Malware Analysis Report

2024-09-11 08:57

Sample ID 240524-j649zaba42
Target https://github.com/RZM-CRACK-TEAM/RedLine-CRACK/raw/main/Redline-crack-by-rzt.zip
Tags
dcrat redline sectoprat cheat infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/RZM-CRACK-TEAM/RedLine-CRACK/raw/main/Redline-crack-by-rzt.zip was found to be: Known bad.

Malicious Activity Summary

dcrat redline sectoprat cheat infostealer rat trojan

Process spawned unexpected child process

RedLine payload

DcRat

SectopRAT

SectopRAT payload

RedLine

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-24 08:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 08:17

Reported

2024-05-24 08:20

Platform

win10v2004-20240426-en

Max time kernel

157s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/RZM-CRACK-TEAM/RedLine-CRACK/raw/main/Redline-crack-by-rzt.zip

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Mail\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Multimedia Platform\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files (x86)\Windows Mail\1c7346099e1d63 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Defender\en-US\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\csrss.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files (x86)\Windows Mail\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Defender\en-US\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellComponents\61a52ddc9dd915 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\de-DE\conhost.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v1.0.3705\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\en-US\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
File created C:\Windows\rescache\_merged\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\Speech\Common\fr-FR\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\ja-JP\conhost.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\ja-JP\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\ShellComponents\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\ShellComponents\msedge.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\ShellComponents\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
File created C:\Windows\de-DE\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
File created C:\Windows\en-US\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\msedge.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Panel.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe N/A
N/A N/A C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe N/A
N/A N/A C:\Recovery\WindowsRE\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 2544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 2544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 3016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 548 wrote to memory of 4940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/RZM-CRACK-TEAM/RedLine-CRACK/raw/main/Redline-crack-by-rzt.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1ce946f8,0x7ffe1ce94708,0x7ffe1ce94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

"C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"

C:\Users\Admin\AppData\Local\Temp\Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Panel.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11088378885339667876,6191666955077460662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4068 /prefetch:2

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe

"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellComponents\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ShellComponents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helperi" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\identity_helper.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\identity_helper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helperi" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\identity_helper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "buildb" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\build.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "build" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\build.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "buildb" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\build.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\ShellComponents\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GLJorTTfY3.bat"

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\msedge.exe

"C:\Recovery\WindowsRE\msedge.exe"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\32d82ed33dbd438ca88f51eaa1754302 /t 2068 /p 5044

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.104:443 www.bing.com tcp
US 8.8.8.8:53 104.196.17.2.in-addr.arpa udp
BE 2.17.196.104:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:1337 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
US 8.8.8.8:53 a0682132.xsph.ru udp
RU 141.8.197.42:80 a0682132.xsph.ru tcp
RU 141.8.197.42:80 a0682132.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4dc6fc5e708279a3310fe55d9c44743d
SHA1 a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256 a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA512 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

\??\pipe\LOCAL\crashpad_548_EMCBJZUCPHJESFSD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c9c4c494f8fba32d95ba2125f00586a3
SHA1 8a600205528aef7953144f1cf6f7a5115e3611de
SHA256 a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA512 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 43ee7fda0238b4bf472ac8497bb4f0f6
SHA1 403872372220c002bdb5602c30e10b7b1c3044d9
SHA256 b94a3de2a7efdb6ac45efdb4c162b25f39bbe2cb948cfd879cf5b719b970b013
SHA512 bf10fc42f9628d88d60fe718c0788aa34e41d052836b98a4894c908a32e3c34033543061bfe5b46567fe2f7ce913469fb9b8939c554590ed7ad7a9c0d5e2ae60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\Downloads\Unconfirmed 131418.crdownload

MD5 1118549e87cbad92e6959506172d8c5d
SHA1 a5598c8355d03dc1ed03b0f7842d478d6a9e17fe
SHA256 54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f
SHA512 029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41d1c3ca6f8265e2a4d1593d19fa2205
SHA1 19fdab53b992fd9b2dd42ec14a1da5bc484b2955
SHA256 a53726e5512f3c7f1d18fef4bc04cd1a1c5ad834393eadd470fbb60c20566400
SHA512 0db4c727a32ef382e252d654b16cdf47899931e6fda16220e95a3fcbebaaa040c022900a8a48de55c3cc3edbc2f746412f210b2ac161d54a86af3bd1c66cd3f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 837b1c70366a2c8a211906e92b51c13f
SHA1 072f4d2438f42a9863f33fb3c4228db4750547c6
SHA256 6b1c8efe818b13f1d0b4179143f461f98fd4583bb60237d6bfb38ed54853d212
SHA512 6651b516bbf2cd3ce48e85f158d1673f3abde34b3a7f282dc9a3d32cb99ae8fd12cfb15d871aaa04cf9ee4778c1ae0d7ac6de826a1f3438de02855596cfb6887

