dcrat | hxxps://github[.]com/RZM-CRACK-TEAM/RedLine-CRACK

Analysis

max time kernel
337s
max time network
337s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/10/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RZM-CRACK-TEAM/RedLine-CRACK

Score

10^/10

dcrat redline sectoprat cheat discovery infostealer persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5808	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5248	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1464	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5140	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6748	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6620	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6156	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6164	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6356	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6388	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7072	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6636	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6932	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6264	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6884	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6400	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7064	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5708	schtasks.exe	181
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6660	5708	schtasks.exe	181

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/3264-4476-0x000000001F0B0000-0x000000001F0CA000-memory.dmp	family_redline
behavioral1/memory/5936-5206-0x00000000009D0000-0x00000000009EE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/5936-5206-0x00000000009D0000-0x00000000009EE000-memory.dmp	family_sectoprat

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1812-371-0x0000000000600000-0x0000000000A3C000-memory.dmp	dcrat
behavioral1/memory/1812-372-0x0000000000600000-0x0000000000A3C000-memory.dmp	dcrat
behavioral1/memory/1812-2630-0x0000000000600000-0x0000000000A3C000-memory.dmp	dcrat
behavioral1/memory/2340-3419-0x0000000000AB0000-0x0000000000EEC000-memory.dmp	dcrat
behavioral1/memory/2340-3575-0x0000000000AB0000-0x0000000000EEC000-memory.dmp	dcrat
behavioral1/memory/2340-4577-0x0000000000AB0000-0x0000000000EEC000-memory.dmp	dcrat
behavioral1/memory/3336-5361-0x0000000000A70000-0x0000000000EAC000-memory.dmp	dcrat
behavioral1/memory/3336-5362-0x0000000000A70000-0x0000000000EAC000-memory.dmp	dcrat
behavioral1/memory/3336-9414-0x0000000000A70000-0x0000000000EAC000-memory.dmp	dcrat
behavioral1/memory/6352-9415-0x0000000000E50000-0x000000000128C000-memory.dmp	dcrat
behavioral1/memory/6352-9434-0x0000000000E50000-0x000000000128C000-memory.dmp	dcrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.59\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 45 IoCs

pid	Process
1812	mssurrogateProvider_protected.exe
4440	Panel.exe
3264	Panel.exe
2340	mssurrogateProvider_protected.exe
2324	GoogleUpdate.exe
236	GoogleUpdate.exe
2720	GoogleUpdate.exe
540	GoogleUpdateComRegisterShell64.exe
4784	GoogleUpdateComRegisterShell64.exe
4384	GoogleUpdateComRegisterShell64.exe
6000	GoogleUpdate.exe
2980	GoogleUpdate.exe
912	GoogleUpdate.exe
5140	130.0.6723.59_chrome_installer.exe
4576	setup.exe
5204	setup.exe
5124	setup.exe
5412	setup.exe
5884	GoogleUpdateOnDemand.exe
5740	GoogleUpdate.exe
5772	GoogleUpdate.exe
4180	chrome.exe
5964	chrome.exe
5316	chrome.exe
4780	chrome.exe
5380	chrome.exe
5768	chrome.exe
2304	chrome.exe
1396	elevation_service.exe
3364	chrome.exe
5248	chrome.exe
1044	chrome.exe
6104	chrome.exe
2696	chrome.exe
2340	chrome.exe
5936	build.exe
4724	chrome.exe
3952	chrome.exe
3336	mssurrogateProvider_protected.exe
3136	Panel.exe
6744	Panel.exe
6352	chrome.exe
5560	Panel.exe
4172	chrome.exe
4700	Panel.exe

