

SHA512
ee0150adb048be06fb6359dbff59d6360c225c67333f13e92121b9d8904431902457059ba52ab3e08983a1aac1e42cd06b1ad40a0855d172e1aa26c37c034b7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\16tg48g1.default-release\xulstore.json

Filesize
217B

MD5
58e240288763218d12bf235d34e5aee2

SHA1
89135494b57f590011c09668dec3b90d2c5ee9ae

SHA256
615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176

SHA512
caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt.Qy3s7hAs.zip.part

Filesize
21.7MB

MD5
1118549e87cbad92e6959506172d8c5d

SHA1
a5598c8355d03dc1ed03b0f7842d478d6a9e17fe

SHA256
54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

SHA512
029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt.zip

Filesize
21.7MB

MD5
1118549e87cbad92e6959506172d8c5d

SHA1
a5598c8355d03dc1ed03b0f7842d478d6a9e17fe

SHA256
54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

SHA512
029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\build.exe

Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\build.exe

Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe.config

Filesize
186B

MD5
9070d769fd43fb9def7e9954fba4c033

SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f

SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Loader\Redline-crack-by-rzt - Shortcut.lnk

Filesize
1KB

MD5
a601b8c047bcadf5d4f0a1f59497693e

SHA1
8393e6f8c965ae802127958f7e9f8c3eb016d5a1

SHA256
c5af030b6d05528c17207ee392580be7f4763f708d0cee3f17ddb257ae6d2cae

SHA512
e6d203faedeef8571c6c59e1d6096a220f830ac4b0d1551cb1669f48a05ef80d596cda77864ed574afd534df68a4600a3afeee9b2343b32ab96b838fe9d70935

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
214KB

MD5
64ca65db83785ad47410c71d1e03fbf0

SHA1
5027473b5023be93993a9727640fbd5d23849d84

SHA256
eb0700d5d227af1437653658afa322a2d4f75634c6f0106154e9060151aaa6c7

SHA512
60fd12ea97f41520b4bad3de7004b08cd84c4b1bc4155cd23f08b412b4782072d859077aed4febe3a6adfacca7c728bb92f24dd60179ced6c00728038f783d78

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
\Users\Admin\Downloads\Redline-crack-by-rzt\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/2632-1183-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2632-1251-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/2632-1168-0x00007FF9C71B0000-0x00007FF9C7B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-1170-0x000000001AC80000-0x000000001AE20000-memory.dmp

Filesize
1.6MB

Download
memory/2632-1171-0x000000001AC80000-0x000000001AE20000-memory.dmp

Filesize
1.6MB

Download
memory/2632-1173-0x000000001AC80000-0x000000001AE20000-memory.dmp

Filesize
1.6MB

Download
memory/2632-1191-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2632-1185-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2632-1195-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2632-1198-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2632-1207-0x000000001DC20000-0x000000001DD62000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1210-0x000000001DC20000-0x000000001DD62000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1219-0x000000001DC20000-0x000000001DD62000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1227-0x000000001DD70000-0x000000001DEB2000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1258-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/2632-1260-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/2632-1253-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/3120-972-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/3120-988-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/3120-977-0x0000000005640000-0x00000000059A2000-memory.dmp

Filesize
3.4MB

Download
memory/3120-983-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3120-985-0x00000000059B0000-0x0000000005B2A000-memory.dmp

Filesize
1.5MB

Download
memory/3120-984-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/4516-122-0x0000000000400000-0x0000000001470000-memory.dmp

Filesize
16.4MB

Download
memory/4724-176-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4724-184-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4724-181-0x0000000006050000-0x000000000654E000-memory.dmp

Filesize
5.0MB

Download
memory/4724-180-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/4724-272-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4724-273-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/4724-179-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/4724-178-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4856-332-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/4856-274-0x0000000000AA0000-0x0000000000EDC000-memory.dmp

Filesize
4.2MB

Download
memory/4856-276-0x0000000000AA0000-0x0000000000EDC000-memory.dmp

Filesize
4.2MB

Download
memory/4856-277-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4856-304-0x0000000000AA0000-0x0000000000EDC000-memory.dmp

Filesize
4.2MB

Download
memory/4856-326-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/4856-270-0x0000000000AA0000-0x0000000000EDC000-memory.dmp

Filesize
4.2MB

Download
memory/4856-327-0x0000000000AA0000-0x0000000000EDC000-memory.dmp

Filesize
4.2MB

Download
memory/4856-275-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/4984-1033-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4984-1034-0x0000000005E00000-0x0000000005E0A000-memory.dmp

Filesize
40KB

Download
memory/4984-1024-0x0000000000D60000-0x0000000000D88000-memory.dmp

Filesize
160KB

Download
memory/4984-1029-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/4984-1039-0x0000000007450000-0x00000000074AE000-memory.dmp

Filesize
376KB

Download
memory/4984-1040-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4984-1031-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4984-1032-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/4984-1043-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/5632-978-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/5632-986-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/5632-991-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/5632-990-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/5632-992-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/5632-987-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/6332-1011-0x00000000054A0000-0x00000000054DE000-memory.dmp

Filesize
248KB

Download
memory/6332-1018-0x00000000066E0000-0x0000000006730000-memory.dmp

Filesize
320KB

Download
memory/6332-996-0x0000000000AA0000-0x0000000000AC4000-memory.dmp

Filesize
144KB

Download
memory/6332-1035-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/6332-1002-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/6332-1001-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/6332-1012-0x0000000005550000-0x00000000055B4000-memory.dmp

Filesize
400KB

Download
memory/6332-1013-0x0000000005D50000-0x0000000005FDC000-memory.dmp

Filesize
2.5MB

Download
memory/6332-1030-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/6332-1014-0x0000000005BC0000-0x0000000005C0B000-memory.dmp

Filesize
300KB

Download
memory/6332-1007-0x0000000005310000-0x0000000005336000-memory.dmp

Filesize
152KB

Download
memory/6332-1015-0x0000000005FE0000-0x00000000060AE000-memory.dmp

Filesize
824KB

Download
memory/6332-1016-0x00000000067F0000-0x00000000068FA000-memory.dmp

Filesize
1.0MB

Download
memory/6332-1008-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/6332-1017-0x0000000005CA0000-0x0000000005CC8000-memory.dmp

Filesize
160KB

Download
memory/6332-1009-0x00000000060D0000-0x00000000066D6000-memory.dmp

Filesize
6.0MB

Download
memory/6332-1010-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/6332-1020-0x0000000006760000-0x0000000006790000-memory.dmp

Filesize
192KB

Download
memory/6332-1019-0x0000000006A10000-0x0000000006B12000-memory.dmp

Filesize
1.0MB

Download
memory/6332-1003-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/7084-964-0x0000000006BF0000-0x0000000007200000-memory.dmp

Filesize
6.1MB

Download
memory/7084-963-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/7084-962-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/7084-961-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/7084-960-0x0000000000E30000-0x0000000001066000-memory.dmp

Filesize
2.2MB

Download
memory/7084-967-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download