Resubmissions
05/07/2024, 16:54  240705-vesbwavapf  score 10
05/07/2024, 16:49  240705-vb469ssamr  score 7
04/07/2024, 16:17  240704-trmrgs1eja  score 10  (this analysis)
04/07/2024, 16:14  240704-tpl26syfqj  score 7
04/07/2024, 16:11  240704-tmx2na1dne  score 10

Analysis
max time kernel: 392s
max time network: 393s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 16:17
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/SRT9tP
Resource
win10v2004-20240508-en
General
Target
https://gofile.io/d/SRT9tP
Malware Config
Extracted
family: redline
botnet: s6murai on telegram
C2: 178.40.160.213:3333
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource: behavioral1/memory/3600-80-0x0000000000400000-0x000000000041E000-memory.dmp  yara_rule: family_redline

SectopRAT payload 1 IoCs
resource: behavioral1/memory/3600-80-0x0000000000400000-0x000000000041E000-memory.dmp  yara_rule: family_sectoprat

Both family rules fired on the same dump: one region of PID 3600, the RegAsm.exe child that Panel.exe (PID 4440) hollowed (see the SetThreadContext and WriteProcessMemory entries below). No YARA hit is reported for Panel.exe itself, and the extracted configuration is a RedLine config, so the two hits describe one injected payload, not two.
Executes dropped EXE 3 IoCs
pid   Process
4440  Panel.exe
2828  Panel.exe
1960  Panel.exe
Adds Run key to start application 2 TTPs 3 IoCs
Set value (str)  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unkown = "C:\\Windows\\system32\\chome_exe\\CraxSMS Beta test.exe"  powershell.exe
The same value is written three times, once by each powershell.exe child (PIDs 1712, 2124, 4496). "Unkown" and "chome_exe" are the malware's own spellings; keep them verbatim in any detection built from this report.

Drops file in System32 directory 3 IoCs
File created                  C:\Windows\SysWOW64\chome_exe\CraxSMS Beta test.exe  Panel.exe
File opened for modification  C:\Windows\SysWOW64\chome_exe\CraxSMS Beta test.exe  Panel.exe
File opened for modification  C:\Windows\SysWOW64\chome_exe\CraxSMS Beta test.exe  Panel.exe

Note the path mismatch: the Run value points at C:\Windows\system32\chome_exe\..., but the file landed under C:\Windows\SysWOW64\chome_exe\.... Panel.exe and the powershell.exe it spawns are 32-bit (both run from SysWOW64 paths), so the WOW64 file system redirector mapped their System32 write to SysWOW64. When hunting for the dropped file, check both directories; a 64-bit process that reads the Run value resolves the literal System32 path.
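The persistence entry and the dropped file only line up once WOW64 redirection is taken into account. The following script is an added example (not the sandbox's code and not part of the sample) that parses event records constructed from this report's IoCs, applies the redirector's System32 to SysWOW64 mapping for 32-bit writers, and reports whether a Run value matches a dropped file literally or only through redirection. The 32-bit attribution is inferred from the SysWOW64 paths in the process tree; the exempt-subdirectory list follows Microsoft's File System Redirector documentation.

```python
"""Correlate a Run-key autostart value with dropped-file events across
WOW64 file-system redirection.

Added example for this report; not the sandbox's code and not part of
the sample. EVENTS is constructed from the report's IoCs (the value name
'Unkown' and directory 'chome_exe' are the malware's own spellings).
"""
import re

# System32 subdirectories the WOW64 redirector leaves alone.
_REDIRECT_EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc",
                    "logfiles", "spool")

_RUN_VALUE_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>\S+) = "(?P<data>.*)"$')
_FILE_EVENT_RE = re.compile(r"^File (?:created|opened for modification) (?P<path>.+)$")
_SYSTEM32_RE = re.compile(r"^(?P<root>[A-Za-z]:\\Windows\\)System32(?P<rest>\\.*)?$",
                          re.IGNORECASE)

# Constructed from the report: (image, pid, bitness, sandbox event text).
_RUN_EVENT = (r'Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000'
              r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unkown = '
              r'"C:\\Windows\\system32\\chome_exe\\CraxSMS Beta test.exe"')
_DROP = r"C:\Windows\SysWOW64\chome_exe\CraxSMS Beta test.exe"
EVENTS = [
    ("Panel.exe", 4440, 32, "File created " + _DROP),
    ("powershell.exe", 1712, 32, _RUN_EVENT),
    ("Panel.exe", 2828, 32, "File opened for modification " + _DROP),
    ("powershell.exe", 2124, 32, _RUN_EVENT),
    ("Panel.exe", 1960, 32, "File opened for modification " + _DROP),
    ("powershell.exe", 4496, 32, _RUN_EVENT),
]


def parse_run_value(event):
    """(value_name, target_path) from a 'Set value (str) ...\\Run\\X = "..."' line.
    The sandbox doubles backslashes inside the quoted data; undo that."""
    m = _RUN_VALUE_RE.search(event)
    if not m:
        return None
    data = m.group("data").replace("\\\\", "\\").strip('"')
    return m.group("name"), data


def wow64_redirect(path):
    """Path a 32-bit process on x64 Windows really touches when it names
    <drive>:\\Windows\\System32\\...: System32 becomes SysWOW64 unless the
    target sits in one of the exempt subdirectories."""
    m = _SYSTEM32_RE.match(path)
    if not m:
        return path
    rest = (m.group("rest") or "").lstrip("\\").lower()
    if any(rest == ex or rest.startswith(ex + "\\") for ex in _REDIRECT_EXEMPT):
        return path
    return m.group("root") + "SysWOW64" + (m.group("rest") or "")


def correlate(events):
    """One finding per Run value: the literal target, the redirected target a
    32-bit writer would have produced, and which dropped files match each."""
    drops = []
    for image, pid, _bits, text in events:
        fm = _FILE_EVENT_RE.match(text)
        if fm:
            drops.append((image, pid, fm.group("path")))
    findings = []
    for image, pid, bits, text in events:
        rv = parse_run_value(text)
        if rv is None:
            continue
        name, literal = rv
        redirected = wow64_redirect(literal) if bits == 32 else literal
        findings.append({
            "set_by": (image, pid),
            "value_name": name,
            "literal_path": literal,
            "redirected_path": redirected,
            "dropped_at_literal": sorted({(i, p) for i, p, d in drops
                                          if d.lower() == literal.lower()}),
            "dropped_at_redirected": sorted({(i, p) for i, p, d in drops
                                             if d.lower() == redirected.lower()}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f'{f["set_by"]} Run\\{f["value_name"]} -> {f["literal_path"]}')
        print(f'   literal match:    {f["dropped_at_literal"]}')
        print(f'   redirected match: {f["dropped_at_redirected"]} via {f["redirected_path"]}')
```

For this report the literal path matches nothing while the redirected path matches all three Panel.exe drops, which is exactly the mismatch a naive "Run value target exists on disk" check would miss.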
Suspicious use of SetThreadContext 3 IoCs
source PID  Process    target PID  procid_target
4440        Panel.exe  3600        124
2828        Panel.exe  2760        128
1960        Panel.exe  1340        135
Drops file in Program Files directory 31 IoCs
All 31 entries are "File opened for modification" by msedge.exe, specifically the utility process PID 2876 (--utility-sub-type=chrome.mojom.FileUtilService) handling the downloaded archive; none come from the sample. Read them as a listing of the "Redline Crack" archive contents. Common prefix: C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Redline Crack\
ReadMe.txt
Kurome.Builder\Kurome.Builder.exe
Kurome.Builder\Kurome.Builder.exe.config
Kurome.Builder\Kurome.Builder.pdb
Kurome.Builder\stub.dll
Kurome.Builder\Mono.Cecil.dll
Kurome.Builder\Mono.Cecil.pdb
Kurome.Builder\Mono.Cecil.Mdb.dll
Kurome.Builder\Mono.Cecil.Mdb.pdb
Kurome.Builder\Mono.Cecil.Pdb.dll
Kurome.Builder\Mono.Cecil.Pdb.pdb
Kurome.Builder\Mono.Cecil.Rocks.dll
Kurome.Builder\Mono.Cecil.Rocks.pdb
Kurome.Host\Kurome.Host.exe
Kurome.Host\Kurome.Host.exe.config
Kurome.Host\Kurome.WCF.dll
Kurome.Host\Kurome.WCF.dll.config
Kurome.Loader\Kurome.Loader.exe
Kurome.Loader\Kurome.Loader.exe.config
Panel\RedLine_20_2\FAQ (English).docx
Panel\RedLine_20_2\FAQ(RUS).docx
Panel\RedLine_20_2\FAQ.txt
Panel\RedLine_20_2\Panel\Panel.exe
Panel\RedLine_20_2\Panel\Panel.exe.config
Panel\RedLine_20_2\Panel\chromeBrowsers.txt
Panel\RedLine_20_2\Panel\geckoBrowsers.txt
Panel\RedLine_20_2\Panel\serviceSettings.json
Panel\RedLine_20_2\Panel\telegramChatsSettings.json
Panel\RedLine_20_2\Tools\Chrome.exe
Panel\RedLine_20_2\Tools\NetFramework48.exe
Panel\RedLine_20_2\Tools\WinRar.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
All three reads come from taskmgr.exe (PID 4856), the Task Manager instance started during the run, and are consistent with it populating disk names for its Performance view. None are attributed to Panel.exe or the hollowed RegAsm.exe, so this signature is not evidence of sandbox evasion by the sample.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process          (repeated entries collapsed; the list is capped at 64)
1712  powershell.exe   ×3
2124  powershell.exe   ×3
4856  taskmgr.exe      all remaining entries
1960  Panel.exe        ×2
4496  powershell.exe   ×2
Suspicious use of AdjustPrivilegeToken 14 IoCs
Token                            pid   Process
SeRestorePrivilege               2764  7zG.exe
35                               2764  7zG.exe
SeSecurityPrivilege              2764  7zG.exe
SeSecurityPrivilege              2764  7zG.exe
SeDebugPrivilege                 1712  powershell.exe
SeDebugPrivilege                 3600  RegAsm.exe
SeDebugPrivilege                 2124  powershell.exe
SeDebugPrivilege                 2760  RegAsm.exe
SeDebugPrivilege                 4856  taskmgr.exe
SeSystemProfilePrivilege         4856  taskmgr.exe
SeCreateGlobalPrivilege          4856  taskmgr.exe
SeDebugPrivilege                 1960  Panel.exe
SeDebugPrivilege                 4496  powershell.exe
SeDebugPrivilege                 1340  RegAsm.exe
The SeDebugPrivilege enables in RegAsm.exe (PIDs 3600, 2760, 1340) belong to the injected payload: RegAsm.exe was started here with no arguments and has no legitimate need for that privilege. The 7zG.exe and taskmgr.exe entries are ordinary privilege use by those tools.
Suspicious use of FindShellTrayWindow 64 IoCs
2764 7zG.exe ×1; 4856 taskmgr.exe for all remaining entries (list capped at 64)

Suspicious use of SendNotifyMessage 64 IoCs
4856 taskmgr.exe, all 64 entries
Both signatures reflect ordinary shell/GUI activity of 7-Zip and Task Manager, which were launched during the run; no entry is attributed to Panel.exe or RegAsm.exe.
Suspicious use of WriteProcessMemory 36 IoCs
source PID (Process)  →  target PID (image from process tree, procid_target)   count
4440 Panel.exe  →  1712 powershell.exe (122)   3
4440 Panel.exe  →  3600 RegAsm.exe (124)       8
2828 Panel.exe  →  2124 powershell.exe (126)   3
2828 Panel.exe  →  2760 RegAsm.exe (128)       8
1960 Panel.exe  →  4496 powershell.exe (132)   3
1960 Panel.exe  →  4316 RegAsm.exe (134)       3
1960 Panel.exe  →  1340 RegAsm.exe (135)       8
Three writes into a freshly created child is the baseline seen for the powershell.exe children. The eight writes into each RegAsm.exe, paired with a SetThreadContext call on the same target, are the process-hollowing pattern. RegAsm.exe PID 4316 received only the baseline three writes, no SetThreadContext, and carries no other signature, so the third Panel.exe instance appears to have abandoned that child and hollowed PID 1340 instead.
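The SetThreadContext, WriteProcessMemory and YARA entries above only make sense together, so here is an added example (not the sandbox's code) that reconstructs the injection chains from lines constructed to match this report's entries. It counts writes per source/target pair, flags a pair as hollowed only when writes are followed by a thread-context replacement, and attaches any YARA-flagged memory region of the target. The pid-to-image map is taken from the process tree; reading the second field of a dump name as a per-process sequence number is an assumption about the naming scheme.

```python
"""Reconstruct process-hollowing chains from sandbox signature lines.

Added example for this report, not the sandbox's own code. SIGNATURE_LINES
and YARA_HITS are constructed from the report's entries; PROCESSES comes
from its process tree.
"""
import re
from collections import OrderedDict

PROCESSES = {4440: "Panel.exe", 2828: "Panel.exe", 1960: "Panel.exe",
             1712: "powershell.exe", 2124: "powershell.exe", 4496: "powershell.exe",
             3600: "RegAsm.exe", 2760: "RegAsm.exe", 4316: "RegAsm.exe", 1340: "RegAsm.exe"}

SIGNATURE_LINES = [
    "PID 4440 set thread context of 3600 4440 Panel.exe 124",
    "PID 2828 set thread context of 2760 2828 Panel.exe 128",
    "PID 1960 set thread context of 1340 1960 Panel.exe 135",
] + (["PID 4440 wrote to memory of 1712 4440 Panel.exe 122"] * 3
     + ["PID 4440 wrote to memory of 3600 4440 Panel.exe 124"] * 8
     + ["PID 2828 wrote to memory of 2124 2828 Panel.exe 126"] * 3
     + ["PID 2828 wrote to memory of 2760 2828 Panel.exe 128"] * 8
     + ["PID 1960 wrote to memory of 4496 1960 Panel.exe 132"] * 3
     + ["PID 1960 wrote to memory of 4316 1960 Panel.exe 134"] * 3
     + ["PID 1960 wrote to memory of 1340 1960 Panel.exe 135"] * 8)

YARA_HITS = [
    ("behavioral1/memory/3600-80-0x0000000000400000-0x000000000041E000-memory.dmp", "family_redline"),
    ("behavioral1/memory/3600-80-0x0000000000400000-0x000000000041E000-memory.dmp", "family_sectoprat"),
]

_INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) (?P<dst>\d+)\b")
# <pid>-<n>-0x<start>-0x<end>-memory.dmp; <n> treated as a sequence number (assumption).
_DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_injection_event(line):
    """('context' | 'write', source_pid, target_pid) or None."""
    m = _INJECT_RE.match(line)
    if not m:
        return None
    kind = "context" if m.group("kind").startswith("set thread") else "write"
    return kind, int(m.group("src")), int(m.group("dst"))


def parse_dump_name(name):
    """(pid, n, start, end) from a memory-dump resource name, or None."""
    m = _DUMP_RE.search(name)
    if not m:
        return None
    return (int(m.group("pid")), int(m.group("n")),
            int(m.group("start"), 16), int(m.group("end"), 16))


def reconstruct(processes, lines, yara_hits):
    """One record per (source, target) pair, in first-seen order."""
    pairs = OrderedDict()
    for line in lines:
        ev = parse_injection_event(line)
        if ev is None:
            continue
        kind, src, dst = ev
        rec = pairs.setdefault((src, dst), {
            "source": src, "target": dst,
            "source_image": processes.get(src, "?"), "target_image": processes.get(dst, "?"),
            "writes": 0, "context_set": False, "regions": []})
        if kind == "write":
            rec["writes"] += 1
        else:
            rec["context_set"] = True
    # Group YARA hits by flagged region so two rules on one dump give one region.
    regions = {}
    for name, family in yara_hits:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _n, start, end = parsed
        reg = regions.setdefault((pid, start, end),
                                 {"start": start, "end": end, "size": end - start, "families": []})
        if family not in reg["families"]:
            reg["families"].append(family)
    for rec in pairs.values():
        rec["regions"] = [r for (pid, _s, _e), r in regions.items() if pid == rec["target"]]
        # Writes alone also occur during ordinary process start; hollowing is
        # writes into the child plus replacement of its thread context.
        rec["hollowed"] = rec["writes"] > 0 and rec["context_set"]
    return list(pairs.values())


if __name__ == "__main__":
    for r in reconstruct(PROCESSES, SIGNATURE_LINES, YARA_HITS):
        tag = "HOLLOWED" if r["hollowed"] else "writes only"
        print(f'{r["source_image"]}({r["source"]}) -> {r["target_image"]}({r["target"]}): '
              f'{r["writes"]} writes, context_set={r["context_set"]} [{tag}]')
        for reg in r["regions"]:
            print(f'    region 0x{reg["start"]:X}-0x{reg["end"]:X} '
                  f'size=0x{reg["size"]:X} families={reg["families"]}')
```

Run against this report's entries it flags three hollowed RegAsm.exe children (3600, 2760, 1340), leaves 4316 as "writes only", and attaches a single 0x1E000-byte region at 0x400000 to PID 3600, a size and base consistent with a 32-bit PE mapped at the default image base rather than a bare shellcode blob.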
Processes
(top-level entries are listed as "PID n"; children are indented under their parent)

PID 1504  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/SRT9tP

PID 2892  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4108,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:1

PID 456  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3680,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:1

PID 4752  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4916,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1

PID 2300  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8

PID 2424  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5460,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8

PID 4000  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5900,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:1

PID 1236  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6028,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:1

PID 5100  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8

PID 4632  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6204,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:1

PID 4048  C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 5076  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5784,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8

PID 1248  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6264,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1

PID 2636  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6920,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1

PID 5088  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7124,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1

PID 2876  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6540,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:8
  - Drops file in Program Files directory

PID 3372  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4148,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=7340 /prefetch:8

PID 2764  C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Redline Crack\" -ad -an -ai#7zMap27787:88:7zEvent7086
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 3088  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5816,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:8

PID 4440  C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe
  cmd: "C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 1712  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (child of 4440)
      cmd: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown' -Value '"C:\Windows\system32\chome_exe\CraxSMS Beta test.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3600  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (child of 4440)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken

PID 2828  C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe
  cmd: "C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 2124  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (child of 2828)
      cmd: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown' -Value '"C:\Windows\system32\chome_exe\CraxSMS Beta test.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 2760  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (child of 2828)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken

PID 4856  C:\Windows\system32\taskmgr.exe
  cmd: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

PID 1960  C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe
  cmd: "C:\Users\Admin\Downloads\Redline Crack\Redline Crack\Panel\RedLine_20_2\Panel\Panel.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    PID 4496  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (child of 1960)
      cmd: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Unkown' -Value '"C:\Windows\system32\chome_exe\CraxSMS Beta test.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 4316  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (child of 1960)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID 1340  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (child of 1960)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the "Redline Crack" archive's Panel.exe is itself the dropper. Each run writes CraxSMS Beta test.exe under SysWOW64, registers it in the HKCU Run key through a 32-bit powershell.exe, and starts RegAsm.exe with no arguments purely as a host for the injected payload; a legitimate RegAsm.exe invocation always carries an assembly path, so an argument-less RegAsm.exe child of a non-.NET-SDK parent is a reliable hunting pivot on its own.
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize 1KB
MD5     b5291f3dcf2c13784e09a057f2e43d13
SHA1    fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
SHA256  ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
SHA512  11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Filesize 1KB
MD5     def65711d78669d7f8e69313be4acf2e
SHA1    6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256  aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512  05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Filesize 18KB
MD5     90a5b0dbffe7a2b64d0960fdb6f63227
SHA1    8866beea62c9cca51bd835f5e4186b4d41d1c805
SHA256  e1b333af6bfb5d89a343b3cbd14ff6e8a32bf923766ef31e25df0b063718f8cd
SHA512  6bd89b21bdc42cabbe6531195db83a523acc20f1d684b4936aed06710da6ca6e11b64cb15ac10dfa4dfe5512aed852016eb2383cb1a60ea4b8b10b75f71c2119

Filesize 16KB
MD5     66a9ac496e85d2fcd9bedbe8da93ccc7
SHA1    ddf5ac6d9d8f33ff333aef113a3c48315bca6a9b
SHA256  961f1dff2562f3995a90d43927a839ccac29307daa32612da1cc677dd1b47bea
SHA512  f9f975bdece87501b3e3e4a3f49ab433a5daee3c046b41e4aff2748ae15f3cd285e056d7aafd235641d39de79c4ac506c56aef8d1f91b1c47c425c5912f40599

Filesize 60B
MD5     d17fe0a3f47be24a6453e9ef58c94641
SHA1    6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 181KB
MD5     d12407c805a128099e2ae7929ec81030
SHA1    d5de8f0adff0d33780d1307ddbaa08c210b21432
SHA256  74e5079e7eb3e39ecf0f0d2d48a119770100bfd44f7f776a12ec0c25ed5936b8
SHA512  bc67efe96ef236eec83dbfd6b5258f79c2e99e1454132f75e399fdcede06f4468e355d263c06c507f47dc0c7273b87e99fd142a1f6841d9c56ef318908f8bef1

Filesize 26KB
MD5     494890d393a5a8c54771186a87b0265e
SHA1    162fa5909c1c3f84d34bda5d3370a957fe58c9c8
SHA256  f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7
SHA512  40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395