dcrat | hxxps://github[.]com/RZM-CRACK-TEAM/RedLine-CRACK?tab=readme-ov-file

System Information Discovery

Processes:

Panel.exepanel.exePanel.exemssurrogateProvider_protected.exepanel.exepanel.exemssurrogateProvider_protected.exePanel.exemssurrogateProvider_protected.exePanel.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Panel.exe

Executes dropped EXE 17 IoCs

Processes:

panel.exemssurrogateProvider_protected.exePanel.exePanel.exeIdle.exeKurome.Loader.exeKurome.Host.exepanel.exemssurrogateProvider_protected.exePanel.exePanel.exepanel.exemssurrogateProvider_protected.exesysmon.exemssurrogateProvider_protected.exePanel.exePanel.exe

pid	process
2840	panel.exe
2636	mssurrogateProvider_protected.exe
1280	Panel.exe
5724	Panel.exe
5400	Idle.exe
6780	Kurome.Loader.exe
7140	Kurome.Host.exe
1480	panel.exe
6188	mssurrogateProvider_protected.exe
6436	Panel.exe
1764	Panel.exe
6248	panel.exe
4328	mssurrogateProvider_protected.exe
5948	sysmon.exe
6300	mssurrogateProvider_protected.exe
6464	Panel.exe
6852	Panel.exe

Loads dropped DLL 22 IoCs

Processes:

Kurome.Host.exemssurrogateProvider_protected.exemssurrogateProvider_protected.exesysmon.exemssurrogateProvider_protected.exe

pid	process
7140	Kurome.Host.exe
7140	Kurome.Host.exe
7140	Kurome.Host.exe
7140	Kurome.Host.exe
7140	Kurome.Host.exe
7140	Kurome.Host.exe
6188	mssurrogateProvider_protected.exe
6188	mssurrogateProvider_protected.exe
6188	mssurrogateProvider_protected.exe
6188	mssurrogateProvider_protected.exe
4328	mssurrogateProvider_protected.exe
4328	mssurrogateProvider_protected.exe
4328	mssurrogateProvider_protected.exe
4328	mssurrogateProvider_protected.exe
5948	sysmon.exe
5948	sysmon.exe
5948	sysmon.exe
5948	sysmon.exe
6300	mssurrogateProvider_protected.exe
6300	mssurrogateProvider_protected.exe
6300	mssurrogateProvider_protected.exe
6300	mssurrogateProvider_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

66 raw.githubusercontent.com
67 raw.githubusercontent.com

flow	ioc
66	raw.githubusercontent.com
67	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

mssurrogateProvider_protected.exePanel.exeIdle.exePanel.exe

pid	process
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
5400	Idle.exe
5400	Idle.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe

Drops file in Program Files directory 34 IoCs

Processes:

mssurrogateProvider_protected.exemssurrogateProvider_protected.exemssurrogateProvider_protected.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\winlogon.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088	mssurrogateProvider_protected.exe
File created	C:\Program Files\VideoLAN\Registry.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\66fc9ff0ee96c2	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Google\mssurrogateProvider_protected.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Mail\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\MSBuild\38384e6a620884	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\cc11b995f2a76d	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Adobe\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Adobe\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\Temp\121e5b5079f7c0	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	mssurrogateProvider_protected.exe
File created	C:\Program Files\VideoLAN\ee2ad38f3d4382	mssurrogateProvider_protected.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files\Google\61ed303a283eee	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\Temp\sysmon.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Mail\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\MSBuild\SearchApp.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files\Internet Explorer\de-DE\6ccacd8608530f	mssurrogateProvider_protected.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\Idle.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Internet Explorer\de-DE\Idle.exe	mssurrogateProvider_protected.exe

Drops file in Windows directory 15 IoCs

Processes:

mssurrogateProvider_protected.exeKurome.Loader.exemssurrogateProvider_protected.exemssurrogateProvider_protected.exe

description	ioc	process
File created	C:\Windows\Sun\Java\cd89ddd3d81b06	mssurrogateProvider_protected.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File created	C:\Windows\diagnostics\scheduled\mssurrogateProvider_protected.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\CSC\TrustedInstaller.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\ja-JP\65be3b505478f7	mssurrogateProvider_protected.exe
File created	C:\Windows\Containers\69ddcba757bf72	mssurrogateProvider_protected.exe
File created	C:\Windows\it-IT\Kurome.Host.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\it-IT\65be3b505478f7	mssurrogateProvider_protected.exe
File created	C:\Windows\ja-JP\Kurome.Host.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Fonts\29c1c3cc0f7685	mssurrogateProvider_protected.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Fonts\unsecapp.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Sun\Java\TiWorker.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\schemas\EAPMethods\explorer.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\PrintDialog\en-US\RuntimeBroker.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Containers\smss.exe	mssurrogateProvider_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 6 IoCs