Loads dropped DLL 64 IoCs

pid	Process
2324	GoogleUpdate.exe
236	GoogleUpdate.exe
2720	GoogleUpdate.exe
540	GoogleUpdateComRegisterShell64.exe
2720	GoogleUpdate.exe
4784	GoogleUpdateComRegisterShell64.exe
2720	GoogleUpdate.exe
4384	GoogleUpdateComRegisterShell64.exe
2720	GoogleUpdate.exe
2324	GoogleUpdate.exe
6000	GoogleUpdate.exe
2980	GoogleUpdate.exe
912	GoogleUpdate.exe
912	GoogleUpdate.exe
2980	GoogleUpdate.exe
5740	GoogleUpdate.exe
5772	GoogleUpdate.exe
5740	GoogleUpdate.exe
4180	chrome.exe
5964	chrome.exe
4180	chrome.exe
5316	chrome.exe
5316	chrome.exe
4780	chrome.exe
4780	chrome.exe
5380	chrome.exe
5316	chrome.exe
5316	chrome.exe
5316	chrome.exe
5380	chrome.exe
5316	chrome.exe
5316	chrome.exe
5316	chrome.exe
2304	chrome.exe
2304	chrome.exe
5768	chrome.exe
5768	chrome.exe
3364	chrome.exe
3364	chrome.exe
1044	chrome.exe
1044	chrome.exe
5248	chrome.exe
5248	chrome.exe
6104	chrome.exe
6104	chrome.exe
2696	chrome.exe
2696	chrome.exe
2340	chrome.exe
2340	chrome.exe
6024	Kurome.Loader.exe
6024	Kurome.Loader.exe
6024	Kurome.Loader.exe
6024	Kurome.Loader.exe
4396	Kurome.Host.exe
4396	Kurome.Host.exe
4396	Kurome.Host.exe
4396	Kurome.Host.exe
5936	build.exe
5936	build.exe
5936	build.exe
5936	build.exe
5736	Kurome.Builder.exe
5736	Kurome.Builder.exe
5736	Kurome.Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
35	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1812	mssurrogateProvider_protected.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
1812	mssurrogateProvider_protected.exe
2340	mssurrogateProvider_protected.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
3264	Panel.exe
2340	mssurrogateProvider_protected.exe
3336	mssurrogateProvider_protected.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\130.0.6723.59.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\pl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\7a73b78f679a6f	mssurrogateProvider_protected.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\sppsvc.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_hu.dll	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_it.dll	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_nl.dll	Chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\chrome.exe.sig	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_pl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_pt-PT.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleCrashHandler64.exe	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_nl.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\chrome.dll.sig	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleCrashHandler.exe	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\130.0.6723.59_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\CHROME.PACKED.7Z	130.0.6723.59_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\lt.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdate.exe	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_hi.dll	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_tr.dll	Chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateSetup.exe	Chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\os_update_handler.exe	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_iw.dll	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\SETUP.EX_	130.0.6723.59_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Windows Media Player\Visualizations\5b884080fd4f94	mssurrogateProvider_protected.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\gu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files (x86)\Windows Defender\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateComRegisterShell64.exe	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateCore.exe	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_bg.dll	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_sk.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\dxcompiler.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\elevation_service.exe	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdate.dll	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_bn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_ms.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_fi.dll	Chrome.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_sw.dll	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\goopdateres_ca.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4576_179473974\Chrome-bin\130.0.6723.59\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\GUM47FC.tmp\goopdateres_zh-TW.dll	Chrome.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\manifest.json	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\LICENSE	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\manifest.json	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\_metadata\verified_contents.json	chrome.exe
File created	C:\Windows\Sun\Java\886983d96e3d3e	mssurrogateProvider_protected.exe
File created	C:\Windows\SKB\8a93fb0283f0e4	mssurrogateProvider_protected.exe
File created	C:\Windows\es-ES\6ccacd8608530f	mssurrogateProvider_protected.exe
File created	C:\Windows\Fonts\7a73b78f679a6f	mssurrogateProvider_protected.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\Filtering Rules	chrome.exe
File created	C:\Windows\Sun\Java\csrss.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\SKB\Kurome.Loader.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Registration\CRMLog\7a0fd90576e088	mssurrogateProvider_protected.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\crl-set	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\_metadata\verified_contents.json	chrome.exe
File created	C:\Windows\fr-FR\7a73b78f679a6f	mssurrogateProvider_protected.exe
File created	C:\Windows\es-ES\Idle.exe	mssurrogateProvider_protected.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\LICENSE.txt	chrome.exe
File created	C:\Windows\ShellComponents\Registry.exe	mssurrogateProvider_protected.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\manifest.fingerprint	chrome.exe
File created	C:\Windows\ShellComponents\ee2ad38f3d4382	mssurrogateProvider_protected.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\manifest.fingerprint	chrome.exe
File created	C:\Windows\fr-FR\chrome.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Registration\CRMLog\explorer.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Fonts\chrome.exe	mssurrogateProvider_protected.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateOnDemand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6000	GoogleUpdate.exe
5772	GoogleUpdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Policy = "3"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppName = "GoogleUpdateWebPlugin.exe"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppPath = "C:\\Program Files (x86)\\Google\\Update\\1.3.34.11"	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Policy = "3"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppName = "GoogleUpdateBroker.exe"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppPath = "C:\\Program Files (x86)\\Google\\Update\\1.3.34.11"	GoogleUpdate.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133738550916359383"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\PROGID	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods\ = "24"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\ = "4"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LOCALSERVER32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID\ = "GoogleUpdate.Update3COMClassService"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ = "Google Update Core Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\ = "5"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.34.11\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\PROGID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ = "ICredentialDialog"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods\ = "11"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ = "CATID_AppContainerCompatible"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreClass\CLSID\ = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\ = "10"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.34.11\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID\ = "GoogleUpdate.Update3WebMachine.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CurVer\ = "GoogleUpdate.CredentialDialogMachine.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID\ = "GoogleUpdate.CredentialDialogMachine"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32\ = "{600FDFA3-1EA7-4792-9436-ABB5154A9EB2}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateSetup.exe\:Zone.Identifier:$DATA	Chrome.exe
File created	C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateSetup.exe\:Zone.Identifier:$DATA	GoogleUpdate.exe
File opened for modification	C:\Users\Admin\Downloads\Redline-crack-by-rzt.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5100	schtasks.exe
7004	schtasks.exe
6940	schtasks.exe
5560	schtasks.exe
412	schtasks.exe
2688	schtasks.exe
5248	schtasks.exe
5980	schtasks.exe
540	schtasks.exe
5368	schtasks.exe
5808	schtasks.exe
1380	schtasks.exe
1580	schtasks.exe
3528	schtasks.exe
5208	schtasks.exe
2384	schtasks.exe
6884	schtasks.exe
6928	schtasks.exe
5492	schtasks.exe
6440	schtasks.exe
3108	schtasks.exe
2984	schtasks.exe
5676	schtasks.exe
3068	schtasks.exe
6156	schtasks.exe
6164	schtasks.exe
5688	schtasks.exe
1904	schtasks.exe
1524	schtasks.exe
1468	schtasks.exe
4724	schtasks.exe
6620	schtasks.exe
3452	schtasks.exe
1708	schtasks.exe
880	schtasks.exe
4656	schtasks.exe
1348	schtasks.exe
6748	schtasks.exe
6932	schtasks.exe
6660	schtasks.exe
6608	schtasks.exe
6572	schtasks.exe
3112	schtasks.exe
4360	schtasks.exe
6636	schtasks.exe
6280	schtasks.exe
2500	schtasks.exe
2824	schtasks.exe
6448	schtasks.exe
6872	schtasks.exe
4576	schtasks.exe
4996	schtasks.exe
6388	schtasks.exe
1748	schtasks.exe
7072	schtasks.exe
1704	schtasks.exe
6916	schtasks.exe
6344	schtasks.exe
2920	schtasks.exe
3328	schtasks.exe
2720	schtasks.exe
6356	schtasks.exe
7064	schtasks.exe
4448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
888	msedge.exe
888	msedge.exe
4380	identity_helper.exe
4380	identity_helper.exe
2424	msedge.exe
2424	msedge.exe
3672	msedge.exe
3672	msedge.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
1812	mssurrogateProvider_protected.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
4440	Panel.exe
3264	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
3264	Panel.exe
2340	mssurrogateProvider_protected.exe
2340	mssurrogateProvider_protected.exe
4440	Panel.exe
3264	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe
4440	Panel.exe
3264	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	Kurome.Host.exe
Token: SeDebugPrivilege	2760	Kurome.Builder.exe
Token: SeDebugPrivilege	1812	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	4440	Panel.exe
Token: SeDebugPrivilege	3264	Panel.exe
Token: SeDebugPrivilege	2340	mssurrogateProvider_protected.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: SeDebugPrivilege	2324	GoogleUpdate.exe
Token: SeDebugPrivilege	2324	GoogleUpdate.exe
Token: SeDebugPrivilege	2324	GoogleUpdate.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe
Token: SeIncBasePriorityPrivilege	3264	Panel.exe
Token: 33	3264	Panel.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1812	mssurrogateProvider_protected.exe
2340	mssurrogateProvider_protected.exe
5776	WinRar.exe
5776	WinRar.exe
5776	WinRar.exe
3336	mssurrogateProvider_protected.exe
6352	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 244	888	msedge.exe	77
PID 888 wrote to memory of 244	888	msedge.exe	77
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	78
PID 888 wrote to memory of 3268	888	msedge.exe	79
PID 888 wrote to memory of 3268	888	msedge.exe	79
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80
PID 888 wrote to memory of 1944	888	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/RZM-CRACK-TEAM/RedLine-CRACK
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca7a33cb8,0x7ffca7a33cc8,0x7ffca7a33cd8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,17140317344602121736,4622637106729929386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  PID:6112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3184

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\ReadMe.txt
1⤵
PID:1732

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1952
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1812
- - C:\Users\Admin\mssurrogateProvider_protected.exe
    "C:\Users\Admin\mssurrogateProvider_protected.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\notepad.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepad" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\notepad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\notepad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellComponents\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:912

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\Chrome.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\Chrome.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5492
- C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdate.exe
  "C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={147E1A31-5E49-ACD4-7646-E2EE6FA22B56}&lang=ru&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:236
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2720
  - - C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:540
  - - C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4784
  - - C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4384
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNC4xMSIgc2hlbGxfdmVyc2lvbj0iMS4zLjM0LjExIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezY5RjM1MzZCLUNGMTAtNDk1QS05ODdBLURBMjIwODM5RjkxRH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9Ins4RUU1RjE4OC1FMDkyLTRDQkQtOUFDRS01MUM5NTBDMUJFQ0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjM3MSIgbmV4dHZlcnNpb249IjEuMy4zNC4xMSIgbGFuZz0icnUiIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9InsxNDdFMUEzMS01RTQ5LUFDRDQtNzY0Ni1FMkVFNkZBMjJCNTZ9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjY3MiIvPjwvYXBwPjwvcmVxdWVzdD4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6000
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={147E1A31-5E49-ACD4-7646-E2EE6FA22B56}&lang=ru&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{69F3536B-CF10-495A-987A-DA220839F91D}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2980

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:912
- C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\130.0.6723.59_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\130.0.6723.59_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\gui8831.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5140
- - C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\gui8831.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:4576
  - - C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.59 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6285ddc28,0x7ff6285ddc34,0x7ff6285ddc40
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5204
  - - C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5124
    - - C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{FC83BB9F-6F9A-4672-A761-3170C950D173}\CR_A55A6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.59 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6285ddc28,0x7ff6285ddc34,0x7ff6285ddc40
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5412
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNC4xMSIgc2hlbGxfdmVyc2lvbj0iMS4zLjM0LjExIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezY5RjM1MzZCLUNGMTAtNDk1QS05ODdBLURBMjIwODM5RjkxRH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InszMkY2NzU3OS1FNDNELTRDMzItQjI4OC0yM0EwQUMwOEQ3OTN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMwLjAuNjcyMy41OSIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMSIgbGFuZz0icnUiIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMiIgaWlkPSJ7MTQ3RTFBMzEtNUU0OS1BQ0Q0LTc2NDYtRTJFRTZGQTIyQjU2fSIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvcG9ranh0b3lnZnN3NGpxZ2psaHo2cXpxaG1fMTMwLjAuNjcyMy41OS8xMzAuMC42NzIzLjU5X2Nocm9tZV9pbnN0YWxsZXIuZXhlIiBkb3dubG9hZGVkPSIxMTUzOTIzNjgiIHRvdGFsPSIxMTUzOTIzNjgiIGRvd25sb2FkX3RpbWVfbXM9Ijg3MDMiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIzNzUiIGRvd25sb2FkX3RpbWVfbXM9Ijk1MTYiIGRvd25sb2FkZWQ9IjExNTM5MjM2OCIgdG90YWw9IjExNTM5MjM2OCIgaW5zdGFsbF90aW1lX21zPSIzMDM1OSIvPjxkYXRhIG5hbWU9Imluc3RhbGwiIGluZGV4PSJlbXB0eSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5772

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Tools\WinRar.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d6c4b1aa52114cfb8ceffe1bdae76f2e /t 1532 /p 5776
1⤵
PID:5956

C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5884
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4180
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.59 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95387c38,0x7ffc95387c44,0x7ffc95387c50
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1812,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2084,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4780
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2296,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:9
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4548,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4824,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5028,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5248
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5024,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5448,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:14
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=216,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:4724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4428,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5844 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:3952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4348,i,2682353682960477216,5861761093958122644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6068 /prefetch:10
      4⤵
      Executes dropped EXE
      PID:4172

C:\Program Files\Google\Chrome\Application\130.0.6723.59\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\130.0.6723.59\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4688

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5492

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6024

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4396

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5936

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5736

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1236
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3336
- - C:\Windows\fr-FR\chrome.exe
    "C:\Windows\fr-FR\chrome.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6352
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAvUy95KZMU2vitrpkOna9wAAAAACAAAAAAAQZgAAAAEAACAAAADYmwfh7tJFng5C9FfZyoV5ANcYePwLBgV0JioTK761+wAAAAAOgAAAAAIAACAAAADVzOt23sKsYY4vU07/xsGkLb18dYqlmQBXVG4I4FbF9RAAAADMpR1DnmxRi/d4vDuoS0YpQAAAABUJGFWJlqpwmpUmJHbXnXUkEO4KYl+sqT2Ql5T6EfFm/hvrXi0j21HvrzVHjcIUWY9Bw+ikmbG5LivxMuoqV7c=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAvUy95KZMU2vitrpkOna9wAAAAACAAAAAAAQZgAAAAEAACAAAAA4S+hCcEG9EG6J/ISqdLDYlr4pcMyi4QI+39Rvgruc7QAAAAAOgAAAAAIAACAAAABJm14qegVqOO7ehLnDXnPx9j8l/Fye68Majm3ErbRcehAAAAABe9j669xwtHsl8GaWNAD0QAAAANfAFRtfpz2c7OoMOTLe+1S9RVFMZGTsa1gHAe+JfbxJgQuzYldyB8/0wS3zevUCuqRVgf7WdvPFP6yAnjlA01I="
      4⤵
      Executes dropped EXE
      PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAvUy95KZMU2vitrpkOna9wAAAAACAAAAAAAQZgAAAAEAACAAAADYmwfh7tJFng5C9FfZyoV5ANcYePwLBgV0JioTK761+wAAAAAOgAAAAAIAACAAAADVzOt23sKsYY4vU07/xsGkLb18dYqlmQBXVG4I4FbF9RAAAADMpR1DnmxRi/d4vDuoS0YpQAAAABUJGFWJlqpwmpUmJHbXnXUkEO4KYl+sqT2Ql5T6EfFm/hvrXi0j21HvrzVHjcIUWY9Bw+ikmbG5LivxMuoqV7c=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAvUy95KZMU2vitrpkOna9wAAAAACAAAAAAAQZgAAAAEAACAAAAA4S+hCcEG9EG6J/ISqdLDYlr4pcMyi4QI+39Rvgruc7QAAAAAOgAAAAAIAACAAAABJm14qegVqOO7ehLnDXnPx9j8l/Fye68Majm3ErbRcehAAAAABe9j669xwtHsl8GaWNAD0QAAAANfAFRtfpz2c7OoMOTLe+1S9RVFMZGTsa1gHAe+JfbxJgQuzYldyB8/0wS3zevUCuqRVgf7WdvPFP6yAnjlA01I=" "--monitor"
        5⤵
        Executes dropped EXE
        
        PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default\SendTo\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.LoaderK" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\Kurome.Loader.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.Loader" /sc ONLOGON /tr "'C:\Windows\SKB\Kurome.Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.LoaderK" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\Kurome.Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\chrome.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\fr-FR\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
PID:6536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /f
1⤵
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
PID:6748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /f
1⤵
PID:7104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\chrome.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f
1⤵
PID:6716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\chrome.exe'" /f
1⤵
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\Fonts\chrome.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\chrome.exe'" /rl HIGHEST /f
1⤵
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\es-ES\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\ReadMe.txt
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GUM47FC.tmp\GoogleCrashHandler.exe

Filesize
287KB

MD5
a2d8bef0cca959e4beb16de982e3771c

SHA1
5713e1542a47f5dab9d6c4fb58092dea0c9bea4a

SHA256
aff4f2d3049b10893265524f4f1eeb297a60a9414f80ea3695bf1c58de2bc43d

SHA512
3df564bd32a3c5bcd91aa6b71561c79351b462a33e6a8901c3a451d706f012ed077000f6cb89017ed6014e209e81fab414e90d54cd6bb6100c4f355108e7dd2c

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\GoogleCrashHandler64.exe

Filesize
364KB

MD5
30c7cbced8e3689e30299cabad4b9ac7

SHA1
2c8f9adc1f8b6fc53c1489c59ac59034a47f552e

SHA256
296f1bc3a9e0210ada077895deafb9969aa8073189f1f3eb0736e9e87d17bb05

SHA512
6cfa66872d8db974ae21324aa12b65e5994a334121d2a33e3ce680b244813879b4a59e819ab51df27febebab303d7dac1331420ab683c6e8035473bc0ebe31cf

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdate.exe

Filesize
151KB

MD5
82f657b0aee67a6a560321cf0927f9f7

SHA1
703175455354cdbd4244668c94704fee585a9228

SHA256
794cf7644115198db451431bca7c89ff9a97550482b1e3f7f13eb7aca6120a11

SHA512
5407eac0dc840aee05265bdc0810865890fed09d7b83ff0dc3f3e4ed4a322a3716710c35208fe8a95ffb0ab2a051e5305825c3251ceb2dd7e0cde6e9cc4f97c2

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateComRegisterShell64.exe

Filesize
179KB

MD5
396ba164448844fcd0c72dd802ac7db6

SHA1
51e738ad497fbfc289099444555180f4a123c39d

SHA256
f3ada0bb7459836ba250314ea6d417694c974445f0f7218ea8a48b60c557bb89

SHA512
e0c4b15fc23c7c4507e1b06767ba9170993f9dafd642d5c07e5693aa39dd760b8aa63ec21d694a849c70b7c2ece362e07d26983e24d90f7dc2ded8d86ff05646

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\GoogleUpdateCore.exe

Filesize
401KB

MD5
cecfd51c91c3aa81093460598c5d02a2

SHA1
b5411b717d1fccaa166e795de6f6da0b422704b0

SHA256
a055856dcc22687bcbaa828342c851f87dd9de74dc5d647e7799d8ec4d7be0de

SHA512
a1b9e6938f4231dee231256dadeb00006c1f5d30f16f88644196a31692aa6c9ef02c32c94fc030a7c072cdc45741ed4cb89f09c14320eab63c4ad02e7ddfd880

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdate.dll

Filesize
1.0MB

MD5
69d1bf5384cea587e6cc69ac827cc02d

SHA1
ff9895fe5ba57f1b7675c7f69ccc08365aafa02f

SHA256
d8f9c6a2e3f784e4a9c9dd714e1fbfea1883b920216dc01ad9d56700b17c0671

SHA512
3c0bbc042a6e51eeb4fc48b63a984b5e1964364fee3e94e0debd6e61ab806890bc1cdc9bfd2a672e55195d9ea1c2725792d826c1211badce6a7574760ec61df0

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_am.dll

Filesize
45KB

MD5
2e4a126b96812387b4b2287f0ac9984e

SHA1
f860ac32eb14282f9acb0beb8b17cb28c72d8ae6

SHA256
3593fb2cbdbe626f0162e2fd279f63447fb23591d68e460eed338410ea765f3c

SHA512
d7126dceb64cbc3daa42c7c1e5a4291e0d7bc61734704628c337ba150a51e1d6c5167ccd4bdca2f8a61be1e09d2cc4713641bd63a0ca7cf7a2245414e38ecdc8

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ar.dll

Filesize
44KB

MD5
73b513e081a75b2419a1e4ff96ea7a01

SHA1
3c076814f6e0d7e5ca77ca37d20b0d9f2a8ac4c5

SHA256
f2831ccdd15dedeeb7a097bcdb49ee31831274a3171f11809ea11c69b232b953

SHA512
337937733d4fafd55f5992bbba3960e5bb670f4cd87ec88e95ff28cfffc97f13d6ca18007c0fb769c1ac78ae3eb86f049a3c82f5dc69f5476c57ced894973a97

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_bg.dll

Filesize
47KB

MD5
c2ebb44d01d7a7d5b61aca6f82e16504

SHA1
e1a8e38eaf05234d9f10e055f920fdf1cd3ebe78

SHA256
d3f0fb94c9cfac96d685cc47e9456ad86d1b5bcf03bd0db11255d33a2a360adb

SHA512
df100a50dcfa4cedbc0c0fc91aa76e90dae9bc377a645fcc2e9dde18736b36016c796c5273f2bfdecc505a150edb705ec7a0016df6281f345f8a2fe1093dfeca

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_bn.dll

Filesize
47KB

MD5
685ed2907a9d297d86ba33667b760086

SHA1
e6b98c9a3980099d279ddbc2eea94b3bbe094a50

SHA256
edbaf1e2ac0c335972ede1be0d425e9c8be4c68e4987778e6ae28f046e5d0d9a

SHA512
c35557b4f91476d8daebd9b13b06ce489ffc4f2a9e47155036c29ba22724e436917fd4ca467bb870905733d3ac5be8f85c22d2d39027b13b92a0b2b4b09092b2

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ca.dll

Filesize
47KB

MD5
038ef0dee664c858cdd550e717849c9c

SHA1
33143772d5c8570e5eaa894fdc58f3ca9f992e9e

SHA256
6d682e1347068253231be39136da2774255f758a4c8dc056f06e2bf875a3bdc1

SHA512
96844cad15f8dffd024adab2657643e06bcb026334ea7c7a9940d0c2c75b69f3284f108c50afeb243e4042ee9eaa00827368a354b97edd4212046db4c977ebe7

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_cs.dll

Filesize
46KB

MD5
ce1dd611a19e30291631a9657afd96b3

SHA1
af7f28802081381b4fd8c707151d0664cdaefc39

SHA256
0a8166e3963bd3e754487c1b57e84a429e1c1ec483d273da5ef2cc5e3a6115de

SHA512
5b0d5b2732a14a08fb4509408142a481c23e323adea6cdd90d8fe70c0dc58b48c46d47387409129a4e6be83a76733041a98d30fa749bd0544e3d88694a6d3b61

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_da.dll

Filesize
46KB

MD5
db5b3a59d09111bcd39c20f626b474bd

SHA1
fd3e35d9d00f14b99b8aba065d71e8261a6d5fe1

SHA256
79ffd7f3efccf614f7a1ed8ffdb49623694bc1b179c6f435ca56464a0526c57c

SHA512
bd0e2556183824efc610b248fe595b6f1e34d194fc0bc652f29fa7f07443121f9580d025e8b5088f91b18c771d1c63c1a93a72707fc228e70ac1a2e5dd0c3ea1

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_de.dll

Filesize
48KB

MD5
53a1f85365b0a7e9f9b28171c44a057e

SHA1
3ec8c9ec9ba32c5acb120175bd0fc876695d9583

SHA256
9e3a8acf0bf2655af754add6cc10e12cfa10a68da256e93192644a4fe3c8c7c9

SHA512
6db953a72dd346aa491bf21afe8d5537e773abdbf2e8e99d8c0b4d07635119016b07db52228322a7e72b29781cbdb7234bff018d4b5786a00f4b3f1f2b37a6c1

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_el.dll

Filesize
48KB

MD5
d052cadd807c25c72886906a9efbc86e

SHA1
c56bd5d490c1b6997ab884cd8dc2cb18659eee40

SHA256
47fd4fa0a2ef55bf44d00f9abe231dcc053972a04b09e9ac005f37f7926498cb

SHA512
37371289e77233f2a225a8ffc3e36800e5416bd7a02d4f826e8fc117264bb2157a67d7425b05c8eb60365e3a93307c28fd1c00279d89d9e42e51474585c9d507

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_en-GB.dll

Filesize
45KB

MD5
4281d3c6a33aae2ace4fdd78ac7b6b33

SHA1
85a291be91118fec09a84572375b2a2dc255d47b

SHA256
ebd5c1b6f76eb41a59b1118a16a45db8fb45b32a0dabe5f919c5d209f1e4cf85

SHA512
df2c45ac7afad9ff9e7bda93a6760b8e014c8d5411b664eb0aa711ca2f35baae72b791224ec1cee7bf2a3fe2e604278abf2a32584a2cf05a1299ccf1cf975cab

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_en.dll

Filesize
45KB

MD5
5473d86e3d71ecbea1ece30abf01cd8f

SHA1
f5df20dd87ff904b279ab4949f25b72bbcd4a7ee

SHA256
b036bcb285a4eac4fe744b88c03a2e553132c9896d784ce95effb437973134ae

SHA512
be4590f12c5c9f83ff19a1f248616ca0eb0206af55adb8f326f3b70922718e804dfcfa32e8afaadc42113e0c57642a0d0db8c3de72df2b844eb54aa2e03691ab

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_es-419.dll

Filesize
47KB

MD5
babcc3d7ac72bb5fcbf504b960b7a233

SHA1
33d6338b41cf7908ef589c9c27902dbb2c8f7186

SHA256
fce66f6407d801d0a8b6d47c7286622cb5d800d7520f5c14ac162fa3145dbfc1

SHA512
2bf865df175033a33756cc4ed7681930049808b2ee61068142eed07e1c68e4581a81dd4238d7d2ebca27b33d7d45f4000bb342637c14a7275c8fa87684438073

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_es.dll

Filesize
48KB

MD5
c6b78770986dcdcf2e873059a33fd64b

SHA1
3dbf01d0b5288d1b54195b4c62ca8831bbc5f089

SHA256
69f67cc945fdd476b6d43f213da7a6cb35ac9194efaa50ee8a1c5fbfacac7c7f

SHA512
ba83afcc2e04277e25787634e07adf4d11199b400fc491fe1d1b556657b648cb5a0857b37a9f9f0096db9ef949a0971a55ea4f8900adc24fbe652a9c96fe2b3f

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_et.dll

Filesize
46KB

MD5
b1583b0eb3b3c938f5f16cfae1022601

SHA1
96df2af0f594d3bd101cd13d8b08ad5c30a52744

SHA256
82a6a6d661093a2310660e49a171b2bbcea4ad2d2485074b82c6969eeefd825d

SHA512
e56f02313351bc8aedb93e34784fd9a0d2f92c7c31c6e21d898027eeab6c15cda17a839f2313174627f88051bd306dd60bbb58b40ffb67ac7159400a73c7d177

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_fa.dll

Filesize
45KB

MD5
54649821e243e218ffa10802191055b6

SHA1
b5b74efe139ba8418b1c56c7a3241d395aa0a499

SHA256
5a397ab4774fd5a7f0d7e0d4871812fa92e2f9e5f595e94a4b652fecc29674ae

SHA512
e31f81434fd90d2b9aa5f7832052236ca56b836362ea35088e03397510523c8ff0d19345d71767a649f42ef1808f05335fd9b27020c3fb5a2ac33cea456e9851

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_fi.dll

Filesize
46KB

MD5
8f20a78be087a95b80f1162ceba79b46

SHA1
c76e0616b18b6f86d25cc2ad05e2ad04fb07f090

SHA256
ba9494dec1273c3a5f629e4cd0990beea6f35168ab940693fe179f111cfa9a9b

SHA512
a289c1c7b11b0272cf12004ea5190d2344ec044585fcaf0967e80f66af0c6d0f9208e5ed935b006ae875b4f876ff993be19a702bece3610e748f342ad492ffed

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_fil.dll

Filesize
47KB

MD5
f230b256bb15dc4d6c3c70895185bb0b

SHA1
5ea5242bc95c294a4d6ac7904ac3538998c175b4

SHA256
abb5511af0c804210152ade4e3d140e586932aa078db535f3f240f2ad8bf3c45

SHA512
eb9fdddd86825fa463858fea9a1ff8adae3fa6d67a27ff34a4704a9d503baa52ec2713d51b474a84dca6e69b0204d44fbfb452082d10a33a84ffff3e93066245

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_fr.dll

Filesize
48KB

MD5
77fd989107f16f1749b4160c1f0339f4

SHA1
c0897a9b5cedccd68ca9466623b73b58777ddf97

SHA256
816361339757f2f9bbef560c902d4207ce6328a3506570e9b1df1e65f77f989c

SHA512
1ec841b2f9d54ad9d9f6dbb5ddbe3a97d17b23b3f4ea45707803a1b61876b79f793bf649da5c0db4264bf2adfa32395962f91e8c2aeae4bf664d4b57b0cb1ccb

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_gu.dll

Filesize
48KB

MD5
f42aad7002e1a4ac1d455fa51852b32c

SHA1
5ddf112b7a9afc2baf26e3d6168458875efdb327

SHA256
215c700fac5caed6e5073e10cd5a07e0409cf0107903476e9a52dc5494ff6389

SHA512
73bcb19f50cc1a9f56ca1e759a3362cad150cb9e2bae75563429f611987c82c2e6fde56d847161f84fd6db071def3a8ad996a553a5d7061162ce34be2a05d4e8

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_hi.dll

Filesize
46KB

MD5
a5a40fde77ce0330572603819f7eab1a

SHA1
83bb3a9f1daf58a1d3e4a213837bbf9b996ad11a

SHA256
1e19516dacf3e895e632cfa6e863d4896a5847281602c16cf3995c107860888e

SHA512
90d46291506bdc47968d771194039472e318d1c6600bee8c71846080419d88a3fb96e8abcae4b7b0001a1eec7d91b03b0edd68641ce77e9417de3dd19af14309

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_hr.dll

Filesize
47KB

MD5
41b96846b3e594d215e049bc6e44e7d5

SHA1
1e607f3285feade41c0c5c124dc2cf00423007c5

SHA256
f53fa99736059d03ca35499f15d39be942d6f3633d47942e98a79d423aeccacd

SHA512
c2fd0106cfafad09f3f456e3248ae0afdc57649ccf7950efa2b5c371f948982f17041c0c25870e9a597fa9d5ce4f18f4ed9685af501db6290c4828bb4792788b

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_hu.dll

Filesize
47KB

MD5
3b8977206e495c4c64273009e5a57f9b

SHA1
b63baf9e295dfdce61e4668ffcb131a846346d9c

SHA256
d815413523556b0d5a872c5a8a62a80bfb939e52c9d319054ef8b54a68928bdb

SHA512
6427ab789f87c213977de0844ab0162f4c11f1fcec464d5451ef3e7bd69389045b1c9c93900ff2387bd255e800884d2cd2b914740c50ad46a6947a6455fd1fef

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_id.dll

Filesize
46KB

MD5
0abb138c12fdf76e83704895273ba314

SHA1
82bcf40e6b03dae0c18c17fb16a48da2c9b7a90a

SHA256
7e676cf463cdc3f7f8ab3e41edc5dab966a86681ec4989ecc74d460cd1d56b60

SHA512
90dbd5bf06d597dc909eb28061b0975b7b8d8f95dac5582e924fcdb645d9e48d5580be718b76ac860dd1793a19e868844341762fea6ab1dfd0d89fffbb3a96c7

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_is.dll

Filesize
46KB

MD5
4c954e97257e899d5941e190fcef8ca9

SHA1
ba48b1400694a9db0248c9b4d7deef01185cd1d2

SHA256
c14d1ce67e2a671feb5cfab3176cb0c73b31585ba32d40d9f21b1a892c1b2e20

SHA512
5a635abb9834b83f77d8703ef7ac2450b23a0c08a853db9f3c23addc881c5a6c9f091910c2e8a5e57e777e58c50a316e2c7c0793e01d5129f4ff8a87ef7e216a

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_it.dll

Filesize
48KB

MD5
e476d68395afc1f1468ea27e7d801eab

SHA1
a227eac261c10ea4e1c6ca2ba739050c0ed33375

SHA256
44bab1dc2526c25560493fbd4d5dbb8c0cfdf53f99cbb6b9ed0ba765fb39bcab

SHA512
8687e25fb9711a7575da95fc0673b5bba9600bf2c08491c94d9d3bc2b44bee91abb2f082e1b5988226e1a603b132ad0bd29a8d2175bf01aae005b0bc174cb508

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_iw.dll

Filesize
44KB

MD5
0da881f72338a4fb295a3fb837a696e5

SHA1
adb1f526e96528f38e56ca514588927cc747e91d

SHA256
8c7a9d6f96d007d9557eea5009ce20b7d1be0334aa7d8168d79c9867a733a932

SHA512
2a04569abc10e8a5acacb5411a008cf0a60223033e188be55def796c063e7c652690f0119e454d65e0f3ef464e3143d392d58aa8fdf6405bff72e88d353d7eca

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ja.dll

Filesize
43KB

MD5
9a2fc61130b68ee41476d63f415447f1

SHA1
504bfce2ff3bb536324f77d959675c98ee6fbb28

SHA256
a3a60744f7c4853eb7e44b1840a6d3def05f3bbc53dbfec0c64b0de5e8bb5e2c

SHA512
22fe7827b113f8c2834b9ca3e25ae62029fa57c84c037cccbe2f019007d5cdc5dce3f7df0367fce99dda2315689f5a2975e8b029041c735dbadf6e7a0689d885

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_kn.dll

Filesize
48KB

MD5
072f51e42208a3d311105ef2fd72a883

SHA1
75ffea6e1d95c0806b04e3f16dc5976f19ab2b78

SHA256
77d6d93944a212f7efb2455f46db20277e0a5a4fada9a04a0d7392c5aa30cc22

SHA512
33755458ca0f3dcd36dc02a6ae781d3dbb0e9042a77159ad101c50b19444adf6979a73c3222cb804b7dc111a6b6f30ea707da00b1a7fc21ec15ca9dec05fbbbb

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ko.dll

Filesize
42KB

MD5
33a88023facdd939c6c14cb692cd55e7

SHA1
d05c983d49667360d06926011b0f8095e5c2cba7

SHA256
5b5feaa8f9f9621c63fdedba977c24c4a4519b3966e2d6e445a0ec9b2caa8a54

SHA512
f846aef7a6882c8ccdce3cf5d641d67e2637e44dcb055597c29f8e8bc360807129f7a0d828f0a8f03cfdc5bb27f6b6c3f0a2e194308e0a9e21fab5f3583968d9

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_lt.dll

Filesize
46KB

MD5
de7fd22ca9efb8f45842bef8b0ddd8b1

SHA1
f9593b2d031a8976117ae31a5d2cccf1bd859baf

SHA256
e0bc1b946e50ad5aa24c016524da2e251530062704178ae0f51f9af02a89e1fc

SHA512
2f3b299efb513e6faf8e361cbcaff90652ae08bac138a1662996c33f0b299a65c50fc3570ae0b1cce0a2b131a19e7ba06839dd819ff7bdb1e6a687d5022bd7e8

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_lv.dll

Filesize
47KB

MD5
bcc3f87f93fa8c9ff8efbca84abd4f20

SHA1
72f26fdc4c1eb80f19d70fe3da883874fe1b3eb8

SHA256
fc52bcaa4081a8bf597b6cdca4981c9b29b59bac40f8307fa334a3485d2009d9

SHA512
6e170a630255f5921c5de6f1e159f2c1a9d10acde461798151406e2e560f29b86f118486e3c99567fe0a637e0f3d347496042485e8061ff4875d5fc8b049d649

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ml.dll

Filesize
49KB

MD5
c75102b45b2086b3508b6c1258ddb604

SHA1
50047a285bbd90c20a8ac11eaf041469446da5f1

SHA256
8dd0d64d6883c721087e0f58b5c195893f0fb2451468fe5eccc7a9f44f3d1537

SHA512
56de8616b579cc5e2204d5e0c52441812424fa9f1703a237e221e5e0495dd2c09436c9fab713f01471ee6ee3aa52b0a1c3175affd552cb004fcf2cb07928560a

Download Submit
C:\Program Files (x86)\GUM47FC.tmp\goopdateres_ru.dll

Filesize
46KB

MD5
af3349f27fc5996c634bcc5545108a55

SHA1
46d0a57a2925ce027e7d84f78dc1592496bb4842

SHA256
5aac683af9938cc98996f153bdfbed7319fc08a406ef801119e3a64f77ec6942

SHA512
7ccfb2955b1dd40f9ca26e37af130e367a0fc11e87d97f54d57655785e7130ea060e67cff31d6161cb13cc9349c655cacf73b7f7dbd63edc71a1e60fbed04ce1

Download Submit
C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll

Filesize
450KB

MD5
cdbe4728d075ca5050b3b9fa7138f8b8

SHA1
f4e9c3646e948ae324f85d32c1adb4fbc880242f

SHA256
051c42124192595ec6d22577e4870fad2a8ac52f04a43cb77372a99d48a9b718

SHA512
7c7c11e5c7a8e91f3b361ce1dd4db230b1fc2c82c1dfc99d8771632fbb77c353a142dab34ca0322357b73c44cb0432e610e4a510df35e63cc34feaf4e91c847c

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.59\Installer\setup.exe

Filesize
5.6MB

MD5
f088060a8be42f8f3cddaee9b1886eef

SHA1
27bdbad90441616bc3225ed0245e3e7a92201544

SHA256
7478a46fe160c8e9832421561cbc4be619e9a9dc15ffd9905146916d4c66cf96

SHA512
0f3b7ef5c5693daef09c523bc4bcde6936d6e9e6584562a9a88941c830b7faef8c62ce0dab3939db7fc57cf25487a044e8c782b068d17e3b535207d30ced1c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
97f8d1c4bd23ebf50b6b9ee5b3f0f1ee

SHA1
b8e8cb57ef22cd15b13a2c3db4c5c4be476488fc

SHA256
58d91c09d6195ad4929525dc87219aded17174abd26d17a5c5e77cae4626bb7b

SHA512
cbbcdc1df9f4c7f7dce9b73be22bb3e8752cc4d7b0bbdb607ba4d57f56b0fb11b60673f0fe4244d0fbdec8a58c44ca9893626a415d2b5ba3d554b31305932921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e10b352e26dd3ec3553a39113a744b05

SHA1
59d250c49ecdb0f6724a3f293f0d6cd2e036a57e

SHA256
35ba54262b446061ae18590bf414083ae015fb34513aad47ac0fdc53a8ecf32f

SHA512
30e8a9f278dd1ff8e13780dc60230ab37c81faf22bc506ad61a39319dc49ca081edaefb89c82f94ee52117d66497c05786f7a2af98a6c3810dfa0962c07a620c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
70a4b2f46848b1d53fc237323c151526

SHA1
8e0a90735cd0d1c89ea0c6c8e60de1927d65137c

SHA256
a0321670215dff8f61a0ae198feae406b7bf2c7d35d447af50d92d2cba62ae7e

SHA512
29c65139413e2a2b2b54293a722419f1ba56b14d5e4f3ac055b8f79ca222208a0252d70e650909eef61a4067997fd670bc6bde1aa0aecad8b201fa090b121700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6c4ff174de6a43f5d30b6890eea3cc77

SHA1
53b82b7a0e5767114c7b758b4557ed4fefb9f7ec

SHA256
309fde72f07d897f48f92347e42c405e3bcf916e089f99f2aaa4b9b99fde4e8b

SHA512
55e5051e320fa92f3feb2d79819d93c46357099e1c34e7d7927bda434ee80845923408e5b83685f1ff924a24f081570d0bf5cdc1e53ec2542a69eee9f6f2456f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
af17ae9f366e0cc431affa54286cfd20

SHA1
48a05bb8468bb6e3041419e40cd49dbb97351b5e

SHA256
5b95bcb4706ba8550922ef60944a93a5f0033f5f030d287fea666cab582e3db1

SHA512
80c5b2f9d1663578d10b8445f9500c2ff4d851f6f36abe56a47c4b15995f9d0dcbd576ff2ace24e0e2a93e2b58e3fa0d548d1fb6619472d023a54e8322943eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b292ba957dca1c31bf4299d0caf35174

SHA1
71075883e0b3930776487165e1b9942d37271dbd

SHA256
7bf445180eb533c643451a55dfe151bd4f276c4d8a84887cefbd6639e4b57694

SHA512
381ec51acf1b7675006f52ea5e5ebf0a3c4d084962faf3d19748ded6a821e349626953f9f7d5c9a94474c5c2be9d392a2427ab38b161c2864f1a45dfb4179b3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
1811482506f29620eafa83b4d71cbc7b

SHA1
27af1aa38a8616d10b038dc24d2e3a809c3f89e6

SHA256
a65b9c031d911256b14342661daa9a26688cdcdd0e56b01a8c0b6632ec28c7b6

SHA512
fab17f012866875b582e77bf5bcf585c872811955f833c683c1c0a2016f14782d43da8005210de289bd360bed8ae7aa6df5481f9fffaafeb4054620e4169210f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
c5cfa86ffdee065f5383f3db39462099

SHA1
ce015e91e363a6f3abd54c5fa9bb7c16edda83fa

SHA256
cb8beea3f83f7583dc17dd0cbef5ea5c296c79fac9820e248bfb9843da04bedc

SHA512
fa4eef3ad01c72bbeae799fa02a12d3aab935fe2e32507659535bb4b7f34ce1dedfc371259fbb550acab088fd12bd59273621ba6b2644be0c7376ed1b627a464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
67284e92eb74fce6202e1d8f3ca40e24

SHA1
0f588245df804d805a3ab930c01aa8c55af9bef0

SHA256
379b90e6afbc25c5f752e3c43d29b262bff38d820fa44dab508df4b101712bf7

SHA512
7fef2189d5ae6e9f4dd71924fd3b661421e48c40744090d240a9ce70e524cf9facedfb0300889c825bdac6fd7ebad0f241f5d6d10e169ee2eea833d12a9d96de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
f8f18cd2f55f6670ea4e7edd3df4281c

SHA1
019f80814f13fce90f5d8c93c8b4a641c7055bfd

SHA256
10c1de340a159471a54e0cee5b055e8cae4dbfef0c541fcbeb098e813a4a9707

SHA512
16ec592b78f514cfce5992f33856261bf9e2a67f892e58c981dcf904849fa5a488e3d9bdce6706aea72d53220182a8e107102f889c0051589d6d9afdb7b49a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
21132f918afa64511d40a6bd03b74717

SHA1
acdc115544c7c7fe7adc66b57be3e3ca2b595ff3

SHA256
d2d4e7e34cde01ea95dd389bf82f61bb087ac31b31af792b9a6c55de84babba9

SHA512
6423804733f01ffec90ca3a75ca1992fc0fcdb112667a4c845deb399c80cc2c87ccff950b47caacd3a9a830428356d2f399c81e3f7b4317210381aed89e7fce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.51.0\Filtering Rules

Filesize
72KB

MD5
b23dd5b6eccb460003ea37ba0f5e3730

SHA1
fd444553cb7699f84ce7e5664232771673dcf67d

SHA256
7f7f432c27d97dee184dcd3ea20f731674c008be849c0136f9c5358e359f3ea9

SHA512
7e47bd172c4bd4c65f063a8fa3fb33ed47f29156eb20e42d4e8ea73c6f02526a30ffe907be5b7c1406d4eaa71fbec7c0d557c376dccd0a1a961e2f61b3431181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ed04ba62-8657-4563-ba64-de81e3859868.tmp

Filesize
197KB

MD5
077f2b511b2362bce67eb0410fa27ebd

SHA1
3953ec55fd18b83b73ce6574a4805d11f7ca0c05

SHA256
3a0a7730a5c9f165ac3811c51f66489bb7fffaec135c7382903942a9817bcd1c

SHA512
dcab2272d34bda3a10f6e02de250484a72e835d26dce819258464783d9e801c398338de0b83077a95509199adb705cee986174e42d9c9ac8c26b18e03a8db084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mssurrogateProvider_protected.exe.log