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 46911814c026d171bc28042963ae0bbb
SHA1 0e744da2ccce964374930327a7895d53210f4386
SHA256 0bb20565dfd522a42420a953b72631f14ffdb8cba7995c1356bdf0d7d5faab3d
SHA512 7074f975cb3b6f90f7cf7848137e6152c6e52bfe181d86e53b027793f774bf8e70caeec67a3d64293d7d282c99122f248a7f9017a3b5857358f752a49edb4f12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9fb333e6bbde927d6c275c7e4595da10
SHA1 79f54bdf73d3322d3a563af42493a91830395dae
SHA256 9a6959a0a91a8b2e74adf9cf7364f9a4aee036809af07822fbb895a502fe91c9
SHA512 a39f4c6e4771f714ade2318336498745b3d05b1fb05f687443ffe276e759730094825500de819d5bc608c6cd92238c7b9f474043bb36761544cc5b0e08c93f42

memory/2660-120-0x00000000006D0000-0x0000000000906000-memory.dmp

memory/2660-121-0x0000000007800000-0x0000000007E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Loader.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/5508-130-0x00000000057B0000-0x0000000005B12000-memory.dmp

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

MD5 059d51f43f1a774bc5aa76d19c614670
SHA1 171329bf0f48190cf4d59ce106b139e63507457d
SHA256 2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d
SHA512 a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

memory/5508-131-0x0000000005B20000-0x0000000005C9C000-memory.dmp

memory/380-142-0x0000000000890000-0x00000000008B4000-memory.dmp

memory/380-148-0x0000000005160000-0x0000000005186000-memory.dmp

memory/380-149-0x0000000005F60000-0x0000000006578000-memory.dmp

memory/380-150-0x0000000005240000-0x0000000005252000-memory.dmp

memory/380-151-0x00000000052F0000-0x000000000532C000-memory.dmp

memory/380-152-0x00000000053A0000-0x0000000005406000-memory.dmp

memory/380-153-0x0000000005BD0000-0x0000000005E56000-memory.dmp

memory/380-154-0x0000000005940000-0x000000000598C000-memory.dmp

memory/380-155-0x0000000005A60000-0x0000000005B2E000-memory.dmp

memory/380-156-0x0000000006690000-0x000000000679A000-memory.dmp

memory/380-157-0x00000000059F0000-0x0000000005A18000-memory.dmp

memory/380-158-0x0000000005B80000-0x0000000005BD0000-memory.dmp

memory/380-159-0x0000000006580000-0x0000000006680000-memory.dmp

memory/380-160-0x00000000067D0000-0x0000000006800000-memory.dmp

memory/6044-169-0x0000000000750000-0x0000000000778000-memory.dmp

memory/6044-174-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/6044-175-0x00000000051E0000-0x0000000005272000-memory.dmp

memory/6044-176-0x00000000052C0000-0x00000000052CA000-memory.dmp

memory/6044-177-0x0000000007030000-0x000000000708E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2c2e6472d05e3832905f0ad4a04d21c3
SHA1 007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA512 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe

MD5 ca8b99c9d67aee4b846581461ec6bb2b
SHA1 7c0fd208b99bc69aaf003693aeafbe73cde4658f
SHA256 d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a
SHA512 027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

memory/5188-204-0x0000000000850000-0x000000000086E000-memory.dmp

memory/1084-230-0x0000000000400000-0x0000000001470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

MD5 fcbf03d90d4e9ce80f575452266e71d1
SHA1 1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7
SHA256 2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73
SHA512 9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

memory/3636-293-0x00000000002A0000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Panel.exe

MD5 f4e19b67ef27af1434151a512860574e
SHA1 56304fc2729974124341e697f3b21c84a8dd242a
SHA256 c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
SHA512 a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

memory/3636-303-0x00000000002A0000-0x00000000006DC000-memory.dmp

memory/1664-304-0x00007FFE08400000-0x00007FFE08EC1000-memory.dmp

memory/1664-312-0x000000001ACD0000-0x000000001AE70000-memory.dmp

memory/1664-311-0x000000001ACD0000-0x000000001AE70000-memory.dmp

memory/1664-328-0x0000000180000000-0x0000000180005000-memory.dmp

memory/1664-326-0x0000000180000000-0x0000000180005000-memory.dmp

memory/1664-345-0x000000001DE30000-0x000000001DF72000-memory.dmp

memory/3636-361-0x00000000073B0000-0x0000000007416000-memory.dmp

memory/1664-337-0x000000001DA60000-0x000000001DBA2000-memory.dmp

memory/1664-375-0x000000001DB70000-0x000000001DB7A000-memory.dmp

memory/1664-381-0x000000001E4F0000-0x000000001E852000-memory.dmp

memory/1664-383-0x000000001F010000-0x000000001F0A2000-memory.dmp

memory/1664-404-0x000000001F2B0000-0x000000001F2CC000-memory.dmp

memory/1664-382-0x000000001E860000-0x000000001EE04000-memory.dmp

memory/1664-367-0x000000001DB60000-0x000000001DB6A000-memory.dmp

memory/1664-365-0x000000001DB60000-0x000000001DB6A000-memory.dmp

memory/1664-363-0x000000001DB60000-0x000000001DB6A000-memory.dmp

memory/1664-415-0x000000001F2D0000-0x000000001F44C000-memory.dmp

memory/1664-362-0x000000001DB60000-0x000000001DB6A000-memory.dmp

memory/1664-333-0x000000001DA60000-0x000000001DBA2000-memory.dmp

memory/1664-332-0x000000001DA60000-0x000000001DBA2000-memory.dmp

memory/1664-324-0x0000000180000000-0x0000000180005000-memory.dmp

memory/1664-322-0x0000000180000000-0x0000000180005000-memory.dmp

memory/1664-321-0x0000000180000000-0x0000000180005000-memory.dmp

memory/1664-310-0x000000001ACD0000-0x000000001AE70000-memory.dmp

memory/3636-2295-0x00000000002A0000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GLJorTTfY3.bat

MD5 ea51df10df47b3214f895c00c1ab1e5a
SHA1 ad8106fc546d6f7eee53dd62f94207fd901b6a9c
SHA256 d86b5c3bd3ea406c2db239b40c0a55bb9da5539161f9bbeda7ec748361e27420
SHA512 3bd071f95bd0b9e0abf5338eef389cb7969366b79471ea9466579379c4cd26ff1736221bab90c05634618bd9b92f3f141a9804c84bf638b672894d3f44f6a0c7

memory/5908-4211-0x000000001F870000-0x000000001F8D6000-memory.dmp

memory/5908-4212-0x000000001F8E0000-0x000000001FB66000-memory.dmp

memory/5908-4226-0x000000001FB90000-0x000000001FBAA000-memory.dmp

memory/5908-4227-0x000000001FE30000-0x0000000020448000-memory.dmp

memory/5908-4275-0x00000000206C0000-0x0000000020770000-memory.dmp

memory/5908-4245-0x0000000020570000-0x0000000020582000-memory.dmp

memory/5908-4231-0x000000001FE00000-0x000000001FE12000-memory.dmp

memory/5908-4230-0x000000001FDC0000-0x000000001FDFC000-memory.dmp

memory/5908-4229-0x0000000020450000-0x0000000020550000-memory.dmp

memory/5908-4260-0x00000000205D0000-0x000000002060A000-memory.dmp

memory/5248-4297-0x0000000000F60000-0x000000000139C000-memory.dmp

memory/5908-4312-0x0000000020DE0000-0x0000000020E54000-memory.dmp

memory/5248-4298-0x0000000000F60000-0x000000000139C000-memory.dmp

memory/5908-4328-0x0000000021B80000-0x0000000021BCA000-memory.dmp

memory/5908-4329-0x0000000021B30000-0x0000000021B80000-memory.dmp

memory/5248-4336-0x0000000000F60000-0x000000000139C000-memory.dmp

memory/5908-4337-0x0000000024840000-0x00000000248DC000-memory.dmp

memory/5908-4350-0x0000000021E40000-0x0000000021E8F000-memory.dmp

memory/5908-4351-0x0000000024B30000-0x0000000024C3A000-memory.dmp

memory/5908-4352-0x00000000249E0000-0x0000000024A10000-memory.dmp