Processes:

panel.exemssurrogateProvider_protected.exepanel.exemssurrogateProvider_protected.exepanel.exemssurrogateProvider_protected.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	mssurrogateProvider_protected.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

pid	process
4660	schtasks.exe
2536	schtasks.exe
3584	schtasks.exe
2140	schtasks.exe
5640	schtasks.exe
6424	schtasks.exe
216	schtasks.exe
5420	schtasks.exe
6728	schtasks.exe
6596	schtasks.exe
4068	schtasks.exe
3100	schtasks.exe
5124	schtasks.exe
5464	schtasks.exe
4076	schtasks.exe
4688	schtasks.exe
3152	schtasks.exe
2540	schtasks.exe
4584	schtasks.exe
2140	schtasks.exe
5760	schtasks.exe
1492	schtasks.exe
4044	schtasks.exe
5176	schtasks.exe
6600	schtasks.exe
5912	schtasks.exe
5772	schtasks.exe
840	schtasks.exe
4424	schtasks.exe
5328	schtasks.exe
1600	schtasks.exe
5516	schtasks.exe
6284	schtasks.exe
2096	schtasks.exe
460	schtasks.exe
1428	schtasks.exe
6356	schtasks.exe
6908	schtasks.exe
3476	schtasks.exe
6320	schtasks.exe
6752	schtasks.exe
6224	schtasks.exe
5420	schtasks.exe
6856	schtasks.exe
3316	schtasks.exe
5380	schtasks.exe
4572	schtasks.exe
5164	schtasks.exe
4544	schtasks.exe
3840	schtasks.exe
1696	schtasks.exe
4440	schtasks.exe
5288	schtasks.exe
6688	schtasks.exe
6596	schtasks.exe
5676	schtasks.exe
5752	schtasks.exe
816	schtasks.exe
4332	schtasks.exe
6892	schtasks.exe
6520	schtasks.exe
4116	schtasks.exe
888	schtasks.exe
2820	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3456 WINWORD.EXE
3456 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemssurrogateProvider_protected.exePanel.exePanel.exeIdle.exe

pid	process
3980	msedge.exe
3980	msedge.exe
4972	msedge.exe
4972	msedge.exe
1532	identity_helper.exe
1532	identity_helper.exe
4772	msedge.exe
4772	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
1280	Panel.exe
1280	Panel.exe
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
2636	mssurrogateProvider_protected.exe
2636	mssurrogateProvider_protected.exe
1280	Panel.exe
5724	Panel.exe
5724	Panel.exe
1280	Panel.exe
1280	Panel.exe
1280	Panel.exe
5724	Panel.exe
5724	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
5400	Idle.exe
5400	Idle.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
1280	Panel.exe
5724	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
1280	Panel.exe
5724	Panel.exe
5724	Panel.exe
1280	Panel.exe
1280	Panel.exe
5724	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4972 msedge.exe
4972 msedge.exe
4972 msedge.exe
4972 msedge.exe
4972 msedge.exe
4972 msedge.exe
4972 msedge.exe
4972 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exemssurrogateProvider_protected.exePanel.exePanel.exeIdle.exeKurome.Loader.exeKurome.Host.exe

description	pid	process
Token: SeRestorePrivilege	2272	7zG.exe
Token: 35	2272	7zG.exe
Token: SeSecurityPrivilege	2272	7zG.exe
Token: SeSecurityPrivilege	2272	7zG.exe
Token: SeDebugPrivilege	2636	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	1280	Panel.exe
Token: SeDebugPrivilege	5724	Panel.exe
Token: SeDebugPrivilege	5400	Idle.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: SeDebugPrivilege	6780	Kurome.Loader.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: SeDebugPrivilege	7140	Kurome.Host.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe
Token: 33	5724	Panel.exe
Token: SeIncBasePriorityPrivilege	5724	Panel.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXEmssurrogateProvider_protected.exeIdle.exemssurrogateProvider_protected.exemssurrogateProvider_protected.exesysmon.exemssurrogateProvider_protected.exe

pid	process
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
3456	WINWORD.EXE
2636	mssurrogateProvider_protected.exe
5400	Idle.exe
6188	mssurrogateProvider_protected.exe
4328	mssurrogateProvider_protected.exe
5948	sysmon.exe
6300	mssurrogateProvider_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4972 wrote to memory of 852	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 852	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3484	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3980	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 3980	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2932	4972	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/RZM-CRACK-TEAM/RedLine-CRACK?tab=readme-ov-file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e8a546f8,0x7ff8e8a54708,0x7ff8e8a54718
2⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
2⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3756 /prefetch:8
2⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
2⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5363281659044710732,14398008042921372359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Redline-crack-by-rzt\" -ad -an -ai#7zMap4123:102:7zEvent31737
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\FAQ.txt
1⤵
PID:4720