Filesize
1KB

MD5
2f1bd55330d8a7dc087258c11b442c97

SHA1
e8245737a12110f5de64c24147f0d737d0f7b134

SHA256
9c51ccb5f91ce952857eeb27c719818a3929c460f78aced8e0d09f0a25fbdba6

SHA512
5038648dcecc7ccceb91c80e71725c5b04b66c9e16e67a756a0b1cacacf9024f24c9ec51bebd9a921d9ed8cc5e3d13cde703836d21e64a0bb091e27662c456b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
850d21bfe0888b09f8fc0475070e65ae

SHA1
f8619fc948bf1c87c7630e830b79ed8e9c9ed4df

SHA256
ad8baf21f040b04af4040454410219a636e6eedf17f97bdcf74d16c9fd2c7144

SHA512
1db582553a8d020b92c27171f72ddc07f3e4ec9869907fb4bd46435d24f4b39a84aa893b91ddfdb5e58dac792b1e5fc3c90376ca6687bd77ef49d1b16253eea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
670B

MD5
2480be1af3028397d18c673be6ea680f

SHA1
6a18fda6ea86d7cb9f2356fc1540b801efed3d57

SHA256
c2402e468aebfa43d4bc7ec846556b4556c505c2997bad01c63cad95e67630a4

SHA512
c338905bfc5438801fc2c629e1e75d58fe87ea0af5479b09bb7c2fbdaf277f14bc41e02c23b5dc094fdf47cc76d137f5bc3ee738d082f81242d8d63c2d93a796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7adcd4ebd4d2331123d4d292cc803c85

SHA1
287239bc490399f00e056af26680eff702129354

SHA256
682b78fae4f2a3a349d57681f21562b972da6849bcefb6aa31c403cdf922087b

SHA512
fdb0a60cd8d45b436e6be9d3bf56f4b7d52288bc004d5a8e06adddd6c3e39298ce732ed11f691397c1a9e06fb48f9ba8eaac6cdd1fc756d4bae9aaea061a2972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3eb5e598d05463d225bc6479309ccba

SHA1
18cd6de3f3067049e35b7cf8419a87037ce0029f

SHA256
448ae630764db75da11f9f37ffb03210deb3ad95c1d3ee548126552d9cda6ef2

SHA512
4e9166db4f9c4f223ef0baa9136b0a5e48d9602d002e0988d7f5dc51a8f8658373ece7524b920dc83075eb0d2c3f108dca412279e63e61ef94d1fbdfaf57b31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7a5ecd3fe73f10a38269b3d6f89b177

SHA1
1abce30f522af9e85e45aeb2fdfda91cfb74a600

SHA256
359dc82178c88e9acfedd95987a7cd1e0b6f1f6d5eae4262b3e70b9dcb19d453

SHA512
c63b07f7b072dcf1a8ca41bfea3a0bfbf7cd23fcfeeff4e69510215a127f979167dc51982759cd481ca294f725e4eb973ba598e9c64ddc1bdd7ff8f0c2b866da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe55.TMP

Filesize
1KB

MD5
4d9b9113ea8f3aa399e632df746da32f

SHA1
1d0dec2c6bb1ae9e700f3ef40a9da7b542c45ca4

SHA256
41b8ebc69f35c9fbb087fff45fcd0dba9fd493d81eb98eff40409309ef407914

SHA512
b35c0808900cce2c1133f84c094c1d81ce06bedab60b022738382807d0a1c29b8433fd086650aa7ebb0216016e248c249518e215112ed6b3fc10b733c2a703a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\1abec318-c995-41d8-85cc-2fdefc6eee6b\0

Filesize
16.7MB

MD5
4a47f956d4e5b86c3a6721a3e4189071

SHA1
434fcc846c0b2aed6e71b96b4a22df0739e29356

SHA256
ddd595420854f182eadbaeb91f9e2541a20fb431b67f3bbd062e1220b817c43e

SHA512
7c51c70d299c9578d11fd4177a0bb17bffa30287c6ae2d9f26d82b726cfde46c32cce2be620d6128c6a6790b1e5f06176c552274239186fd17f5280fd6f1659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d15934e4-7c25-4969-ad6a-4385fc71bcb0.tmp

Filesize
5KB

MD5
f5242996a8ccc3a954ff5785e7096af6

SHA1
1d134444c76330ecbc96e31fd92a1306a6685625

SHA256
1ba49ec6d0a598f0ab5fd14e4036369db05fc8859deb352cd0a9e336fbcc574e

SHA512
f54cbef8141f93d32d419541bb2527cf7466b5a5f0a0c93c2bee038a7d2b648e0f466b97c18d5de609f88ac2cc2aeb74bfe79eceafb52af08c665ac51415dfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
904c1ef44632b78af2c1d060b641e028

SHA1
44d73d5e203f5efc9d610206da20124288614979

SHA256
2be9fa4553b257a085409ac91468e863b4bdf6737ca83af42ad6aa113c9af32a

SHA512
fb97ec4263f79624c888de3f556d49e458d8b1b4726b0a6bebe6d7a96ded71666d803a859cb3b2531026e16a121db0498dd67979151be8efd350d0ccf956c156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
935e00e72aac6698ce6b09d5264aa353

SHA1
99f2d0ebe449b2b18bcf5cdfa5ef3bb07fca31a5

SHA256
24270e6115bdadafd2d484d95278bb5acd657160756b989ad10af50776df0f1b

SHA512
8293357a71381d5dab48e52df2b62fc1d0ee63ca014a15a6f0a9b7ad41d6e802544fbfb0a04da39b8e25661476e13e908d53b1da1fc9cd65c2f4ed1036a0e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt.zip

Filesize
21.7MB

MD5
1118549e87cbad92e6959506172d8c5d

SHA1
a5598c8355d03dc1ed03b0f7842d478d6a9e17fe

SHA256
54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

SHA512
029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c

Download Submit
C:\Users\Admin\Downloads\Redline-crack-by-rzt.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_2024390443\manifest.json

Filesize
114B

MD5
3448d97da638c7ef0fbca9b6949ffc8f

SHA1
36d8434f26f0316fab4627f7856fca7291fe8adf

SHA256
1700a11fd1e58367b450a41b2ae5fd26ecb5cdb459869c796c7dde18f1d30f73

SHA512
9bf9055b2ef82bd1d2a1e94009fed2d3481fe2dc336d306fa0db786658efa5b72c9a9a214a829b9fcc4222476051871ff012009c64f09b9109072abdf3def8cc

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\crl-set

Filesize
529KB

MD5
a72c4603c0157226077cf62cd484bb2f

SHA1
13c7da79179e771936763a35aa3247cd34b9abec

SHA256
c67ac1d1bf9efeefbf4288c5653238ec4783c49326312589f350f3921dbe23b4

SHA512
763f0db7a4356e70250070951f869dfe047770c9b2934af8753bf3d9ead3a3f485160b04af7a84067def8ca133d6199f3a6640cf12dbba3382b111d8009ff559

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_270975517\manifest.json

Filesize
95B

MD5
2a6d30fe04e23705728474a9f1c67a9c

SHA1
d8b8abdfbe2ebede8c5a44fa5e97f875d0d60636

SHA256
3d45de10582c38181706dab08cd0dfa15b7e1f0ce5613581e22fda153c450da7

SHA512
2e1630f9fe4b4bd76bac7f6635c9d1a73003c7d8ea6e953a02352c4092b128511442ccc0d7c06c9309248c33c04f2dbdb421bd86ea67a527d51d8c8f5692f45a

Download Submit
memory/388-268-0x00000000059B0000-0x00000000059D6000-memory.dmp

Filesize
152KB

Download
memory/388-267-0x0000000000F50000-0x0000000000F74000-memory.dmp

Filesize
144KB

Download
memory/388-272-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/388-273-0x0000000005CC0000-0x0000000005D8E000-memory.dmp

Filesize
824KB

Download
memory/388-274-0x0000000005EA0000-0x0000000005FAA000-memory.dmp

Filesize
1.0MB

Download
memory/388-275-0x0000000005C20000-0x0000000005C48000-memory.dmp

Filesize
160KB

Download
memory/388-271-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

Filesize
240KB

Download
memory/388-276-0x0000000005D90000-0x0000000005DE0000-memory.dmp

Filesize
320KB

Download
memory/388-270-0x0000000005A70000-0x0000000005A82000-memory.dmp

Filesize
72KB

Download
memory/388-269-0x0000000006210000-0x0000000006828000-memory.dmp

Filesize
6.1MB

Download
memory/1812-371-0x0000000000600000-0x0000000000A3C000-memory.dmp

Filesize
4.2MB

Download
memory/1812-359-0x0000000000600000-0x0000000000A3C000-memory.dmp

Filesize
4.2MB

Download
memory/1812-2630-0x0000000000600000-0x0000000000A3C000-memory.dmp

Filesize
4.2MB

Download
memory/1812-372-0x0000000000600000-0x0000000000A3C000-memory.dmp

Filesize
4.2MB

Download
memory/1812-406-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/1952-297-0x0000000000400000-0x0000000001470000-memory.dmp

Filesize
16.4MB

Download
memory/2340-3575-0x0000000000AB0000-0x0000000000EEC000-memory.dmp

Filesize
4.2MB

Download
memory/2340-4573-0x0000000000AB0000-0x0000000000EEC000-memory.dmp

Filesize
4.2MB

Download
memory/2340-4577-0x0000000000AB0000-0x0000000000EEC000-memory.dmp

Filesize
4.2MB

Download
memory/2340-3419-0x0000000000AB0000-0x0000000000EEC000-memory.dmp

Filesize
4.2MB

Download
memory/2340-2628-0x0000000000AB0000-0x0000000000EEC000-memory.dmp

Filesize
4.2MB

Download
memory/2760-290-0x00000000060A0000-0x00000000060FE000-memory.dmp

Filesize
376KB

Download
memory/2760-286-0x0000000000010000-0x0000000000038000-memory.dmp

Filesize
160KB

Download
memory/2760-287-0x0000000005100000-0x00000000056A6000-memory.dmp

Filesize
5.6MB

Download
memory/2760-288-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/2760-289-0x00000000049F0000-0x00000000049FA000-memory.dmp

Filesize
40KB

Download
memory/3136-5469-0x000000001F430000-0x000000001F5AC000-memory.dmp

Filesize
1.5MB

Download
memory/3136-5434-0x000000001F170000-0x000000001F202000-memory.dmp

Filesize
584KB

Download
memory/3136-5433-0x000000001E9C0000-0x000000001EF66000-memory.dmp

Filesize
5.6MB

Download
memory/3136-5430-0x000000001E650000-0x000000001E9B2000-memory.dmp

Filesize
3.4MB

Download
memory/3264-4476-0x000000001F0B0000-0x000000001F0CA000-memory.dmp

Filesize
104KB

Download
memory/3264-4567-0x00000000232B0000-0x00000000232FA000-memory.dmp

Filesize
296KB

Download
memory/3264-4504-0x000000001F3A0000-0x000000001F3DA000-memory.dmp

Filesize
232KB

Download
memory/3264-4568-0x0000000023260000-0x00000000232B0000-memory.dmp

Filesize
320KB

Download
memory/3264-4578-0x0000000023390000-0x00000000233A2000-memory.dmp

Filesize
72KB

Download
memory/3264-4579-0x0000000023500000-0x000000002353C000-memory.dmp

Filesize
240KB

Download
memory/3264-4490-0x000000001F340000-0x000000001F352000-memory.dmp

Filesize
72KB

Download
memory/3264-4553-0x000000001F630000-0x000000001F6A4000-memory.dmp

Filesize
464KB

Download
memory/3264-4519-0x000000001F490000-0x000000001F540000-memory.dmp

Filesize
704KB

Download
memory/3336-5362-0x0000000000A70000-0x0000000000EAC000-memory.dmp

Filesize
4.2MB

Download
memory/3336-5361-0x0000000000A70000-0x0000000000EAC000-memory.dmp

Filesize
4.2MB

Download
memory/3336-5358-0x0000000000A70000-0x0000000000EAC000-memory.dmp

Filesize
4.2MB

Download
memory/3336-9353-0x0000000000A70000-0x0000000000EAC000-memory.dmp

Filesize
4.2MB

Download
memory/3336-9414-0x0000000000A70000-0x0000000000EAC000-memory.dmp

Filesize
4.2MB

Download
memory/4396-5204-0x0000000006070000-0x0000000006170000-memory.dmp

Filesize
1024KB

Download
memory/4396-5201-0x0000000004EB0000-0x0000000004F16000-memory.dmp

Filesize
408KB

Download
memory/4396-5205-0x0000000006290000-0x00000000062C0000-memory.dmp

Filesize
192KB

Download
memory/4396-5203-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/4396-5202-0x00000000056C0000-0x0000000005946000-memory.dmp

Filesize
2.5MB

Download
memory/4440-486-0x000000001EA50000-0x000000001EA6C000-memory.dmp

Filesize
112KB

Download
memory/4440-448-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4440-375-0x000000001AD00000-0x000000001AEA0000-memory.dmp

Filesize
1.6MB

Download
memory/4440-416-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/4440-417-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/4440-458-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

Filesize
40KB

Download
memory/4440-422-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/4440-373-0x000000001AD00000-0x000000001AEA0000-memory.dmp

Filesize
1.6MB

Download
memory/4440-374-0x000000001AD00000-0x000000001AEA0000-memory.dmp

Filesize
1.6MB

Download
memory/4440-450-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4440-385-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4440-392-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4440-389-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4440-387-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4440-384-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4440-429-0x000000001DEA0000-0x000000001DFE2000-memory.dmp

Filesize
1.3MB

Download
memory/4440-370-0x00007FFC92E90000-0x00007FFC93952000-memory.dmp

Filesize
10.8MB

Download
memory/4440-445-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4440-446-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/5492-5121-0x0000000000420000-0x0000000000656000-memory.dmp

Filesize
2.2MB

Download
memory/5492-5131-0x0000000007610000-0x0000000007C20000-memory.dmp

Filesize
6.1MB

Download
memory/5936-5206-0x00000000009D0000-0x00000000009EE000-memory.dmp

Filesize
120KB

Download
memory/6024-5142-0x0000000005400000-0x000000000557C000-memory.dmp

Filesize
1.5MB

Download
memory/6024-5139-0x0000000004F10000-0x0000000005272000-memory.dmp

Filesize
3.4MB

Download
memory/6352-9415-0x0000000000E50000-0x000000000128C000-memory.dmp

Filesize
4.2MB

Download
memory/6352-9434-0x0000000000E50000-0x000000000128C000-memory.dmp

Filesize
4.2MB

Download
memory/6352-9412-0x0000000000E50000-0x000000000128C000-memory.dmp

Filesize
4.2MB

Download
memory/6744-9257-0x000000001FC50000-0x000000001FED6000-memory.dmp

Filesize
2.5MB

Download
memory/6744-9274-0x0000000020540000-0x0000000020640000-memory.dmp

Filesize
1024KB

Download
memory/6744-9273-0x000000001FF20000-0x0000000020538000-memory.dmp

Filesize
6.1MB

Download
memory/6744-9254-0x000000001FBE0000-0x000000001FC46000-memory.dmp

Filesize
408KB

Download
memory/6744-9442-0x0000000021C10000-0x0000000021CAC000-memory.dmp

Filesize
624KB

Download
memory/6744-9446-0x0000000021DE0000-0x0000000021E2F000-memory.dmp

Filesize
316KB

Download
memory/6744-9447-0x0000000021E30000-0x0000000021F3A000-memory.dmp

Filesize
1.0MB

Download
memory/6744-9448-0x0000000025010000-0x0000000025040000-memory.dmp

Filesize
192KB

Download
memory/6744-9449-0x0000000021D50000-0x0000000021D72000-memory.dmp

Filesize
136KB

Download
memory/6744-9450-0x0000000025B00000-0x0000000025E6C000-memory.dmp

Filesize
3.4MB

Download
memory/6744-9465-0x0000000021D80000-0x0000000021D98000-memory.dmp

Filesize
96KB

Download