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\FAQ (English).docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2840

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
"C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Program Files\Internet Explorer\de-DE\Idle.exe
"C:\Program Files\Internet Explorer\de-DE\Idle.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\TiWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Windows\Sun\Java\TiWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\TiWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6780

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1480

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
"C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\33TFBivtVQ.bat"
3⤵
PID:6948

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:6288

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1532

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5948

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6436

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA8DRXuUVcvUCYJ9rHxkE7HQAAAAACAAAAAAAQZgAAAAEAACAAAAAsWXH9kivbFScWMIpPefv2vUepS7Wd6cwRrzuA7xirggAAAAAOgAAAAAIAACAAAADXneyDyugATLqwt3HAj6da0LGZdQaBBCez/XVPNl72PxAAAAChAdjBhevCRrC4D/yLTQTiQAAAAABwICEljVywORjxTcAFYDrhs9708MdDbFWgNiENZMY9wt3lWgJg/J5IagNi/jJQb+HnAlCZwcKBObhux7Hr7Qs=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA8DRXuUVcvUCYJ9rHxkE7HQAAAAACAAAAAAAQZgAAAAEAACAAAAAWyYomI3HuMxD4od0TldrhqAdqyOEME0aNda5pV4jPDAAAAAAOgAAAAAIAACAAAAClMAbUdVW5PcLcNsO7ubpY/IFjLzVBlfNMoWw4TFXnZRAAAAB9mz8CKnFFerSzHGOeRGS9QAAAAEbFSVffjdr4jSS6nIEeW7o3ZrH3sje9jXOkeFGq+EOT4szFkE6Aw8VhD5QV+WpKtNtZMTVIM308THXxZtGm0wU="
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6464

C:\Users\Admin\AppData\Local\Temp\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA8DRXuUVcvUCYJ9rHxkE7HQAAAAACAAAAAAAQZgAAAAEAACAAAAAsWXH9kivbFScWMIpPefv2vUepS7Wd6cwRrzuA7xirggAAAAAOgAAAAAIAACAAAADXneyDyugATLqwt3HAj6da0LGZdQaBBCez/XVPNl72PxAAAAChAdjBhevCRrC4D/yLTQTiQAAAAABwICEljVywORjxTcAFYDrhs9708MdDbFWgNiENZMY9wt3lWgJg/J5IagNi/jJQb+HnAlCZwcKBObhux7Hr7Qs=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA8DRXuUVcvUCYJ9rHxkE7HQAAAAACAAAAAAAQZgAAAAEAACAAAAAWyYomI3HuMxD4od0TldrhqAdqyOEME0aNda5pV4jPDAAAAAAOgAAAAAIAACAAAAClMAbUdVW5PcLcNsO7ubpY/IFjLzVBlfNMoWw4TFXnZRAAAAB9mz8CKnFFerSzHGOeRGS9QAAAAEbFSVffjdr4jSS6nIEeW7o3ZrH3sje9jXOkeFGq+EOT4szFkE6Aw8VhD5QV+WpKtNtZMTVIM308THXxZtGm0wU=" "--monitor"
5⤵
- Executes dropped EXE
PID:6852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\mssurrogateProvider_protected.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Program Files\Google\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:6816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:6996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
PID:6212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-1403246978-718555486-3105247137-1000\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-1403246978-718555486-3105247137-1000\msedge.exe'" /rl HIGHEST /f
1⤵
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-1403246978-718555486-3105247137-1000\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6248

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
"C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhqgU49729.bat"
3⤵
PID:5304

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1900

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
"C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /f
1⤵
PID:7120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
PID:7068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\Kurome.Host.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.Host" /sc ONLOGON /tr "'C:\Windows\it-IT\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\Kurome.Host.exe'" /f
1⤵
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.Host" /sc ONLOGON /tr "'C:\Windows\ja-JP\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Public\msedge.exe'" /f
1⤵
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Public\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Public\msedge.exe'" /rl HIGHEST /f
1⤵
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /f
1⤵
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /rl HIGHEST /f
1⤵
PID:6364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
PID:7012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Containers\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\smss.exe'" /rl HIGHEST /f
1⤵
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /f
1⤵
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Fonts\unsecapp.exe'" /f
1⤵
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Fonts\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Fonts\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Redline-crack-by-rzt\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\chromeBrowsers.txt
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery